Securing SSH
Hi.
I'd like some help on securing SSH. What I'd like is to just let some specified IP addresses use it and deny everyone else access. How would I do this (without denying IP addresses access to other services running on the box, such as apache, glftpd etc.)? Cheers, Z
The most common methods are with iptables or tcpwrappers (/etc/hosts.allow and hosts.deny). Using tcpwrappers is probably the easiest and most flexible. So to limit access to sshd use:
In /etc/hosts.deny put:
Code:
SSHD: ALL
Say we want to allow one system by hostname foo.com, another system with the IP address 12.34.56.78 and the entire 98.76.54.X netblock; we would then put the following in the /etc/hosts.allow file:
Code:
SSHD: foo.com 12.34.56.78 98.76.54.
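To see exactly what those two files decide, here is an added example (written for this thread, not code from the poster or from the tcp_wrappers package) that implements the hosts_access(5) lookup order over the two file bodies above: a hosts.allow match grants, otherwise a hosts.deny match refuses, otherwise access is granted. It covers the patterns the reply uses plus the net/mask, domain-suffix and EXCEPT forms from the man page. The file contents are embedded as constructed sample input; in practice the check only runs at all if sshd was built against libwrap or is started through tcpd/xinetd, which is why it may appear to do nothing on a box where neither is true.

```python
"""Evaluate tcpwrappers hosts.allow / hosts.deny decisions (added example, not from the thread).

Covers ALL, a trailing-dot numeric prefix (98.76.54.), a leading-dot domain suffix
(.example.com), net/mask or CIDR networks, exact hostnames or addresses, and EXCEPT.
"""
import ipaddress


def _parse_rules(text):
    """Turn a hosts.allow/hosts.deny body into (daemon_list, client_list) token pairs."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if line.endswith("\\"):                   # backslash continues the entry
            logical += line[:-1]
            continue
        logical += line
        fields = [f.strip() for f in logical.split(":")]
        if len(fields) >= 2 and fields[0]:
            rules.append((fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split()))
        logical = ""
    return rules


def _client_matches(pattern, ip, hostname):
    """One client pattern against a connecting address and its (optional) resolved name."""
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("."):                         # ".foo.com": hostname suffix
        return hostname is not None and hostname.lower().endswith(p)
    if p.endswith("."):                           # "98.76.54.": numeric prefix
        return ip.startswith(p)
    if "/" in p:                                  # "n.n.n.n/m.m.m.m" or CIDR
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
    if hostname is not None and p == hostname.lower():
        return True
    return p == ip


def _list_matches(tokens, match_one):
    """Evaluate a token list; 'A EXCEPT B' matches when A matches and B does not."""
    lowered = [t.lower() for t in tokens]
    if "except" in lowered:
        i = lowered.index("except")
        return _list_matches(tokens[:i], match_one) and not _list_matches(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)


def hosts_access(daemon, ip, allow_text, deny_text, hostname=None):
    """True if tcpwrappers would let `ip` reach `daemon`, given the two file bodies."""
    def matches(rules):
        return any(
            _list_matches(daemons, lambda d: d.lower() in ("all", daemon.lower()))
            and _list_matches(clients, lambda c: _client_matches(c, ip, hostname))
            for daemons, clients in rules)
    if matches(_parse_rules(allow_text)):
        return True
    if matches(_parse_rules(deny_text)):
        return False
    return True


# The two files proposed in the thread, embedded here as constructed sample input.
HOSTS_ALLOW = "SSHD: foo.com 12.34.56.78 98.76.54.\n"
HOSTS_DENY = "SSHD: ALL\n"

if __name__ == "__main__":
    for client in ("12.34.56.78", "98.76.54.200", "198.51.100.9"):
        print(client, "sshd:", hosts_access("sshd", client, HOSTS_ALLOW, HOSTS_DENY),
              "ftp:", hosts_access("in.ftpd", client, HOSTS_ALLOW, HOSTS_DENY))
```

Note that the deny entry names only SSHD, so a client refused for sshd is still granted for in.ftpd, which is exactly the "other services untouched" property the original question asks for.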
Thanks for the reply.
I've been playing around with the hosts files before and I tried your suggestion, but that didn't stop people from connecting and logging on from a different IP. Most likely because the box I tried it on didn't use xinetd to start services. So are there any other ways to secure the shell that are more generic? Maybe editing the iptables to only allow specific IPs on port 22? But I'm not sure how to do that myself.
In the sshd_config file you can use AllowUsers for only specific usernames no matter the IP address:
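AllowUsers also goes one step further than the reply states, which fits the follow-up question in this thread: per sshd_config(5), a pattern of the form USER@HOST checks the user and the originating host separately, and HOST may be an address in CIDR address/masklen form. The fragment below is an added example, not the poster's configuration; the account names and addresses are made up.

```text
# /etc/ssh/sshd_config (added example): each account may only log in from its own address
AllowUsers alice@192.0.2.10 bob@192.0.2.11 carol@198.51.100.0/24

# Any user/host pair not matching a pattern is refused and sshd logs that the user is
# not listed in AllowUsers. Check the effective value before restarting:
#   sshd -T | grep -i allowusers
```

Unlike iptables, this still lets the TCP connection and the key or password exchange happen, so it restricts who may log in rather than who may talk to the daemon.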
Of course, that's done already, but I need these accounts to only be able to log on from a specified IP.
Only got 3 accounts, so I need to add 3 IPs that are valid to use SSHD.
Run as root
Code:
iptables -A INPUT -p tcp -m tcp --dport 22 --source <allowed_host_1> -j ACCEPT
Pay attention that your IP trust must not be the only protection.
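The ACCEPT rule above only opens port 22 for one host; on its own it refuses nobody, because the INPUT chain's default policy still decides what happens to everyone else. The added example below (written for this thread, not the poster's script) builds the complete ordered set for the three-address case: keep established sessions, accept each trusted source, then DROP the rest on the SSH port only, so apache, glftpd and other services are untouched. The addresses are constructed placeholders, and the script only prints the commands unless --apply is given, which needs root.

```python
"""Build the iptables rules that admit SSH only from trusted sources (added example, not from the thread)."""
import ipaddress
import subprocess
import sys


def parse_sources(sources):
    """Validate trusted sources as IPv4 addresses or networks (CIDR or net/mask); de-duplicate them."""
    nets = set()
    for s in sources:
        try:
            net = ipaddress.ip_network(s, strict=False)
        except ValueError:
            raise ValueError(f"not an IPv4 address or network: {s!r}") from None
        if net.version != 4:
            raise ValueError(f"IPv6 source needs ip6tables, not iptables: {s!r}")
        nets.add(net)
    return sorted(nets)


def ssh_allowlist_rules(sources, port=22, iptables="iptables"):
    """Return the iptables commands (argv lists) in the order they must be appended."""
    if not sources:
        raise ValueError("refusing to build a rule set with no trusted source (it would lock everyone out)")
    base = [iptables, "-A", "INPUT", "-p", "tcp", "--dport", str(port)]
    rules = [
        # Packets of sessions that already exist stay accepted, including the session you are
        # typing this from, so a forgotten own address cannot cut that session off mid-change.
        base + ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]
    for net in parse_sources(sources):
        rules.append(base + ["-s", str(net), "-j", "ACCEPT"])
    # The rule the one-liner omits: anyone not matched above gets no SSH at all.
    rules.append(base + ["-j", "DROP"])
    return rules


def apply_rules(rules):
    """Run the commands as root; stop at the first failure so a half-applied set is visible."""
    for argv in rules:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Usage: python ssh_allowlist.py [--apply] SOURCE [SOURCE ...]   (prints only, unless --apply)
    args = sys.argv[1:]
    rules = ssh_allowlist_rules([a for a in args if a != "--apply"])
    for argv in rules:
        print(" ".join(argv))
    if "--apply" in args:
        apply_rules(rules)
```

Because the rules are appended with -A, an earlier rule that already accepts port 22 from anywhere would still win; check `iptables -L INPUT -n --line-numbers` first. DROP makes refused clients wait for a timeout; `-j REJECT --reject-with tcp-reset` is the polite alternative if you prefer an immediate refusal.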