LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-22-2009, 04:05 AM   #1
jerome123
LQ Newbie
 
Registered: Apr 2009
Posts: 10

Rep: Reputation: 0
ssh server how to?


Hello,

For my work i must configurate a SSH server! but there are a few requirements, where the ssh server must comply. there may only be connected from a certain ip, and when you use ssh, you can't login as root.


kind regards!
 
Old 04-22-2009, 04:32 AM   #2
Dudydoo
Member
 
Registered: Sep 2003
Location: UK
Distribution: I use 'em all ;-)
Posts: 275

Rep: Reputation: 38
To prevent root from logging in add/set this is /etc/ssh/sshd_config:

Code:
PermitRootLogin no
To restrict certain IP address, you need to use TCP wrappers:

Code:
/etc/hosts.allow
/etc/hosts.deny
man 5 hosts_access
 
Old 04-22-2009, 04:38 AM   #3
kapilsingh
LQ Newbie
 
Registered: Apr 2009
Location: Indore, India
Distribution: ubuntu, centOS,RHEL,Mandriva
Posts: 10

Rep: Reputation: 0
Hello,

All the stuff related to ssh server resides in /etc/ssh

configuration file for ssh server is sshd_config (/etc/ssh/sshd_config)
here in this file you can use option "ListenAddress 0.0.0.0" to configure the server to listen for single IP address or some address ranges.

use "AllowUsers " or "DenyUsers" options is the solution of your second question.

refer : man 5 sshd_config

Thanks
Kapil Singh Kushwah
Linux System Administrator
Hotwax Media Inc
 
Old 04-22-2009, 05:52 AM   #4
Lee_Ball
Member
 
Registered: Jul 2005
Location: Manchester (UK)
Distribution: Fedora CentOS
Posts: 132

Rep: Reputation: 18
I'd recommend using iptables to restrict the SSH access as its easily managed.

Here is an example allowing the LAN and one WAN address to access the server on SSH port 22:

-A INPUT -s 89.192.7.9/255.255.255 -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp --dport 22 -j ACCEPT

These two lines are thus, the first one allows any connections on port 22 to be ACCEPTed which ceom from 89.192.7.9 and the second line allows the subnet 192.168.0.* to connect to the server. You may or may not want this.

The iptables config file is located at /etc/sysconfig/iptables

I'd ensure that you have this at the top of the iptables script:

# Generated by iptables-save v1.2.11 on Tue Oct 31 17:13:50 2006
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

The numbers may be different, thats more or less a counter to say how many packets have been affected by that rule. (I believe).

The reason for this is some iptables have INPUT ACCEPT as the first entry. This would just accept all the packets regardless of your drop rules.
 
Old 04-22-2009, 06:13 AM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
I use the "AllowUsers" item in /etc/ssh/sshd_config.

To allow only one user, add that users name. This is the username of the person on the server, not the client.

You can also use "username@hostname". The username is a local username. The hostname is the hostname or IP address of the client.

If you use AllowUsers, all other users are denied access. That is an easy way of disallowing system logins. If this weren't the case, you would need to add the system users to the "DenyUsers" list.

You might also consider using public key authentication. The instructions for doing this are detailed in the comments above the "UsePAM yes" line. Doing this, an attacker doesn't have the opportunity to guess the username & password. If you do this however, make sure that the user protects his private key with a strong passphrase. The passphrase protects the private key on the client. Since the unlocking of the passphrase is done on the client, the server can't enforce the use of a passphrase as a policy. This is the disadvantage of using pubkey authentication with ssh.
 
  


Reply

Tags
ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables rules for web server email server,ftp and ssh,please help lightwing Linux - Networking 1 03-25-2009 09:58 PM
Using DSL and ssh / ssh-server to access the Windoze desktop GUI On2ndThought Linux - Server 4 11-16-2008 03:17 PM
ssh connection refused - trying to set up ssh server at home openSauce Linux - Server 10 10-18-2007 05:38 PM
Passwordless SSH with SSH commercial server and open ssh cereal83 Linux - General 7 04-18-2006 01:34 PM
Unable to access my ssh server and ftp server from the Internet, but smtp works foxone Linux - Networking 1 05-28-2004 06:17 PM


All times are GMT -5. The time now is 10:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration