Linux - Security | This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-10-2007, 01:05 PM | #1 | Member | Registered: Jan 2007 | Posts: 32
SSH on main IP only
I am hosting DNS servers, a Web server, and a POP3/SMTP server on my VPS. I can access SSH through all of these IPs. For security reasons, I want to only allow SSH on the main IP (which only I have - I don't use the main VPS IP for anything but SSH).
I can't seem to find a "bind IP" option in ssh_config or in the manpages for it. Does such an option exist?
Thanks!
Splenden
01-10-2007, 01:17 PM | #2 | Senior Member | Registered: Aug 2003 | Location: Glasgow | Distribution: Fedora / Solaris | Posts: 3,109
Hi.
Have a look in 'man sshd_config' for the 'ListenAddress' option.
Dave
01-10-2007, 01:27 PM | #3 | Member | Registered: Jan 2007 | Posts: 32 | Original Poster
Thank you. I missed that.
Splenden
01-10-2007, 01:35 PM | #4 | Member | Registered: Jan 2007 | Posts: 32 | Original Poster
I added this to ssh_config (it was not in there at all, I checked):
ListenAddress my.ip.address.here:22
However, it did not work after I did a reload (/etc/init.d/sshd reload) and then, if I try to ssh out to another location from it, I get:
/etc/ssh/ssh_config: line 3: Bad configuration option: ListenAddress
/etc/ssh/ssh_config: terminating, 1 bad configuration options
It's not a CR/LF error, I edited it in nano on that machine.
Thanks!
Splenden
01-10-2007, 02:15 PM | #5 | Senior Member | Registered: Nov 2004 | Location: Texas | Distribution: RHEL, Scientific Linux, Debian, Fedora | Posts: 3,935
ssh_config is for your client ssh software. sshd_config is for your daemon sshd software.
Are you trying to restrict to a network interface for the client or the daemon?
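The distinction in this post is the whole story of the thread: ListenAddress is a daemon keyword, so in ssh_config it is a "Bad configuration option", while in sshd_config it decides which sockets sshd binds. The Python below is an added example (not from the thread and not OpenSSH code) that models how sshd expands Port and ListenAddress into concrete address/port pairs, including the default of listening on every address when no ListenAddress is present at all, which is what happens when the line lands in the wrong file. The config text and the 203.0.113.10 address are constructed placeholders.

```python
"""Work out which address/port pairs an sshd_config makes sshd listen on,
from its Port and ListenAddress directives. Added example for this thread,
not OpenSSH code; the sample configs and IPs below are constructed."""
from typing import List, Optional, Tuple

DEFAULT_PORT = 22
ALL_ADDRESSES = ["0.0.0.0", "::"]  # what sshd binds when no ListenAddress is given


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Return (keyword, value) pairs; keywords are case-insensitive in sshd_config."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line: {raw!r}")
        pairs.append((parts[0].lower(), parts[1].strip()))
    return pairs


def split_listen_address(value: str) -> Tuple[str, Optional[int]]:
    """Split a ListenAddress value into (host, port or None).
    Forms per sshd_config(5): host, host:port, [ipv6]:port, and a bare IPv6 literal."""
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    if value.count(":") == 1:  # exactly one colon means host:port (IPv6 literals have more)
        host, port = value.split(":")
        return host, int(port)
    return value, None


def effective_listeners(text: str) -> List[Tuple[str, int]]:
    """Expand the config into the concrete (address, port) sockets sshd will open."""
    ports: List[int] = []
    listeners: List[Tuple[str, int]] = []
    for key, value in parse_directives(text):
        if key == "port":
            if listeners:
                # sshd applies only the Port directives that precede a port-less
                # ListenAddress, and current releases reject a Port placed after one
                raise ValueError("Port must be specified before ListenAddress")
            ports.append(int(value))
        elif key == "listenaddress":
            host, port = split_listen_address(value)
            if port is not None:
                listeners.append((host, port))
            else:
                listeners.extend((host, p) for p in (ports or [DEFAULT_PORT]))
    if not listeners:
        # The thread's failure mode: a ListenAddress written into ssh_config leaves
        # sshd_config without one, so sshd keeps listening on every address.
        listeners = [(addr, p) for p in (ports or [DEFAULT_PORT]) for addr in ALL_ADDRESSES]
    return listeners


if __name__ == "__main__":
    # Constructed config in the shape the original poster wanted: one address only.
    wanted = "Port 22\nListenAddress 203.0.113.10:22\n"
    print(effective_listeners(wanted))      # [('203.0.113.10', 22)]
    print(effective_listeners("# empty"))   # [('0.0.0.0', 22), ('::', 22)]
```

After editing the real file, `sshd -t` checks the syntax without restarting, and `ss -ltnp | grep sshd` (or `netstat -ltnp` on a 2007-era box) confirms which addresses the running daemon actually bound, which is the check that would have shown the reload in post #4 changed nothing.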
01-10-2007, 08:12 PM | #6 | Member | Registered: Jan 2007 | Posts: 32 | Original Poster
Oh. I'll try sshd_config and report back.
I'm trying to restrict SSH to broadcast on one IP only, which is only known by me (that way, it can only be guessed).
Splenden
02-16-2007, 02:56 PM | #7 | LQ Newbie | Registered: Mar 2005 | Location: NC | Distribution: Red Hat and Novell OES (formerly SUSE), LPI 101 and Net+ | Posts: 25
Thanks!
We got ours working!!!
Our problem was one letter, the d!
Dang!
Be sure that you edit the sshd_config and not ssh_config.
Duh!
B
02-17-2007, 06:10 AM | #8 | Member | Registered: Aug 2004 | Location: India | Distribution: Redhat 9.0,FC3,FC5,FC10 | Posts: 257
You might also want to use /etc/hosts.deny on the 3 servers you're hosting on your VPS. Plus to lock down SSH even further you might want to look at this:
Code:
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
Lastly, wouldn't you want to allow some kind of access to your hosted servers? Maybe SSH access only from your main VPS IP, to troubleshoot in case something goes wrong?
I've never used a VPS though, so is it that you have complete control and can change internal configs of all your other servers by merely logging on to your main VPS IP?
Cheers
Arvind
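The AllowUsers excerpt quoted above describes a small matching language: space-separated user-name patterns, `*` and `?` wildcards, and USER@HOST patterns whose two halves are checked separately. The Python below is an added example (not from the thread and not OpenSSH code) that implements exactly those documented rules, so the effect of a directive can be checked before it is committed to sshd_config; the directive, user names and addresses in it are constructed.

```python
"""Evaluate an AllowUsers directive the way sshd_config(5) describes it:
space-separated user-name patterns, '*' and '?' wildcards, and USER@HOST
patterns whose two halves are checked separately. Added example for this
thread, not OpenSSH code; the directives, users and hosts below are constructed."""
from typing import List, Optional


def glob_match(pattern: str, text: str) -> bool:
    """Match using only '*' (any run of characters) and '?' (one character),
    the two wildcards the man page documents; case-sensitive, no [] classes."""
    if not pattern:
        return text == ""
    if pattern[0] == "*":
        # '*' may swallow zero or more characters; try every split point
        return any(glob_match(pattern[1:], text[i:]) for i in range(len(text) + 1))
    if text and pattern[0] in ("?", text[0]):
        return glob_match(pattern[1:], text[1:])
    return False


def pattern_matches(pattern: str, user: str, host: str) -> bool:
    """USER@HOST patterns check user and host independently; a plain pattern
    checks only the user name. Only names are compared: a numeric UID such as
    1000 is never recognised, exactly as the man page says."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return glob_match(user_pat, user) and glob_match(host_pat, host)
    return glob_match(pattern, user)


def login_allowed(allow_users: Optional[str], user: str, host: str) -> bool:
    """True if sshd would admit `user` connecting from `host`.
    allow_users is the raw directive value, or None when it is not set,
    in which case the default applies and every user may log in."""
    patterns: List[str] = allow_users.split() if allow_users else []
    if not patterns:
        return True
    return any(pattern_matches(p, user, host) for p in patterns)


if __name__ == "__main__":
    # Constructed directive: the admin from anywhere, the deploy user only from one /24.
    directive = "alice deploy@203.0.113.*"
    for user, host in [("alice", "198.51.100.7"), ("deploy", "203.0.113.40"),
                       ("deploy", "198.51.100.7"), ("root", "203.0.113.40")]:
        print(user, host, login_allowed(directive, user, host))
```

The HOST half is matched against the client's address (or its reverse-resolved name), so a pattern that pins a user to one source network is a cheap second layer on top of ListenAddress. On the hosts.deny suggestion, one caveat: that file only governs sshd when sshd was built against tcp_wrappers, and OpenSSH removed that support in 6.7, so on a current system `ldd $(which sshd) | grep libwrap` showing nothing means hosts.deny is silently ignored and AllowUsers or a firewall rule has to carry the restriction instead.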