LinuxQuestions.org

Linux - Newbie forum thread: https://www.linuxquestions.org/questions/linux-newbie-8/how-to-configure-ssh-to-allow-or-deny-specify-host-ip-address-610246/

hocheetiong 12-31-2007 04:58 PM

How to configure SSH to allow or deny a specific host (IP address).

Hi, in /etc/ssh/sshd_config I only know how to configure allowed users:

AllowUsers user1 user2
AllowUsers michael@linuxsystem

How do I configure deny with both directives? Is the DenyUser directive correct?

If I want to only allow or deny a host (IP address), how do I configure that, and with what directive?

AllowHost
DenyHost

Is this correct?

Thank you.

btmiller 12-31-2007 05:17 PM

The AllowUsers and DenyUsers directives support the user@host syntax and also support wildcards. IIRC, if you have an AllowUsers directive, only the users/hosts specified by it will be allowed to connect and all others will be denied by default. The sshd_config and ssh_config man pages have some further info on this subject.

samix_119 01-01-2008 12:07 AM

Salaam,

Just use tcp wrappers!!!

Go to the file /etc/hosts.deny and add this entry:

sshd: 192.168.0.1/255.255.255.0

If the above does not work, then try the same entry without the netmask:

sshd: 192.168.0.1

This should, God willing, block out the IP you want to block!

Regards

muralee29477 01-01-2008 01:39 AM

Hi everybody,

You can use iptables or TCP wrappers, but I prefer iptables; it will serve your requirements.

Good luck,
muralee

ashwani kumar mishra 01-01-2008 05:18 AM

ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.

ssh implements the RSA authentication protocol automatically. The user creates his/her RSA key pair by running ssh-keygen(1). This stores the private key in $HOME/.ssh/identity and the public key in $HOME/.ssh/identity.pub in the user's home directory. The user should then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home directory on the remote machine (the authorized_keys file corresponds to the conventional $HOME/.rhosts file, and has one key per line, though the lines can be very long). After this, the user can log in without giving the password. RSA authentication is much more secure than rhosts authentication.

The StrictHostKeyChecking option can be used to prevent logins to machines whose host key is not known or has changed.

The options are as follows:

-a Disables forwarding of the authentication agent connection.

-A Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file.

Archiviste 01-01-2008 11:19 AM

Quote:

Originally Posted by hocheetiong (Post 3007032)
Hi, in /etc/ssh/sshd_config I only know how to configure allowed users:

AllowUsers user1 user2
AllowUsers michael@linuxsystem

How do I configure deny with both directives? Is the DenyUser directive correct?

If I want to only allow or deny a host (IP address), how do I configure that, and with what directive?

AllowHost
DenyHost

Is this correct?

Thank you.

As mentioned before, TCP wrappers is the way to go:
http://www.clug.org/presentations/se...pwrappers.html

A nice trick once it is installed:

/etc/hosts.deny is checked before /etc/hosts.allow, so you can go

* hosts.deny
ALL : ALL

first, we block everything from everyone,

* hosts.allow
ALL : localhost
sshd: 192.168.0.22
proftpd: 192.168.0.22

which means only 192.168.0.22 on your local network can access ssh or the proftp server on that machine.

If you don't want to or can't block ALL in hosts.deny (e.g. you log in at work from a dynamically-addressed machine, like I do), you can use the DenyHosts script (http://denyhosts.sourceforge.net/) to 'automagically' generate the list of denied hosts for you from the /var/log/auth.log file. I know it's available in Ubuntu's package list; otherwise you can get an rpm from the website above.
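To see how tcp_wrappers actually decides on the hosts.deny / hosts.allow pair above, and on the net/mask entry from samix_119's reply, here is an added example (not part of the original thread) that evaluates rules the way hosts_access(5) specifies: the first match in hosts.allow grants access, then the first match in hosts.deny refuses it, and a client matching neither file is granted. The rule text is constructed inline; client patterns other than ALL, hostname, address, net/mask and a trailing-dot prefix are assumed out of scope.

```python
import ipaddress

# Constructed sample files reproducing the pair posted above (not copied from a real host).
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = "ALL : localhost\nsshd : 192.168.0.22\nproftpd : 192.168.0.22\n"

def parse_rules(text):
    """Return (daemon_list, client_list) pairs; a third ': shell_command' field is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # strip comments and blank lines
        parts = line.split(":")
        if len(parts) >= 2:
            rules.append((parts[0].split(), parts[1].split()))
    return rules

def client_matches(pattern, ip, hostname):
    """Client patterns handled: ALL, a hostname, an address, 'net/mask' and a 'n.n.n.' prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                                # net/mask: match when net == (addr AND mask)
        net, mask = pattern.split("/", 1)
        masked = int(ip) & int(ipaddress.IPv4Address(mask))
        return masked == int(ipaddress.IPv4Address(net))
    if pattern.endswith("."):                         # '192.168.0.' matches by leading fields
        return str(ip).startswith(pattern)
    if hostname and pattern.lower() == hostname.lower():
        return True
    try:
        return ipaddress.IPv4Address(pattern) == ip
    except ValueError:                                # a name pattern with no hostname: no match
        return False

def any_rule_matches(rules, daemon, ip, hostname):
    for daemons, clients in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
                client_matches(c, ip, hostname) for c in clients):
            return True
    return False

def hosts_access(daemon, client_ip, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers order: first match in hosts.allow grants, then first match in hosts.deny
    refuses, and a client matching neither file is granted access."""
    ip = ipaddress.IPv4Address(client_ip)
    if any_rule_matches(parse_rules(allow), daemon, ip, hostname):
        return True
    if any_rule_matches(parse_rules(deny), daemon, ip, hostname):
        return False
    return True
```

Note that a net/mask pair only matches when the net part already has the host bits cleared, so a deny entry written as 192.168.0.1/255.255.255.0 never matches anything, while 192.168.0.0/255.255.255.0 matches the whole /24 and a bare 192.168.0.1 matches just that host.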

wartstew 01-01-2008 02:18 PM

Options for automatically denying brute force attacks
 
I use a couple of programs (and there are other good ones as well) that automatically manage the blocking and unblocking of hosts based on whether they try too many times to guess logins and passwords to common services like ssh and ftp. I found they work very well to eliminate annoying brute force attacks.

The program "blockhosts" works with TCP wrappers (the /etc/hosts.deny and /etc/hosts.allow stuff). I use it on a hacked embedded device I have that is stuck with a 2.4 version kernel.

The program "fail2ban" works with iptables, which means it requires kernel 2.6 with iptables enabled, but is better because it bans IPs at the kernel level, which is probably faster and safer. On my Debian machines, I found "fail2ban" just works out-of-the-box with a default install -- nice.

Check your distribution's repositories for these, or Google for the sources if you need to. I had to compile blockhosts myself for my PPC-based Linkstation, for example.

samix_119 01-01-2008 11:47 PM

I think iptables is better than tcp wrappers because it will block the user even before it can reach the application, hence less chance of getting cracked.

The sshd daemon should not be overloaded with meaningless blocking and host filtering activities as there are better options like tcp wrappers and iptables that are specifically designed to do this job.

sixerjman 01-17-2008 12:24 PM

I agree with Samix, IPTABLES is the way to go. I use Firestarter (wrapper around IPTABLES) as the firewall and block all access to the SSH port by default, allowing only selected hosts via Firestarter configuration.

wartstew 01-17-2008 01:40 PM

I too use Firestarter
 
Yes, Firestarter is a nice X app that not only configures IPTABLES easily, but also gives you real-time monitoring of activity. Because it only configures IPTABLES, you don't actually have to keep it running all the time for the IPTABLES filtering to work. It only needs to run if you wish to change things or monitor what is going on.
