Restricting SSH access based on boolean ip expression

gnaray2 · 11-04-2010, 07:15 PM

Hello,

I understand we can restrict SSH access based on ip address(s) using either tcpwrapper or iptable rules. I have an use case where SSH access is defined by a boolean expression - something like:

ssh.access "host=10.56.7.1 or (host=10.56.7.2 and host=10.56.7.3)"

10.56.7.1 - Allow (above expression evaluates to true)
10.56.7.2 - Deny (above expression evaluates to false)
10.56.7.3 - Deny (above expression evaluates to false)

Is there any simpler way to do this ? One way I can think of is to modify the SSH code and for each incoming ip address, evaluate the above expression, but I don't think that is a good way to do this.

Any help appreciated.

AlucardZero · 11-04-2010, 08:01 PM

How do you make a connection from more than one IP at once?

gnaray2 · 11-05-2010, 12:22 AM

No, it is going to be just from one ip. When the connection is made, it has to be evaluated against the Boolean expression.

To give another use case, the user can allow access from any ip in the 10.22.9 subnet except 10.22.9.170 and 10.22.9.169 using the following rule:
ssh.access "host=10.22.9.1/24 and host!=10.22.9.170,10.22.9.169"

win32sux · 11-05-2010, 05:18 AM

Quote:

Originally Posted by gnaray2

No, it is going to be just from one ip. When the connection is made, it has to be evaluated against the Boolean expression.

To give another use case, the user can allow access from any ip in the 10.22.9 subnet except 10.22.9.170 and 10.22.9.169 using the following rule:
ssh.access "host=10.22.9.1/24 and host!=10.22.9.170,10.22.9.169"

With iptables that would go like this (example):

Code:

iptables -A INPUT -p TCP --dport 22 -s 10.22.9.170 -j DROP
iptables -A INPUT -p TCP --dport 22 -s 10.22.9.169 -j DROP
iptables -A INPUT -p TCP --dport 22 -s 10.22.9.0/24 -j ACCEPT