ssh server how to?

jerome123 · 04-22-2009, 03:05 AM

Hello,

For my work i must configurate a SSH server! but there are a few requirements, where the ssh server must comply. there may only be connected from a certain ip, and when you use ssh, you can't login as root.

kind regards!

Dudydoo · 04-22-2009, 03:32 AM

To prevent root from logging in add/set this is /etc/ssh/sshd_config:

Code:

PermitRootLogin no

To restrict certain IP address, you need to use TCP wrappers:

Code:

/etc/hosts.allow
/etc/hosts.deny
man 5 hosts_access

kapilsingh · 04-22-2009, 03:38 AM

Hello,

All the stuff related to ssh server resides in /etc/ssh

configuration file for ssh server is sshd_config (/etc/ssh/sshd_config)
here in this file you can use option "ListenAddress 0.0.0.0" to configure the server to listen for single IP address or some address ranges.

use "AllowUsers " or "DenyUsers" options is the solution of your second question.

refer : man 5 sshd_config

Thanks
Kapil Singh Kushwah
Linux System Administrator
Hotwax Media Inc

Lee_Ball · 04-22-2009, 04:52 AM

I'd recommend using iptables to restrict the SSH access as its easily managed.

Here is an example allowing the LAN and one WAN address to access the server on SSH port 22:

-A INPUT -s 89.192.7.9/255.255.255 -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp --dport 22 -j ACCEPT

These two lines are thus, the first one allows any connections on port 22 to be ACCEPTed which ceom from 89.192.7.9 and the second line allows the subnet 192.168.0.* to connect to the server. You may or may not want this.

The iptables config file is located at /etc/sysconfig/iptables

I'd ensure that you have this at the top of the iptables script:

# Generated by iptables-save v1.2.11 on Tue Oct 31 17:13:50 2006
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

The numbers may be different, thats more or less a counter to say how many packets have been affected by that rule. (I believe).

The reason for this is some iptables have INPUT ACCEPT as the first entry. This would just accept all the packets regardless of your drop rules.

jschiwal · 04-22-2009, 05:13 AM

I use the "AllowUsers" item in /etc/ssh/sshd_config.

To allow only one user, add that users name. This is the username of the person on the server, not the client.

You can also use "username@hostname". The username is a local username. The hostname is the hostname or IP address of the client.

If you use AllowUsers, all other users are denied access. That is an easy way of disallowing system logins. If this weren't the case, you would need to add the system users to the "DenyUsers" list.

You might also consider using public key authentication. The instructions for doing this are detailed in the comments above the "UsePAM yes" line. Doing this, an attacker doesn't have the opportunity to guess the username & password. If you do this however, make sure that the user protects his private key with a strong passphrase. The passphrase protects the private key on the client. Since the unlocking of the passphrase is done on the client, the server can't enforce the use of a passphrase as a policy. This is the disadvantage of using pubkey authentication with ssh.