LinuxQuestions.org
Old 03-28-2005, 04:52 PM   #1
nick1
Member
 
Registered: Oct 2004
Posts: 47

Rep: Reputation: 15
limit access to SSH server by IP


Greetings,

I'm a newbie to Linux and just started using SuSE 9.1 Personal.
I have the SSH server up and running.
I would like to restrict access to the SSH server by IP address.
For example, only a computer with an IP of 111.222.333.444 is allowed
to access the SSH server. Or, computers with IP's that start with
111.222.333.xxx are allowed to access the SSH server.

I've tried setting this option in the /etc/sysconfig/SuSEfirewall2 file:

# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesnt matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
# Please note that a trusted host/net is *not* allowed to ping the firewall
# until you set it to allow also icmp!
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, seperated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS="192.168.1.103,ssh"

I stopped and restarted the firewall using these commands:

/sbin/SuSEfirewall2 stop
/sbin/SuSEfirewall2 start

However, I was still able to connect to the SSH server from 192.168.1.102, which, according to the firewall rule, I shouldn't have been able to do. Any suggestions?

Thanks for your time,

*Nick*
 
Old 03-28-2005, 08:44 PM   #2
auximini
Member
 
Registered: Dec 2003
Location: Calgary, AB
Distribution: Any!
Posts: 146

Rep: Reputation: 18
What if you try 22 instead of ssh?
 
Old 03-29-2005, 09:46 AM   #3
crozewski
LQ Newbie
 
Registered: Mar 2005
Location: New Jersey
Distribution: Fedora, SuSE, Debian(sparc32)
Posts: 17

Rep: Reputation: 0
nothing

Last edited by crozewski; 12-03-2008 at 11:02 PM.
 
Old 03-29-2005, 12:43 PM   #4
nick1
Member
 
Registered: Oct 2004
Posts: 47

Original Poster
Rep: Reputation: 15
Thanks for replying. Here are the results of some different options I've tried so far:

FW_TRUSTED_NETS="192.168.1.103,22"
(still able to log into SSH server from 192.168.1.102)

FW_TRUSTED_NETS="192.168.1.103,22"
(error: the third paramter is for use with tcp, udp, and icmp only in FW_TRUSTED_NETS -> 192.168.1.103,ssh,22)

FW_TRUSTED_NETS="192.168.1.103,tcp,22"
(still able to log into SSH server from 192.168.1.102)

At this point, I think crozewski's theory is correct: the computer doesn't understand that all other IP addresses should NOT be trusted. Any suggestions?

Thanks,

*Nick*
 
Old 03-29-2005, 01:01 PM   #5
auximini
Member
 
Registered: Dec 2003
Location: Calgary, AB
Distribution: Any!
Posts: 146

Rep: Reputation: 18
Is there a place in the firewall config to set a default policy of deny?
 
Old 03-29-2005, 01:14 PM   #6
nick1
Member
 
Registered: Oct 2004
Posts: 47

Original Poster
Rep: Reputation: 15
After searching through the SuSEfirewall2 config file, it doesn't look like there's an option to DENY anything, unfortunately. Does this restricted access by IP need to be setup somewhere in the SSH server and not in the firewall?

Thanks,

*Nick*
 
Old 03-29-2005, 05:36 PM   #7
nick1
Member
 
Registered: Oct 2004
Posts: 47

Original Poster
Rep: Reputation: 15
Figured this one out....

I have to write the following in my HOSTS.DENY file (that's right, .DENY and not .ALLOW!)
in order to restrict access by IP address to my SSH server:

sshd:192.168.1.100:allow
sshd:all:deny

It was like the computer wasn't even reading the hosts.allow file.
So I tried using the hosts.deny file instead and bingo, it works now.
I can restrict access to the SSH server by IP.

So my next question is: how come SuSE isn't reading the hosts.allow file?
Is there a way I can test to make sure that SuSE really isn't reading the hosts.allow file?

Thanks,

*Nick*
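As an added illustration (not code from the thread or from SuSE), here is a small Python model of how TCP wrappers evaluates /etc/hosts.allow and then /etc/hosts.deny; it takes nick1's hosts.deny lines from post #7 as constructed input and also checks the equivalent split across hosts.allow and hosts.deny, so a rule set can be reasoned about before trusting it on a live box. The pattern syntax covered here (ALL, an exact address, a trailing-dot network prefix, the optional :allow/:deny field) is a simplification of the real hosts_access(5) grammar.

```python
# Added model (not from the thread) of the TCP wrappers hosts_access()
# decision, so a rule set can be checked offline before relying on it.
# Real order: /etc/hosts.allow is consulted first, then /etc/hosts.deny;
# the first matching line wins, and no match in either file means allow.
# Modelled patterns: ALL, an exact IP, a "192.168.1." network prefix,
# and the optional trailing ":allow" / ":deny" field that nick1 used.

# Constructed input reproducing post #7: empty hosts.allow, rules in hosts.deny.
HOSTS_ALLOW = ""
HOSTS_DENY = """
sshd:192.168.1.100:allow
sshd:all:deny
"""

def _match(pattern, value):
    """One pattern against one daemon name or client address."""
    p = pattern.strip().lower()
    if p == "all":
        return True
    if p.endswith("."):            # network prefix such as 192.168.1.
        return value.startswith(p)
    return p == value.lower()

def _first_match(text, daemon, client_ip, default_action):
    """Action of the first line matching daemon and client, else None."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:                    # malformed line: ignore it
            continue
        daemons, clients = fields[0], fields[1]
        action = default_action                # the file decides unless overridden
        if len(fields) > 2 and fields[2].lower() in ("allow", "deny"):
            action = fields[2].lower()
        if any(_match(d, daemon) for d in daemons.split(",")) and \
           any(_match(c, client_ip) for c in clients.split(",")):
            return action
    return None

def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return "allow" or "deny" the way tcpdmatch would for this daemon/client."""
    verdict = _first_match(allow, daemon, client_ip, "allow")
    if verdict is None:
        verdict = _first_match(deny, daemon, client_ip, "deny")
    return verdict if verdict is not None else "allow"
```

On a system that actually has tcp_wrappers installed, `tcpdmatch sshd 192.168.1.102` runs the real check against the installed files and reports which line matched, which is the direct way to answer the "is it reading hosts.allow" question. Note that this only helps if sshd was built with libwrap support; a firewall rule is the more general control.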
 