CentOS release 6.6 and limit SSH by IP.
Hello.
I'd like to limit SSH connections to my server, which uses "CentOS release 6.6 (Final)". I Googled it and found two ways: 1- use the "hosts.allow" file, 2- use "sshd_config". Which one is better and easier? Thank you. |
The latter. tcpd aka tcpwrappers support is discontinued in modern versions of OpenSSH server. You can do the same filtering with iptables instead. However, to keep everything in one place, you can modify sshd_config to accept or block connections from specific IPs. You might even put it inside a Match block. See the manual page for sshd_config for the authoritative specifics.
|
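As an added example (not code from the thread or from OpenSSH), here is a small POSIX shell script that reproduces the address matching sshd applies to a Match Address list (IPv4, CIDR, "!" negation, "*" wildcard), so an allow-list can be checked against the client addresses that must keep working before it goes into sshd_config, and that renders the matching fragment. The allow-list and client addresses are constructed. The fragment's use of DenyUsers inside a Match block is an assumption to confirm against your release's sshd_config(5) with `sshd -t`; older releases restrict which keywords a Match block accepts.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces sshd's "Match Address"
# list evaluation (IPv4 + CIDR + "!" negation + "*" wildcard) and renders a
# deny-everyone-else fragment for sshd_config.
set -f   # list entries such as "*" must never be glob-expanded against the cwd

# Dotted quad -> 32-bit integer on stdout; return 1 if malformed.
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is address $1 inside $2, where $2 is "a.b.c.d" or "a.b.c.d/len"?
addr_in_cidr() {
    a=$(ip4_to_int "$1") || return 1
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    n=$(ip4_to_int "$net") || return 1
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    fi
    [ $(( $a & $mask )) -eq $(( $n & $mask )) ]
}

# match_address <client-ip> <comma-separated list>
# Mirrors sshd: a matching "!" entry ends evaluation as "no match";
# otherwise any positive match (CIDR, exact address or "*") is a match.
match_address() {
    ip=$1; result=1
    oldifs=$IFS; IFS=,
    set -- $2
    IFS=$oldifs
    for entry in "$@"; do
        case $entry in
            '!'*) pat=${entry#!}; neg=1 ;;
            *)    pat=$entry;     neg=0 ;;
        esac
        if [ "$pat" = '*' ] || addr_in_cidr "$ip" "$pat"; then
            [ "$neg" -eq 1 ] && return 1
            result=0
        fi
    done
    return $result
}

# render_sshd_fragment <allow-list>: the block applies to every client that
# is NOT on the allow-list. ASSUMPTION: DenyUsers is accepted inside Match on
# your OpenSSH; check with `sshd -t`, older releases restrict Match keywords.
render_sshd_fragment() {
    negated=$(printf '%s\n' "$1" | sed 's/,/,!/g')
    printf 'Match Address *,!%s\n' "$negated"
    printf '    DenyUsers *\n'
}

# Constructed allow-list and client addresses for the demonstration.
ALLOW='10.0.0.0/8,192.168.1.5'
for client in 10.0.0.10 192.168.1.5 192.168.1.6 203.0.113.9; do
    if match_address "$client" "$ALLOW"; then echo "$client: allowed"; else echo "$client: blocked"; fi
done
render_sshd_fragment "$ALLOW"
```

Run it with the addresses of every admin host on the list before restarting sshd, and keep a second session open from an allowed address while you test the new configuration, so a mistake in the list does not lock you out.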
What, why and how of tcpwrappers
by yours truly. 6.6 is eligible. |
My personal preference is to use ipsets with iptables; it works well on CentOS 6, but there have been issues with the ipset package in RHEL/CentOS 7.
With ipsets, instead of having to set up a rule per IP, you can set rules per ipset and then add IPs to the ruleset. For example, you could do the following to get two groups for admins and developers with everything else blocked.

ipset -N admins iphash
ipset -A admins 10.0.0.10
ipset -A admins 10.0.1.10
ipset -N developers iphash
ipset -A developers 10.1.0.15
ipset -A developers 172.16.23.72
iptables -I INPUT 3 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -I INPUT 4 -m set --match-set admins src -j ACCEPT -m comment --comment "Admins ipset group can connect all"
iptables -I INPUT 5 -p tcp -m conntrack --ctstate NEW --dport 22 -m set --match-set developers src -m limit --limit 12/hour --limit-burst 5 -m comment --comment "5 login attempts every 5 minutes" -j ACCEPT
iptables -I INPUT 6 -j DROP

Of course, to get to this level you would have to learn iptables and ipset, but it gives you very explicit control over what you allow and do not allow to connect. To be fair, the limit module still leaves me a tiny bit confused. |
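The per-address `ipset -A` commands above are easy to get out of sync with what is actually loaded. As an added example (not code from the thread), this POSIX shell script renders a small "group member member ..." definition into input for `ipset restore`, so the set contents live in one reviewable file; each address is validated and a malformed entry aborts the run instead of producing a half-built set. The group definition is constructed (same groups as the post); `hash:ip` is the current name of the set type the post calls `iphash`.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders "group member ..." lines
# into an `ipset restore` script: one "create" per group, one "add" per member.

# Constructed group definition for the demonstration.
GROUPS_DEF='admins 10.0.0.10 10.0.1.10
developers 10.1.0.15 172.16.23.72'

# Accept only a well-formed IPv4 dotted quad (four octets, each 0-255).
is_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Read "group member member ..." lines on stdin; print ipset restore commands.
# Blank lines and "#" comments are skipped. A malformed address is reported on
# stderr and the function returns 1 so nothing partial is loaded.
gen_ipset_restore() {
    while read -r group members; do
        [ -n "$group" ] || continue
        case $group in \#*) continue ;; esac
        printf 'create %s hash:ip family inet\n' "$group"
        for m in $members; do
            if ! is_ipv4 "$m"; then
                echo "bad address '$m' in group $group" >&2
                return 1
            fi
            printf 'add %s %s\n' "$group" "$m"
        done
    done
}

printf '%s\n' "$GROUPS_DEF" | gen_ipset_restore
```

Save the output to a file and load it with `ipset restore < file` (add the `-exist` option so re-running it is idempotent), then reference the sets from the iptables rules as in the post. Note that the sets must exist before `iptables-restore` loads rules that refer to them, so at boot the ipset load has to run first.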
I'd be tempted to do it at the iptables level as it's closer up the chain. That way you can block/reject/drop the traffic before sshd even has the connection to consider.
Then add layers; the more layers the better. For example, it's possible within .ssh/authorized_keys to specify that a key is only valid from a specific IP address. |
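The per-key restriction mentioned above is the `from="pattern-list"` option in authorized_keys. As an added example (not code from the thread), this POSIX shell script audits an authorized_keys file and reports every key that carries no `from=` restriction, i.e. keys usable from any source address, and renders what a restricted line looks like. The sample lines are constructed and their key material is a placeholder, not a real public key; the parser assumes quoted option values contain no escaped double quotes, which is the common case.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits authorized_keys lines for
# missing from= restrictions and renders a properly restricted line.

# Constructed sample file; the base64 fields are placeholders, not real keys.
SAMPLE_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-placeholder alice@laptop
from="10.0.0.0/8,192.168.1.5",no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-placeholder bob@bastion
command="/usr/local/bin/backup --target x",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD-placeholder backup@nas
# comment lines are skipped
'

# key_from_list <line>: print the from= address list of one authorized_keys
# line, "NONE" if the key has no from= option, nothing for blank/comment lines.
# Quoted values are blanked in a scratch copy so a space inside command="..."
# does not end the options field early; the value itself is read from the
# original line.
key_from_list() {
    line=$1
    case $line in ''|\#*) return 0 ;; esac
    stripped=$(printf '%s\n' "$line" | sed 's/"[^"]*"/""/g')
    opts=${stripped%% *}
    case $opts in
        ssh-*|ecdsa-sha2-*|sk-*) echo NONE; return 0 ;;   # line starts with the key type: no options
    esac
    case ",$opts," in
        *,from=\"\",*) printf '%s\n' "$line" | sed 's/.*from="\([^"]*\)".*/\1/' ;;
        *) echo NONE ;;
    esac
}

# Read an authorized_keys file on stdin; print "<comment> <restriction>" per key
# and return 1 if any key is unrestricted.
audit_authorized_keys() {
    rc=0
    while IFS= read -r line; do
        from=$(key_from_list "$line")
        [ -n "$from" ] || continue
        printf '%s %s\n' "${line##* }" "$from"
        [ "$from" = NONE ] && rc=1
    done
    return $rc
}

# restricted_key_line <addr-list> <key-type> <key-data> <comment>
# Renders a key line usable only from <addr-list>, with forwarding disabled too.
restricted_key_line() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s %s\n' \
        "$1" "$2" "$3" "$4"
}

printf '%s\n' "$SAMPLE_KEYS" | audit_authorized_keys || echo "unrestricted keys found"
restricted_key_line 10.0.0.0/8 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-placeholder carol@desk
```

Pipe each user's authorized_keys through `audit_authorized_keys` to find the keys that still work from anywhere. The `from=` list takes the same address patterns as the rest of sshd, and the key is only ever as restricted as its weakest line, so a second unrestricted copy of a key elsewhere in the file undoes the restriction.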
Quote:
printf "DenyUsers " >> /tmp/denies
awk -F":" '{print $1}' /etc/passwd | tr '\n' ' ' >> /tmp/denies
$EDITOR /tmp/denies    # manually move the users you do want to allow to the next line, with an AllowUsers
cat /tmp/denies >> /etc/ssh/sshd_config
rm /tmp/denies

Restart ssh and test. This way you further fine-tune the security. |
Quote:
Create a group "sshusers", use AllowGroups sshusers in your sshd config and then just add sshusers as a secondary group to the users allowed access. |
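Both the generated DenyUsers/AllowUsers list above and the AllowGroups sshusers approach here depend on how sshd combines those four directives; sshd_config(5) processes them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. As an added example (not code from the thread or from OpenSSH), this POSIX shell script applies that order to constructed passwd and group data, so you can see which accounts a candidate configuration would still admit before restarting sshd. Patterns use the same * and ? wildcards sshd accepts; the user@host form of AllowUsers/DenyUsers is not modelled.

```shell
#!/bin/sh
# Added example, not code from the thread. Evaluates DenyUsers / AllowUsers /
# DenyGroups / AllowGroups in the order documented in sshd_config(5) against
# constructed passwd and group data.
set -f   # patterns such as "svc-*" must not be glob-expanded against the cwd

# Constructed /etc/passwd and /etc/group content for the demonstration.
PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc-backup:x:1002:1002::/var/backup:/sbin/nologin
carol:x:1003:100::/home/carol:/bin/bash'

GROUP='root:x:0:
users:x:100:
alice:x:1000:
bob:x:1001:
svc-backup:x:1002:
sshusers:x:2000:alice,carol
admins:x:2001:alice'

# Does $1 match any space-separated pattern in $2 (sshd-style * and ? wildcards)?
matches_any() {
    for pat in $2; do
        case $1 in $pat) return 0 ;; esac
    done
    return 1
}

# All groups of user $1: the primary group (via the passwd gid) plus every
# group whose member list names the user, one per line.
user_groups() {
    gid=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP" | awk -F: -v u="$1" -v g="$gid" '
        $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# ssh_admits <user> <DenyUsers> <AllowUsers> <DenyGroups> <AllowGroups>
# An empty string means the directive is unset. Returns 0 if sshd would let
# the user past the allow/deny checks, 1 otherwise.
ssh_admits() {
    user=$1; deny_u=$2; allow_u=$3; deny_g=$4; allow_g=$5
    matches_any "$user" "$deny_u" && return 1            # 1. DenyUsers
    if [ -n "$allow_u" ]; then                            # 2. AllowUsers
        matches_any "$user" "$allow_u" || return 1
    fi
    ugroups=$(user_groups "$user")
    if [ -n "$deny_g" ]; then                             # 3. DenyGroups
        for g in $ugroups; do matches_any "$g" "$deny_g" && return 1; done
    fi
    if [ -n "$allow_g" ]; then                            # 4. AllowGroups
        for g in $ugroups; do matches_any "$g" "$allow_g" && return 0; done
        return 1
    fi
    return 0
}

# list_admitted <DenyUsers> <AllowUsers> <DenyGroups> <AllowGroups>
# Print every account in PASSWD that the configuration would admit.
list_admitted() {
    for u in $(printf '%s\n' "$PASSWD" | cut -d: -f1); do
        ssh_admits "$u" "$1" "$2" "$3" "$4" && printf '%s\n' "$u"
    done
    return 0
}

echo "AllowGroups sshusers admits:"; list_admitted '' '' '' 'sshusers'
echo "DenyUsers 'root svc-*' admits:"; list_admitted 'root svc-*' '' '' ''
```

Point PASSWD and GROUP at the real files (`PASSWD=$(cat /etc/passwd)` and the same for /etc/group) to check the actual host. The group approach is easier to keep right over time: a new account is denied until someone deliberately adds it to sshusers, whereas a generated DenyUsers list has to be regenerated every time an account is created.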
Quote:
Well, the team I am in, we are constantly complaining about many MANY issues. I couldn't really respond to this earlier while I was at work for obvious reasons, but honestly every company has issues, and if not for our sys admin teams (of which I am in one) the company would have failed a long time ago... anyways, not gonna hijack this thread too far away. I am instead looking at other jobs. Sorry, apologies for doing things in a bit too simplistic a way instead of a more functionally correct and secure method; the mindset is a bit off from where I'd like it to be sometimes. |