I'm a newbie to Linux and just started using SuSE 9.1 Personal.
I have the SSH server up and running.
I would like to restrict access to the SSH server by IP address.
For example, only a computer with an IP of 111.222.333.444 is allowed
to access the SSH server. Or, computers with IPs that start with
111.222.333.xxx are allowed to access the SSH server.
I've tried setting this option in the /etc/sysconfig/SuSEfirewall2 file:
# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesnt matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
# Please note that a trusted host/net is *not* allowed to ping the firewall
# until you set it to allow also icmp!
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, seperated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS="192.168.1.103,ssh"
I stopped and restarted the firewall using these commands:
However, I was still able to connect to the SSH server from 192.168.1.102 which, according to the firewall rule, I shouldn't have been able to do. Any suggestions?
Thanks for replying. Here are the results of some different options I've tried so far:
FW_TRUSTED_NETS="192.168.1.103,22"
(still able to log into SSH server from 192.168.1.102)
FW_TRUSTED_NETS="192.168.1.103,22"
(error: the third parameter is for use with tcp, udp, and icmp only in FW_TRUSTED_NETS -> 192.168.1.103,ssh,22)
FW_TRUSTED_NETS="192.168.1.103,tcp,22"
(still able to log into SSH server from 192.168.1.102)
At this point, I think crozewski's theory is correct: that the computer doesn't understand that all other IP addresses should NOT be trusted. Any suggestions?
After searching through the SuSEfirewall2 config file, it doesn't look like there's an option to DENY anything, unfortunately. Does this restricted access by IP need to be set up somewhere in the SSH server and not in the firewall?
I have to write the following in my HOSTS.DENY file (that's right, .DENY and not .ALLOW!)
in order to restrict access by IP address to my SSH server:
sshd:192.168.1.100:allow
sshd:all:deny
It was like the computer wasn't even reading the hosts.allow file.
So I tried using the hosts.deny file instead and bingo, it works now.
I can restrict access to the SSH server by IP.
So my next question is: how come SuSE isn't reading the hosts.allow file?
Is there a way I can test to make sure that SuSE really isn't reading the hosts.allow file?
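Added example, not part of the thread: a small shell model of the decision the tcp_wrappers library (hosts_access(5)) makes when sshd is linked against libwrap, run against constructed copies of hosts.allow and hosts.deny rather than the real files under /etc. It reproduces the working hosts.deny layout from the post above and puts it next to the conventional allow/deny split and the prefix form ("192.168.1.") the first post asked about. The model covers only the ALL wildcard, exact addresses and trailing-dot prefixes; the real library also understands netmasks, hostnames, EXCEPT lists and more. The FW_TRUSTED_NETS firewall setting quoted earlier only grants extra access to listed hosts, so the denial has to come from somewhere else, and the wrapper files are that place.

```shell
#!/bin/sh
# Model of the tcp_wrappers (hosts_access(5)) decision order:
#   1. first matching line in hosts.allow -> allow (unless the line ends in :deny)
#   2. else first matching line in hosts.deny -> deny (unless the line ends in :allow)
#   3. else -> allow
# Step 3 is why a hosts.allow with no companion hosts.deny never locks anyone out,
# which looks exactly like "the file is not being read".

# Does a client pattern match this client address?
# Handles ALL (any case), an exact address, and the "192.168.1." prefix form.
match_client() {
  pat=$1; client=$2
  case $(printf '%s' "$pat" | tr '[:lower:]' '[:upper:]') in
    ALL) return 0 ;;
  esac
  case "$pat" in
    *.) case "$client" in "$pat"*) return 0 ;; esac ;;
    *)  [ "$pat" = "$client" ] && return 0 ;;
  esac
  return 1
}

# Print the verdict of the first line in file $1 that matches daemon $2 and
# client $3; $4 is the verdict when the line carries no :allow/:deny option.
# Prints nothing when no line matches.
file_verdict() {
  file=$1; daemon=$2; client=$3; default=$4
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" |
  while IFS=: read -r dlist clist opt; do
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
      case $(printf '%s' "$d" | tr '[:lower:]' '[:upper:]') in
        ALL) ;;
        *)   [ "$d" = "$daemon" ] || continue ;;
      esac
      for c in $(printf '%s' "$clist" | tr ',' ' '); do
        match_client "$c" "$client" || continue
        opt=$(printf '%s' "$opt" | tr -d '[:space:]')
        case "$opt" in
          allow|deny) printf '%s\n' "$opt" ;;
          *)          printf '%s\n' "$default" ;;
        esac
        break 3
      done
    done
  done
}

# Full decision for one daemon/client pair: prints "allow" or "deny".
hosts_access() {
  daemon=$1; client=$2; allow_file=$3; deny_file=$4
  v=$(file_verdict "$allow_file" "$daemon" "$client" allow)
  if [ -z "$v" ]; then
    v=$(file_verdict "$deny_file" "$daemon" "$client" deny)
  fi
  printf '%s\n' "${v:-allow}"
}

# Constructed sample files (NOT the system's real /etc/hosts.allow and /etc/hosts.deny).
ALLOW_EMPTY=$(mktemp); ALLOW_ONLY=$(mktemp); ALLOW_SUBNET=$(mktemp)
DENY_EMPTY=$(mktemp);  DENY_POSTER=$(mktemp); DENY_ALL=$(mktemp)
trap 'rm -f "$ALLOW_EMPTY" "$ALLOW_ONLY" "$ALLOW_SUBNET" "$DENY_EMPTY" "$DENY_POSTER" "$DENY_ALL"' EXIT

# The layout that worked in the thread: both lines in hosts.deny.
cat >"$DENY_POSTER" <<'EOF'
sshd:192.168.1.100:allow
sshd:all:deny
EOF

# The conventional split: one host (or the whole 192.168.1. prefix) in
# hosts.allow, and sshd closed to everyone else in hosts.deny.
printf 'sshd: 192.168.1.100\n' >"$ALLOW_ONLY"
printf 'sshd: 192.168.1.\n'    >"$ALLOW_SUBNET"
printf 'sshd: ALL\n'           >"$DENY_ALL"

show() { printf '%-7s from %-15s -> %s\n' "$1" "$2" "$(hosts_access "$@")"; }
show sshd   192.168.1.100 "$ALLOW_EMPTY"  "$DENY_POSTER"   # allow: the poster's working setup
show sshd   192.168.1.102 "$ALLOW_EMPTY"  "$DENY_POSTER"   # deny
show sshd   192.168.1.102 "$ALLOW_ONLY"   "$DENY_EMPTY"    # allow: hosts.allow alone denies nobody
show sshd   192.168.1.102 "$ALLOW_ONLY"   "$DENY_ALL"      # deny
show sshd   192.168.1.77  "$ALLOW_SUBNET" "$DENY_ALL"      # allow: prefix match
show vsftpd 192.168.1.102 "$ALLOW_ONLY"   "$DENY_ALL"      # allow: the rules only name sshd
```

Two checks on a real system answer the last question in the post without guesswork: `ldd $(which sshd) | grep libwrap` shows whether this sshd was built with tcp_wrappers support at all (if libwrap is absent, neither file is consulted), and `tcpdmatch sshd 192.168.1.102` from the tcp_wrappers package prints which line of which file matched, or that access was granted by default.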