For my work I must configure an SSH server, but there are a few requirements the SSH server must comply with: connections may only come from a certain IP, and when you use SSH, you can't log in as root.
All the stuff related to the SSH server resides in /etc/ssh.
The configuration file for the SSH server is sshd_config (/etc/ssh/sshd_config).
Here in this file you can use the option "ListenAddress 0.0.0.0" to configure the server to listen for a single IP address or some address ranges.
Using the "AllowUsers" or "DenyUsers" options is the solution to your second question.
Refer to: man 5 sshd_config
Thanks
Kapil Singh Kushwah
Linux System Administrator
Hotwax Media Inc
These two lines are thus: the first one allows any connections on port 22 which come from 89.192.7.9 to be ACCEPTed, and the second line allows the subnet 192.168.0.* to connect to the server. You may or may not want this.
The iptables config file is located at /etc/sysconfig/iptables
I'd ensure that you have this at the top of the iptables script:
# Generated by iptables-save v1.2.11 on Tue Oct 31 17:13:50 2006
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
The numbers may be different; that's more or less a counter to say how many packets have been affected by that rule (I believe).
The reason for this is that some iptables configs have INPUT ACCEPT as the first entry. This would just accept all the packets regardless of your drop rules.
I use the "AllowUsers" item in /etc/ssh/sshd_config.
To allow only one user, add that user's name. This is the username of the person on the server, not the client.
You can also use "username@hostname". The username is a local username. The hostname is the hostname or IP address of the client.
If you use AllowUsers, all other users are denied access. That is an easy way of disallowing system logins. If this weren't the case, you would need to add the system users to the "DenyUsers" list.
You might also consider using public key authentication. The instructions for doing this are detailed in the comments above the "UsePAM yes" line. Doing this, an attacker doesn't have the opportunity to guess the username & password. If you do this however, make sure that the user protects his private key with a strong passphrase. The passphrase protects the private key on the client. Since the unlocking of the passphrase is done on the client, the server can't enforce the use of a passphrase as a policy. This is the disadvantage of using pubkey authentication with ssh.
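An added example (not from any poster in this thread) that checks an sshd_config against the two requirements in the question: a small Python audit that parses the top-level directives and reports when PermitRootLogin is not "no" or when any AllowUsers entry is not pinned to an approved client address. The sample configs and the approved-address set are constructed; it assumes whitespace-separated directives and skips everything after a Match line.

```python
import shlex

# Constructed sample configs (not from the thread): one that violates both
# requirements and one that satisfies them.
BAD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
GOOD_CONFIG = """
Port 22
PermitRootLogin no
AllowUsers alice@89.192.7.9 bob@192.168.0.*   # ops staff only
"""

def parse_sshd_config(text):
    """Top-level directives as {lowercase keyword: [values...]}.
    Values accumulate in file order; directives after a Match line apply
    only conditionally, so they are skipped here."""
    directives, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0].lower() == "match":
            in_match = True
        elif not in_match:
            directives.setdefault(parts[0].lower(), []).extend(parts[1:])
    return directives

def audit(text, allowed_hosts):
    """Check that root cannot log in and that every AllowUsers entry is
    pinned to an approved client host/pattern. Returns a list of findings;
    an empty list means the config passes both requirements."""
    d = parse_sshd_config(text)
    findings = []
    root = d.get("permitrootlogin", [None])[0]   # sshd keeps the first value
    if root is None:
        findings.append("PermitRootLogin is not set; set it to 'no' explicitly")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}', expected 'no'")
    entries = d.get("allowusers", [])
    if not entries:
        findings.append("AllowUsers is unset: any local account may log in from anywhere")
    for entry in entries:
        user, _, host = entry.partition("@")
        if user == "root":
            findings.append(f"'{entry}' explicitly allows root")
        if not host:
            findings.append(f"'{entry}' has no @host, so it allows any client address")
        elif host not in allowed_hosts:
            findings.append(f"'{entry}' allows host '{host}' outside the approved list")
    return findings
```

Run audit() on the contents of /etc/ssh/sshd_config with the set of addresses your site approves; the same check can be wired into a config-management test before sshd is reloaded.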