Correct me if im wrong for restricting SSH access

sathyguy · 01-17-2006, 04:11 AM

Friends,

We have RHEL AS 3.0 with Oracle 9i database.
We have 5 branches(100 users) connecting to our oracle database which is inside the linux server.
We have to restrict the SSH connection by ipaddress.
We have not enabled the browsing(internet) option in our server.
I just want to disable everyone to access our server except from 3 ip's.
So please go through the following and correct me if im wrong....

Step 1:
/etc/hosts.deny
sshd: ALL

Step 2:
/etc/hosts.allow
sshd: 192.56.3.23 192.56.3.33 152.32.7.13

Step 3:
/etc/ssh/sshd_config

Port 110101010 (if i change the port number will it affects the users who are all connecting to oracle database?)

PasswordAuthentication no
PermitEmptyPassword no
StrictModes yes
Protocol 2

if i have to do any other changes in the step 3 please point out the changes.

Step 4:
i checked in /etc/sysconfig but there is no file called iptables.
there are 2 other files ip6tables-config and iptables-config.
So i thing the iptables are not installed. if its must then advice me the steps.
Also, after doing step1,2,3 the step 4 is not necessary....Am i right?

Finally my question is.....if i do the above changes in my linux box will it affect the oracle database which is inside our linux box?
And also, the users who are all connected to oracle database will be affected....

Please treat this as urgent.....

thanks & Regards
Sathyguy

~=gr3p=~ · 01-17-2006, 05:03 AM

can't comment on the oracle part but for iptables u first run
# service iptables save

and it create a file /etc/sysconfig/iptables

simple rules for SSH in addition to tcp wrappers:

# iptables -A INPUT -s <allowed_IP> -d <server IP> -p tcp --dport 22 -j ACCEPT

# iptables -A INPUT -s <Your_NETWORK> -d <server IP> -p tcp --dport 22 -j REJECT

Hardcore rules:
# iptables -A INPUT -p tcp --dport 22 -m mac --mac-source <allowed machine MAC address> -j ACCEPT

# iptables -A INPUT -s <Your_NETWORK> -d <server IP> -p tcp --dport 22 -j REJECT

other wise your SSH look good. Two more options u might add to allow only particular users:

AllowUsers user1 user2 user3 usern
PermitRootLogin No

You can login as user1 and then su - root

sathyguy · 01-17-2006, 05:15 AM

gr3p
Thanks for your reply...
Suppose, im not at all touching the iptables....im doing all the rest of the changes...
will there be a security hole.
also, what about the port?

Can anyone help me in the oracle part of my question?

Brian Knoblauch · 01-17-2006, 06:59 AM

Changing the SSH port shouldn't affect Oracle. Oracle connections I believe are on one of the (much higher) SQL ports. (1585 or something like that?). Not real sure anymore on the port number, haven't run Oracle for years

sathyguy · 01-17-2006, 11:59 PM

gr3p
Now my question is....
Suppose, im not at all touching the iptables....
I mean...if im not creating the iptables....
im doing all the rest of the changes...
will there be a security hole.