How to configure SSH to allow or deny a specific host (IP address).
The AllowUsers and DenyUsers directives support the user@host syntax and also support wildcards. IIRC, if you have an AllowUsers directive, only users/hosts specified by it will be allowed to connect and all others will be denied by default. The sshd_config and ssh_config man pages have some further info on this subject.
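To see how those directives combine, here is a small model of sshd's DenyUsers/AllowUsers evaluation, added as an example (it is not code from the thread or from OpenSSH). The sshd_config fragment and the login attempts are constructed; the '*' / '?' wildcard handling is approximated with fnmatch, and CIDR address patterns are not modelled.

```python
"""Model of how sshd applies DenyUsers / AllowUsers (added example).

Per sshd_config(5): DenyUsers is evaluated first, then AllowUsers. If any
AllowUsers entry exists, a login must match one of them. Entries are USER or
USER@HOST, where HOST is checked against the client's hostname and its
address, and '*' / '?' wildcards are accepted. Sample data is constructed.
"""
from fnmatch import fnmatchcase

# Constructed sshd_config fragment (hostnames and addresses are made up).
SSHD_CONFIG = """
DenyUsers  root  guest@*
AllowUsers admin@192.168.0.*  deploy@build.example.internal  *@10.0.0.5
"""

def parse_directives(text):
    """Return {'DenyUsers': [...], 'AllowUsers': [...]} from a config fragment."""
    rules = {"DenyUsers": [], "AllowUsers": []}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in rules:
            rules[parts[0]].extend(parts[1:])
    return rules

def pattern_matches(pattern, user, host, addr):
    """Match one USER or USER@HOST pattern against a login attempt."""
    user_pat, _, host_pat = pattern.partition("@")
    if not fnmatchcase(user, user_pat):
        return False
    if not host_pat:              # plain USER pattern: any origin matches
        return True
    # The host part may name the client hostname or its IP address.
    return fnmatchcase(host, host_pat) or fnmatchcase(addr, host_pat)

def login_permitted(rules, user, host, addr):
    """DenyUsers wins first; then AllowUsers, if present, must match."""
    if any(pattern_matches(p, user, host, addr) for p in rules["DenyUsers"]):
        return False
    if rules["AllowUsers"]:
        return any(pattern_matches(p, user, host, addr) for p in rules["AllowUsers"])
    return True                   # no AllowUsers list: everyone not denied

if __name__ == "__main__":
    rules = parse_directives(SSHD_CONFIG)
    for user, host, addr in [("admin", "ws1.lan", "192.168.0.22"),
                             ("admin", "laptop", "203.0.113.9"),
                             ("guest", "anything", "10.0.0.5"),
                             ("backup", "nas.lan", "10.0.0.5")]:
        verdict = "allow" if login_permitted(rules, user, host, addr) else "deny"
        print(f"{user} from {host} ({addr}): {verdict}")
```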
ssh (SSH client) is a program for logging into a remote
machine and for executing commands on a remote machine. It
is intended to replace rlogin and rsh, and provide secure
encrypted communications between two untrusted hosts over an
insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
ssh implements the RSA authentication protocol
automatically. The user creates his/her RSA key pair by
running ssh-keygen(1). This stores the private key in
$HOME/.ssh/identity and the public key in
$HOME/.ssh/identity.pub in the user's home directory. The
user should then copy the identity.pub to
$HOME/.ssh/authorized_keys in his/her home directory on the
remote machine (the authorized_keys file corresponds to the
conventional $HOME/.rhosts file, and has one key per line,
though the lines can be very long). After this, the user
can log in without giving the password. RSA authentication
is much more secure than rhosts authentication.
The StrictHostKeyChecking option can be used to
prevent logins to machines whose host key is not known or
The options are as follows:
-a Disables forwarding of the authentication agent
-A Enables forwarding of the authentication agent
connection. This can also be specified on a per-host
basis in a configuration file.
/etc/hosts.deny is checked before /etc/hosts.allow, so you can go
ALL : ALL
first, we block everything from everyone,
ALL : localhost
which means only 192.168.0.22 on your local network
can access ssh or the proftp server on that machine.
If you don't want to or can't block ALL in hosts.deny (e.g. you log in at work from a dynamically-addressed machine like I do), you can use the DenyHosts script (http://denyhosts.sourceforge.net/) to 'automagically' generate the list of denied hosts for you from the /var/log/auth.log file. I know it's available in Ubuntu's package list; otherwise you can get an rpm from the website above.
Options for automatically denying brute force attacks
I use a couple of programs (and there are other good ones as well) that automatically manage the blocking and unblocking of hosts based on whether they try too many times to guess logins and passwords to common services like ssh and ftp. I found they work very well to eliminate annoying brute force attacks.
The program "blockhosts" works with TCP wrappers (the /etc/hosts.deny and /etc/hosts.allow stuff). I use it on a hacked embedded device I have that is stuck with a 2.4 version kernel.
The program "fail2ban" works with iptables, which means it requires kernel 2.6 with iptables enabled, but is better because it bans IPs at the kernel level, which is probably faster and safer. On my Debian machines, I found "fail2ban" just works out-of-the-box with a default install -- nice.
Check your distribution's repositories for these, or Google for the sources if you need to. I had to compile blockhosts myself for my PPC-based Linkstation, for example.
I think iptables is better than tcp wrappers because it will block the user even before it can reach the application, hence a smaller chance of getting cracked.
The sshd daemon should not be overloaded with meaningless blocking and host filtering activities as there are better options like tcp wrappers and iptables that are specifically designed to do this job.
I agree with Samix, IPTABLES is the way to go. I use Firestarter (wrapper around IPTABLES) as the firewall and block all access to the SSH port by default, allowing only selected hosts via Firestarter configuration.
Yes, Firestarter is a nice X app that not only configures IPTABLES easily, but also gives you real-time monitoring of activity. Because it only configures IPTABLES, you don't actually have to keep it running all the time for the IPTABLES filtering to work, if you don't want to. It only needs to run if you wish to change things, or monitor what is going on.