LinuxQuestions.org
Old 04-07-2010, 05:03 PM   #1
cK`
LQ Newbie
 
Registered: Apr 2010
Location: Orange
Distribution: Unbuntu Server 9.10
Posts: 28

Rep: Reputation: 15
Problem with ssh listening address


Hello everyone,
First off, I would like to start off by apologizing for editing a former thread identical to this one as solved. I should have posted a solution for everyone to see.

But apparently it's not solved, because I reinstalled Ubuntu Server recently and I am trying to get it to only allow one computer to access it.

So after doing this etc/ssh/ sudo nano sshd_config

I uncomment #ListenAddress 0.0.0.0

OK, so I am trying to access my server from a Windows machine, so I typed

ipconfig /all to find my IP

I found the IPv4 address and I put that address like so

ListenAddress 192.168.1.22

But when I try and connect it says connection refused.

Does anyone know what I am doing wrong?
 
Old 04-07-2010, 05:09 PM   #2
ncsuapex
Member
 
Registered: Dec 2004
Location: Raleigh, NC
Distribution: CentOS 2.6.18-53.1.4.el5
Posts: 770

Rep: Reputation: 43
Not sure why you would uncomment the #ListenAddress line (I've never used it that way), but if you want to allow user access from just one IP you can use:

AllowUsers username@192.168.1.22

Also, anytime you make changes to sshd_config you need to restart the ssh service.

Are you connecting to the server from 192.168.1.22? If you are connecting from outside the subnet, what you're trying to do won't work.


Edit:

According to the man pages for sshd_config:

"ListenAddress"

Specifies the local addresses sshd should listen on.


So changing that to your remote address (192.168.1.22) is not going to work.

Last edited by ncsuapex; 04-07-2010 at 05:25 PM. Reason: ListenAddress
 
1 members found this post helpful.
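
The difference between the two directives discussed in this post, as an added example (not part of the original thread): ListenAddress is an address the server binds to on its own interfaces, while an AllowUsers entry of the form USER@HOST checks the server-side account name and the client's source address. The account names and the 192.0.2.1 address are constructed, and the AllowUsers matcher is a simplified model, not OpenSSH's code.

```python
import fnmatch
import socket

def can_listen(addr, port=0):
    """True if this host can open a TCP listener on addr (what ListenAddress asks of sshd)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, port))   # port 0: any free port, only the address matters here
        sock.listen(1)
        return True
    except OSError:
        # Typically EADDRNOTAVAIL: the address belongs to none of this host's interfaces.
        return False
    finally:
        sock.close()

def allow_users_permits(patterns, login_user, client_ip):
    """Simplified AllowUsers model: USER and HOST of each USER@HOST entry are checked separately."""
    for entry in patterns:
        user_pat, _, host_pat = entry.partition("@")
        if not fnmatch.fnmatchcase(login_user, user_pat):
            continue                      # USER is the account on the server
        if not host_pat or fnmatch.fnmatchcase(client_ip, host_pat):
            return True                   # HOST is where the connection comes from
    return False

if __name__ == "__main__":
    # Constructed values: 127.0.0.1 is always local; 192.0.2.1 (documentation range)
    # stands in for "some other machine's address", like the Windows PC in the thread.
    for addr in ("127.0.0.1", "192.0.2.1"):
        print(f"ListenAddress {addr}: bind {'ok' if can_listen(addr) else 'fails'}")
    rule = ["serveruser@192.168.1.22"]    # hypothetical server account name
    for user, ip in (("serveruser", "192.168.1.22"), ("serveruser", "192.168.1.50"),
                     ("desktopuser", "192.168.1.22")):
        print(user, ip, allow_users_permits(rule, user, ip))
```
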
Old 04-07-2010, 05:40 PM   #3
cK`
LQ Newbie
 
Registered: Apr 2010
Location: Orange
Distribution: Unbuntu Server 9.10
Posts: 28

Original Poster
Rep: Reputation: 15
Hmm ok,

I do not know what "listens on" means.

I thought it meant what computer it will allow to connect, but I guess I am wrong.


When you say use the line

AllowUser username@196.192.1.22

Do I put my Windows user name or Ubuntu? I am assuming it's my Windows.
 
Old 04-07-2010, 05:45 PM   #4
cK`
LQ Newbie
 
Registered: Apr 2010
Location: Orange
Distribution: Unbuntu Server 9.10
Posts: 28

Original Poster
Rep: Reputation: 15
Actually, windowsusername@192.168.1.22 I can't log in anymore; I get a prompt for username, then I type in password but it says access denied.

Oh, I also tried ubuntuUserName@ipForRemotePc; same thing, got locked out on all comps.

Last edited by cK`; 04-07-2010 at 06:01 PM.
 
Old 04-07-2010, 06:07 PM   #5
Sky.Crawler
LQ Newbie
 
Registered: Apr 2010
Posts: 21

Rep: Reputation: 3
Consider using Public Key Authentication.

If you set up the server with only one public key, you can stick the corresponding private key on the computer you want to have exclusive access to the server. That removes the problem of limiting the IP addresses.

If you set up public key authentication, then disable passwords, you also remove the risk of the SSH port being brute-forced.
 
Old 04-07-2010, 06:15 PM   #6
cK`
LQ Newbie
 
Registered: Apr 2010
Location: Orange
Distribution: Unbuntu Server 9.10
Posts: 28

Original Poster
Rep: Reputation: 15
I did that. I was reading through tutorials and it seemed they all suggested key authing and only allowing one IP to connect.

I am not familiar with what tools hackers use to get into servers, so I do not know if there is a way around key auth. I just thought I would restrict what IP ssh would let access. (Just another hump for a potential hacker.)


So yeah, what I want to do is lock down ssh as much as possible. I have done this so far:

1. Disabled root login
2. Changed standard port
3. Enabled key auth
4. Disabled password login

And what I am having trouble with is

5. Make ssh only allow my personal PC to connect to it via PuTTY. (I don't even want it to allow other people to be given the option of puttying in a username.)


Is key auth safe enough to only rely on, without limiting the IPs that can connect?

Last edited by cK`; 04-07-2010 at 06:22 PM.
 
Old 04-07-2010, 06:33 PM   #7
Sky.Crawler
LQ Newbie
 
Registered: Apr 2010
Posts: 21

Rep: Reputation: 3
Quote:
Originally Posted by cK`
Is key auth safe enough to only rely on, without limiting the IPs that can connect?

Yes, as long as passwords are disabled, as you have done.

Check out TCP Wrappers if you want to continue with the IP setup.

These deal with two files:
/etc/hosts.allow
/etc/hosts.deny

.allow rules trump the .deny rules.

Go here and scroll down to 'hosts.allow and hosts.deny'.

By putting:

ALL : ALL

in the .deny file and:

sshd : 192.168.

in the .allow file, your LAN should be secure. The '192.168.' covers the range of your local LAN, in case your router gives out dynamic IP addresses.

Last edited by Sky.Crawler; 04-07-2010 at 06:39 PM. Reason: More information
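
How the two files in this post combine, as an added example (not part of the original thread): a small model of the TCP Wrappers decision order, where a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, and otherwise access is granted. It handles only the ALL wildcard, exact names and trailing-dot address prefixes; the 203.0.113.7 and 192.168.1.50 addresses and the vsftpd daemon name are constructed.

```python
def _match(pattern, value):
    """ALL matches anything; a pattern ending in '.' matches an address prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value

def _rule_matches(rule, daemon, client_ip):
    """A rule is 'daemon_list : client_list'; any further ':' field is ignored here."""
    daemons, _, rest = rule.partition(":")
    clients = rest.partition(":")[0]
    daemon_ok = any(_match(d, daemon) for d in daemons.replace(",", " ").split())
    client_ok = any(_match(c, client_ip) for c in clients.replace(",", " ").split())
    return daemon_ok and client_ok

def access_granted(hosts_allow, hosts_deny, daemon, client_ip):
    """Decision order: hosts.allow match grants, then hosts.deny match refuses, else grant."""
    if any(_rule_matches(r, daemon, client_ip) for r in hosts_allow):
        return True
    if any(_rule_matches(r, daemon, client_ip) for r in hosts_deny):
        return False
    return True

# The two rules from the post above.
HOSTS_ALLOW = ["sshd : 192.168."]
HOSTS_DENY = ["ALL : ALL"]

if __name__ == "__main__":
    cases = [
        ("sshd", "192.168.1.22"),    # LAN client: allowed by hosts.allow
        ("sshd", "203.0.113.7"),     # constructed outside address: refused by ALL : ALL
        ("vsftpd", "192.168.1.22"),  # constructed other daemon: not in hosts.allow, refused
    ]
    for daemon, ip in cases:
        print(daemon, ip, access_granted(HOSTS_ALLOW, HOSTS_DENY, daemon, ip))
    # With an empty hosts.deny the allow rule restricts nothing: the default is to grant.
    print("no deny file:", access_granted(HOSTS_ALLOW, [], "sshd", "203.0.113.7"))
    # A full address instead of the prefix limits sshd to one machine.
    print("single host:", access_granted(["sshd : 192.168.1.22"], HOSTS_DENY, "sshd", "192.168.1.50"))
```

OpenSSH removed its built-in TCP Wrappers support in release 6.7, so these files affect sshd only on builds that still link libwrap.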
 
  


All times are GMT -5. The time now is 09:31 PM.
