LinuxQuestions.org


platypo 03-05-2018 08:59 AM

Restrict OpenSSH to device
 
I am trying to restrict sshd to one device by leaving the following line in /etc/ssh/sshd_config uncommented:

Code:

ListenAddress 10.0.0.1
Is that all that has to be done to make the ssh-daemon listen on only one interface?

In my case I can still connect on all devices after a fresh reboot with the above configuration, but weirdly, if I restart sshd.service manually it seems to work properly.

scasey 03-05-2018 09:08 AM

Yes. That is how to restrict sshd to a single IP address (not device, although an IP address can only be on one device at a time).

Our production server uses 5 IP addresses (long story). One is used only for sshd. Attempts to ssh to any other IP on that server just hang...

platypo 03-05-2018 02:31 PM

Quote:

Originally Posted by scasey (Post 5827493)
Yes. That is how to restrict sshd to a single IP address (not device, although an IP address can only be on one device at a time).

Our production server uses 5 IP addresses (long story). One is used only for sshd. Attempts to ssh to any other IP on that server just hang...

Thank you.
So how can I avoid ssh login on the other device/address? I have no idea where to start (distribution is Arch Linux).

scasey 03-05-2018 05:03 PM

If you have configured sshd with
Code:

ListenAddress 10.0.0.1
and restarted the sshd service, other addresses won't be listening on port 22 (or whatever port you've configured sshd to listen on).

Use
Code:

netstat -tnlp
to see what's listening where:
Code:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN      1/systemd  <-- listening on all addresses
...
tcp        0      0 192.168.0.55:22        0.0.0.0:*              LISTEN      1174/sshd  <-- listening on 192.168.0.55 only

Not sure why that wouldn't survive a reboot. You are changing in /etc/ssh/sshd_config, correct? The sshd.service is enabled?

platypo 03-06-2018 04:49 AM

I seem to have found the problem: for some reason sshd.socket is run at boot, which listens on all devices, while sshd.service is disabled.
I still wonder, doesn't the socket use sshd_config?

scasey 03-06-2018 10:23 AM

Don't know what sshd.socket is... Why do you have the sshd.service disabled? If it's enabled, it will use the sshd_config at boot time.
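As an added example (not from this thread or from either poster), here is a small shell check for the situation platypo ran into: sshd reachable on every address even though sshd_config says ListenAddress 10.0.0.1. It parses an `ss -Hltnp` style listing (the sample below is constructed; on a real host pipe the live output in instead), reports any wildcard-bound listener on the ssh port together with the process that owns it, and prints a systemd drop-in that pins the socket unit to one address. It assumes the socket unit is called sshd.socket and binds the port with ListenStream, which is what a socket-activated sshd does; in that mode systemd, not sshd, owns the listening socket, so sshd_config's ListenAddress is never consulted.

```shell
#!/bin/sh
# Constructed sample in `ss -Hltnp` column order: State Recv-Q Send-Q Local Peer Process.
# Port 22 is held by pid 1 (systemd, i.e. sshd.socket) on 0.0.0.0 and [::],
# while the sshd started from sshd_config only bound 10.0.0.1.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("systemd",pid=1,fd=40))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("systemd",pid=1,fd=41))
LISTEN 0 128 10.0.0.1:22 0.0.0.0:* users:(("sshd",pid=1174,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("systemd",pid=1,fd=42))'

# Read an ss listing on stdin and print "local-address owner" for every listener on
# PORT (default 22) whose local address is a wildcard (0.0.0.0, [::] or *).
# Exit status is 1 when at least one such listener exists, 0 otherwise.
ssh_wildcard_listeners() {
    port="${1:-22}"
    awk -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); addr = a[1]; lport = a[n]
            if ($4 ~ /^\[::\]:/) addr = "[::]"      # "[::]:22" splits oddly; restore it
            if (lport != port) next
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
                owner = "unknown"
                if (match($0, /\("[^"]+"/)) owner = substr($0, RSTART + 2, RLENGTH - 3)
                print $4, owner
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Convenience wrapper: number of wildcard listeners on port 22 in the sample.
count_wildcard_ssh() {
    printf '%s\n' "$SAMPLE_SS" | ssh_wildcard_listeners 22 | wc -l | tr -d ' '
}

# When the owner is systemd, the fix is on the socket unit, not in sshd_config:
# either disable sshd.socket and enable sshd.service, or keep socket activation and
# install this drop-in as /etc/systemd/system/sshd.socket.d/listen.conf, then run
# systemctl daemon-reload && systemctl restart sshd.socket. The empty ListenStream=
# clears the unit's default wildcard port before the single address is added.
sshd_socket_dropin() {
    printf '[Socket]\nListenStream=\nListenStream=%s:22\n' "${1:-10.0.0.1}"
}

printf '%s\n' "$SAMPLE_SS" | ssh_wildcard_listeners 22 \
    || echo "ssh port reachable on all addresses; pin or disable sshd.socket"
```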
