Friday, July 25, 2008

How To Allow and Deny SSH Access To Selected Hosts and IP Addresses

With a default OpenSSH installation, sshd accepts connections from any client. Access can instead be restricted to particular hosts and IP addresses, so that only known machines can reach the SSH login prompt, which reduces unauthorized SSH login attempts.

SSH Access Restrictions via TCP Wrapper

Step One

1. Back up and modify /etc/hosts.allow

# nano -w /etc/hosts.allow

Allow and Deny SSH Access to Specific Hosts / IP Addresses

To allow SSH access from IP address 83.83.83.83, modify /etc/hosts.allow to contain the following line

sshd: 83.83.83.83

Each line has the form daemon_list : client_list, and access is granted when both parts match: the connection is to the SSH daemon (sshd) and it comes from 83.83.83.83.

To allow SSH access from all hosts and subdomains under the parent domain yahoo.com (a leading dot matches any host name ending in .yahoo.com)

sshd:  .yahoo.com

To grant SSH access to multiple IP addresses, list them on the same line separated by spaces

sshd: 83.83.83.83 127.0.0.1 83.83.83.84 192.168.1.1

To allow SSH access from every address that begins with a given prefix (trailing dot)

sshd: 192.168.

To allow SSH access from a network given as address/netmask

sshd: 192.168.1.0/255.255.255.0

To use an asterisk (*) in /etc/hosts.allow

sshd: *.yahoo.com

To specify a large set of IP addresses and known hosts from a file, give the file's absolute path

sshd:  /etc/allowed.txt

To specify multiple hosts and IP addresses with an exemption, use the EXCEPT operator

sshd: .yahoo.com EXCEPT search.yahoo.com

To allow access to everyone under the .yahoo.com domain except 83.83.83.83

sshd: *.yahoo.com EXCEPT 83.83.83.83

To specify several SSH access rules, use one line per rule

sshd: 111.111.111.111

sshd: 222.222.222.222

If these rules appear in /etc/hosts.allow, TCP wrappers grants the request; if the same lines appear in /etc/hosts.deny, TCP wrappers denies it. /etc/hosts.allow is consulted first, so an entry there takes precedence over /etc/hosts.deny.

Step Two

To deny SSH access from every client not listed in /etc/hosts.allow, back up and modify /etc/hosts.deny, adding the line below (the daemon list comes first, then the client list)

sshd: ALL

Save and exit.

All is done.
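The following Python is an added example, not code from the original post: a small evaluator that applies the hosts_access(5) semantics described above (exact, leading-dot, trailing-dot, address/netmask and EXCEPT client patterns, with /etc/hosts.allow consulted before /etc/hosts.deny) to constructed rule sets, so a rule file can be checked offline before it is deployed. It also shows why the daemon list must come first in /etc/hosts.deny: sshd: ALL refuses every unlisted client, while a reversed ALL: sshd refuses nothing for sshd. All host names and addresses are constructed; pattern files and the * wildcard are not implemented.

```python
import ipaddress

def match_pattern(pattern, host, addr):
    """Match one hosts_access(5) client pattern. host: the client's reverse-DNS name
    (None if unresolved); addr: its IPv4 string. File lists and * are not handled."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):             # leading dot: host-name suffix, e.g. .yahoo.com
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):               # trailing dot: address prefix, e.g. 192.168.
        return addr.startswith(pattern)
    return pattern == addr or pattern == host   # exact address or exact host name

def match_list(client_list, host, addr):
    """Evaluate a client list, honouring 'list_1 EXCEPT list_2'."""
    tokens = client_list.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(" ".join(tokens[:i]), host, addr)
                and not match_list(" ".join(tokens[i + 1:]), host, addr))
    return any(match_pattern(t, host, addr) for t in tokens)

def rules_match(rules_text, daemon, host, addr):
    """True if any 'daemon_list : client_list' line in the file text matches."""
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if daemon in daemons.split() or "ALL" in daemons.split():
            if match_list(clients, host, addr):
                return True
    return False

def access_granted(hosts_allow, hosts_deny, daemon, host, addr):
    """hosts.allow match grants; else hosts.deny match refuses; else grant."""
    if rules_match(hosts_allow, daemon, host, addr):
        return True
    return not rules_match(hosts_deny, daemon, host, addr)

# Constructed rule sets (sample data) using the patterns discussed above.
ALLOW = """sshd: 83.83.83.83 127.0.0.1
sshd: .yahoo.com EXCEPT search.yahoo.com
sshd: 192.168.1.0/255.255.255.0
"""
DENY = "sshd: ALL\n"            # correct: daemon list first, then client list
DENY_REVERSED = "ALL: sshd\n"   # misconfiguration: refuses nothing for sshd
```

Call access_granted(ALLOW, DENY, "sshd", host, addr) for a client you expect to be refused; if it returns True with DENY_REVERSED substituted, the deny file is not protecting sshd at all.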

ILoveTux - howtos and news