LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-09-2004, 10:01 PM   #1
ZilverZtream
LQ Newbie
 
Registered: Jul 2003
Location: Stockholm, SWEDEN
Distribution: Slackware 9.0
Posts: 6
Securing SSH


Hi.

I'd like some help on securing SSH.
What I'd like is to just let some specified IP addresses use it and just deny everyone else access.

How would I do this? (Without denying those IP addresses access to other services running on the box, such as Apache, glftpd, etc.)

Cheers,
Z
 
Old 12-09-2004, 10:58 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
The most common methods are iptables or tcpwrappers (/etc/hosts.allow and /etc/hosts.deny). Using tcpwrappers is probably the easiest and most flexible. So to limit access to sshd use:

In /etc/hosts.deny put:
SSHD: ALL

Say we want to allow one system by hostname (foo.com), another system with the IP address 12.34.56.78, and the entire 98.76.54.X netblock. We would then put the following in the /etc/hosts.allow file:

SSHD: foo.com 12.34.56.78 98.76.54.
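The hosts.allow/hosts.deny approach only works if sshd actually consults tcp_wrappers, that is, if the binary is linked against libwrap or is started through tcpd/xinetd; upstream OpenSSH dropped libwrap support in 6.7, so on newer builds the answer depends on the distribution. The script below is an added example, not code from the post or from OpenSSH: it checks an sshd binary for libwrap by parsing ldd output, then builds the two files from an allow list, refusing an empty list (which would lock everyone out, since hosts.allow is consulted before hosts.deny). The ldd lines and addresses used for the demonstration are constructed, and nothing under /etc is written.

```sh
#!/bin/sh
# Added example, not from the thread: tcp_wrappers only governs sshd when
# sshd is linked against libwrap (or is started via tcpd/xinetd). Check that
# first; a hosts.deny rule that nothing consults is no protection at all.
# Upstream OpenSSH dropped libwrap support in 6.7, so the answer is build-
# dependent. The ldd lines and addresses below are constructed samples.

# Reads ldd(1) output on stdin; prints "yes" if libwrap is linked, else "no".
ldd_has_libwrap() {
    if grep -q 'libwrap\.so'; then
        echo yes
    else
        echo no
    fi
}

# Same check for a binary on disk (assumes ldd is on PATH).
binary_uses_libwrap() {
    ldd "$1" 2>/dev/null | ldd_has_libwrap
}

# Builds one hosts.allow rule: "daemon: client client ..." (blank-separated,
# as hosts_access(5) permits). A trailing-dot entry like 98.76.54. matches a
# whole netblock; a leading dot matches a domain suffix.
hosts_allow_rule() {
    daemon=$1; shift
    printf '%s: %s\n' "$daemon" "$*"
}

# Writes hosts.deny ("daemon: ALL") and hosts.allow into directory $1 for
# daemon $2 with the remaining arguments as clients. Refuses an empty allow
# list: hosts.allow is checked first, so "sshd: ALL" in hosts.deny with no
# matching allow entry denies every client, including you.
write_tcpwrap_rules() {
    dir=$1; daemon=$2; shift 2
    [ $# -gt 0 ] || { echo "refusing to write an empty allow list" >&2; return 1; }
    printf '%s: ALL\n' "$daemon" > "$dir/hosts.deny" || return 1
    hosts_allow_rule "$daemon" "$@" > "$dir/hosts.allow"
}

# Stand-alone run: report the local sshd, then show the rules in a temp dir
# (nothing under /etc is touched; copy the files there yourself as root).
for sshd in /usr/sbin/sshd /usr/local/sbin/sshd; do
    [ -x "$sshd" ] && echo "$sshd libwrap: $(binary_uses_libwrap "$sshd")"
done
demo=$(mktemp -d) && write_tcpwrap_rules "$demo" sshd foo.com 12.34.56.78 98.76.54. \
    && cat "$demo/hosts.deny" "$demo/hosts.allow" && rm -rf "$demo"
```

If the libwrap check prints "no" and sshd is started directly from an init script rather than from xinetd, the files are simply never read; that is exactly the situation where the rules appear to "not work". Hostname entries such as foo.com also depend on reverse DNS at connection time, so addresses and netblocks are the more dependable form.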
 
Old 12-10-2004, 09:46 AM   #3
ZilverZtream
LQ Newbie
 
Registered: Jul 2003
Location: Stockholm, SWEDEN
Distribution: Slackware 9.0
Posts: 6

Original Poster
Thanks for the reply.

I've played around with the hosts files before and I tried your suggestion, but that didn't stop people from connecting and logging on from a different IP.
Most likely because the box I tried it on didn't use xinetd to start services.

So are there any other, more generic ways to secure the shell?
Maybe editing the iptables rules to only allow specific IPs on port 22? But I'm not sure how to do that myself.
 
Old 12-10-2004, 12:36 PM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,702
In the sshd_config file you can use AllowUsers to allow only specific usernames, no matter the IP address.
 
Old 12-10-2004, 02:47 PM   #5
ZilverZtream
LQ Newbie
 
Registered: Jul 2003
Location: Stockholm, SWEDEN
Distribution: Slackware 9.0
Posts: 6

Original Poster
Of course, that's done already, but I need these accounts to only be able to log on from a specified IP.
I've only got 3 accounts, so I need to add 3 IPs that are valid to use SSHD.
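AllowUsers does more than the previous post lets on: sshd_config accepts USER@HOST patterns, so the per-account source restriction asked for here can be enforced by sshd itself, independent of libwrap or xinetd. The script below is an added example, not code from the thread or from OpenSSH; it builds the AllowUsers line from "user@address" pairs, rejects empty or malformed input (an AllowUsers line with no valid user locks every account out), and syntax-checks the result with sshd -t when an sshd binary is present. The account names, addresses and output path are constructed placeholders; nothing under /etc is changed unless you point it there.

```sh
#!/bin/sh
# Added example, not from the thread. sshd_config's AllowUsers accepts
# USER@HOST patterns, so sshd itself can pin each account to a source address,
# with no dependence on libwrap or xinetd. The accounts and addresses are
# constructed placeholders; the output path is whatever you pass in, so
# nothing under /etc changes unless you point it there.

# Turns "user@host" pairs into one AllowUsers line. HOST may be an IP, a
# hostname, or a pattern (192.0.2.*); anyone not listed is refused by sshd
# whatever credentials they present. Rejects malformed or empty input, since
# an AllowUsers line with no valid user locks every account out.
allowusers_line() {
    [ $# -gt 0 ] || { echo "empty AllowUsers would lock everyone out" >&2; return 1; }
    for pair in "$@"; do
        case $pair in
            ?*@?*) ;;
            *) echo "bad entry, want user@host: $pair" >&2; return 1 ;;
        esac
    done
    printf 'AllowUsers %s\n' "$*"
}

# Writes the line to $1 and, when sshd is installed, syntax-checks the file.
# Run the check as root: sshd -t also reads the host keys.
write_allowusers_config() {
    out=$1; shift
    allowusers_line "$@" > "$out" || return 1
    for sshd in /usr/sbin/sshd /usr/local/sbin/sshd; do
        if [ -x "$sshd" ]; then
            # -t: test mode (parse and exit); -f: which config file to test
            "$sshd" -t -f "$out" && echo "syntax ok: $out"
            return
        fi
    done
    echo "sshd not found, wrote $out without a syntax check"
}

# Stand-alone run: three accounts, each allowed from exactly one address.
write_allowusers_config "${1:-/tmp/sshd_allowusers.conf}" \
    alice@192.0.2.10 bob@192.0.2.11 carol@198.51.100.7 \
    || echo "syntax check failed, see messages above" >&2
```

After merging the line into the real sshd_config and reloading, `sshd -T -C user=alice,addr=192.0.2.10` prints the effective configuration for that user and source, which is a quick way to confirm the restriction is in place. Unlike the hosts.deny approach, this check is done by sshd for every connection, so it cannot be bypassed by starting sshd a different way.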
 
Old 12-10-2004, 03:33 PM   #6
shy
Member
 
Registered: Dec 2002
Location: Russia
Distribution: ASP linux
Posts: 94
Run as root
Code:
# Accept SSH (TCP port 22) from each allowed source address in turn
iptables -A INPUT -p tcp -m tcp --dport 22 --source <allowed_host_1> -j ACCEPT
...
iptables -A INPUT -p tcp -m tcp --dport 22 --source <allowed_host_N> -j ACCEPT
# Then drop SSH from everyone else; this rule must come after the ACCEPT rules
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
This will drop any incoming packets to port 22 that were sent from IP addresses not in the list.
Keep in mind that trusting IP addresses must not be your only protection.
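The rules above are appended one at a time, so they depend on nothing earlier in INPUT already accepting port 22, and a typo in an address is only discovered when you are locked out. The script below is an added example, not code from the post: it generates the same policy as an iptables-restore fragment in a dedicated chain, inserts the jump at the top of INPUT so an earlier blanket ACCEPT cannot shadow it, accepts only IPv4 addresses or CIDR blocks (hostnames are resolved once at load time, which is a trap), and loads it with --noflush after saving a backup. The addresses are constructed placeholders; the chain name SSH_ALLOW and the backup path are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset that
# admits SSH only from an allow list and drops the rest on port 22, leaving
# every other service untouched. Addresses below are constructed placeholders.
# Rules are printed, not applied, unless you call apply_ssh_ruleset as root.

# Prints a filter-table fragment for TCP port $1 allowing the remaining
# arguments (IPv4 addresses or CIDR blocks only). Hostnames are rejected on
# purpose: iptables resolves them once at load time, so the rule would silently
# pin to whatever the name pointed at then.
ssh_ruleset() {
    port=$1; shift
    [ $# -gt 0 ] || { echo "empty allow list would block all SSH" >&2; return 1; }
    for src in "$@"; do
        case $src in
            *[!0-9./]*|''|*..*|/*|*/) echo "not an IPv4 address or CIDR: $src" >&2; return 1 ;;
        esac
    done
    echo '*filter'
    # Dedicated chain; with --noflush an existing SSH_ALLOW is flushed and
    # rebuilt, so reloading with a changed list replaces the old entries.
    echo ':SSH_ALLOW - [0:0]'
    # All SSH packets go to the chain, inserted at position 1 of INPUT so
    # an earlier blanket ACCEPT cannot shadow it.
    echo "-I INPUT 1 -p tcp --dport $port -j SSH_ALLOW"
    for src in "$@"; do
        echo "-A SSH_ALLOW -s $src -j ACCEPT"
    done
    echo '-A SSH_ALLOW -j DROP'
    echo 'COMMIT'
}

# Loads the ruleset without flushing existing rules; saves a backup first.
# Keep a second session open while you do this: a wrong address locks you
# out the moment COMMIT runs, and the backup is your way back.
apply_ssh_ruleset() {
    backup=/root/iptables.before-ssh-allow
    iptables-save > "$backup" || return 1
    ssh_ruleset "$@" | iptables-restore --noflush || {
        echo "load failed; restore with: iptables-restore < $backup" >&2
        return 1
    }
    echo "applied; to roll back: iptables-restore < $backup"
}

# Stand-alone run: just print what would be loaded.
ssh_ruleset 22 192.0.2.10 198.51.100.0/24
```

Because the jump is inserted with -I, loading the fragment a second time adds a second jump to INPUT; remove the old one with `iptables -D INPUT -p tcp --dport 22 -j SSH_ALLOW` before reloading, or check with `iptables -L INPUT -n --line-numbers`. This filters IPv4 only; if the host is reachable over IPv6, the same fragment must be loaded with ip6tables-restore using IPv6 addresses, or port 22 stays open on that path.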
 