LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-24-2017, 02:56 PM   #1
Woefdram
LQ Newbie
 
Registered: Oct 2017
Location: Netherlands
Distribution: Debian
Posts: 7

How to limit SSH access for one account to only 2 addresses?


My monitoring system uses SSH to do its business. I want the managed servers to only accept this login from 2 addresses: the IPv4 and IPv6 address of my monitoring server. Seems simple, but I can't figure out how to make that work.

I've seen several threads about exactly this, such as this one, and I studied the manpage. What I think I should do is tell SSH to deny this user if he's not coming from either of these 2 addresses.

These are the last lines in my sshd_config:
Code:
Match Address !12.23.45.78
  DenyUsers nagios
Match Address !11:22:44:55::1
  DenyUsers nagios
But it doesn't seem to do a thing, because nagios can still log in from any address.

Or it could even be simpler, without any Match element:
Code:
DenyUsers nagios@!12.23.45.78 nagios@!11:22:44:55::1
Same result: nagios can log in from anywhere. So I tried it the other way around: first denying access and then allowing for the 2 addresses:

Code:
DenyUsers nagios

Match Address 12.23.45.78
  AllowUsers nagios

Match Address 11:22:44:55::1
  AllowUsers nagios
But now nagios can't log in from any address. Moving the top line to the bottom doesn't change it either. Whatever I try, nagios can either log in from anywhere or nowhere at all.

I'm sure it's something small, but I can't figure out how to make this work.

Anyone?
 
Old 10-25-2017, 10:12 AM   #2
Woefdram
LQ Newbie
 
Registered: Oct 2017
Location: Netherlands
Distribution: Debian
Posts: 7

Original Poster
Found it. Or better: someone else found it for me:

http://forums.debian.net/viewtopic.p...35094&#p657213

Not sure if the problem is in SSH or in my understanding of it, but if I add a * to the match list, it suddenly works as desired.

Code:
Match Address !12.23.45.78,!11:22:44:55::1,*
    DenyUsers nagios
A match will not occur unless at least one of the tests is positive; that's the idea, I think. Adding the wildcard does that.
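To see why the wildcard matters, here is an added Python model of how sshd evaluates a Match Address list (written for this thread, not OpenSSH's own code): a negated entry that hits returns a hard "no match", a plain entry that hits returns "match", and a list where nothing hits also returns "no match", so a list made only of `!` entries never applies the block. The outsider address 203.0.113.9 is a constructed sample; the two monitoring addresses are the ones from the posts above.

```python
import fnmatch
import ipaddress


def _pattern_hits(addr: str, pattern: str) -> bool:
    """One entry of a Match Address list: a CIDR block or plain address,
    or, if that does not parse, a wildcard pattern such as 10.0.*"""
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return fnmatch.fnmatchcase(addr, pattern)
    # mixed IPv4/IPv6 comparisons are simply False here, as in sshd
    return ipaddress.ip_address(addr) in net


def match_address(addr: str, pattern_list: str) -> int:
    """Mimics sshd's address-list matching for 'Match Address'.
    Returns -1 if a negated (!) entry matches the source address,
    1 if a non-negated entry matches, 0 if no entry matched at all.
    The Match block is applied only when the result is 1."""
    result = 0
    for entry in pattern_list.split(","):
        entry = entry.strip()
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if _pattern_hits(addr, entry):
            if negated:
                return -1      # a negated hit ends evaluation: no match
            result = 1         # keep going: a later ! entry can still veto
    return result


def nagios_denied(src_addr: str, match_list: str) -> bool:
    """True if 'Match Address <match_list>' followed by 'DenyUsers nagios'
    blocks a login from src_addr."""
    return match_address(src_addr, match_list) == 1


# Monitoring addresses from the thread plus a constructed outsider address
MONITOR_V4 = "12.23.45.78"
MONITOR_V6 = "11:22:44:55::1"
OUTSIDER = "203.0.113.9"  # constructed sample (TEST-NET-3)

if __name__ == "__main__":
    for rule in ("!12.23.45.78", "!12.23.45.78,!11:22:44:55::1,*"):
        for src in (MONITOR_V4, MONITOR_V6, OUTSIDER):
            print(f"{rule!r:36} from {src:16} denied={nagios_denied(src, rule)}")
```

Running it shows the first rule denying nobody (every result is 0) and the rule with the trailing `*` denying only the outsider, which is the behaviour the two posts describe.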
 
Old 10-25-2017, 01:25 PM   #3
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

This might be helpful as a resource
https://www.linuxquestions.org/quest...ts-4175530596/