
#1 2006-08-20 00:01:32

jskier
Member
From: Minnesota, USA
Registered: 2003-07-30
Posts: 383

Restricting ssh over Internet to specific networks

Hello,

I would like to secure SSH more so than it already is (root is off, login attempts are limited). I still get people from Holland and Thailand trying to get in, and would like to limit access to local public libraries and my cable company (the ranges I have already figured out). I have found some stuff on google already but would like to know fellow Archers' ideas or what they have implemented.

Currently all access in the hosts.allow file is allowed (I run several other local and Internet wide services). I use my router's firewall to do the firewalling of my services but it won't allow me to set hosts.

Any help would be greatly appreciated, thank you.


--
JSkier


#2 2006-08-20 01:09:26

elasticdog
Member
From: Washington, USA
Registered: 2005-05-02
Posts: 995

Re: Restricting ssh over Internet to specific networks

Why not just restrict access specifically for <code>sshd</code> in your <code>hosts.allow</code> file? That way your other services won't be affected. Mine, for instance, looks something like this:

#
# /etc/hosts.allow
#

# Allow ssh access to the local network
sshd: 192.168.1.0/255.255.255.0

# Restrict outside SSH access to Purdue University IP addresses
sshd: 128.210.0.0/255.255.0.0
sshd: 128.211.0.0/255.255.0.0

# End of file

If you're having numerous break-in attempts, I've also found that denyhosts is extremely effective and easy to set up.  It's available in the extra repo.


#3 2006-08-20 20:06:22

jskier
Member
From: Minnesota, USA
Registered: 2003-07-30
Posts: 383

Re: Restricting ssh over Internet to specific networks

I set up the denyhosts app, sounds promising. Upon running it I got a good deny list already, I'll see how that holds up. Thanks for the heads up on that.


--
JSkier


#4 2006-08-29 02:04:18

soloport
Member
Registered: 2005-03-01
Posts: 442

Re: Restricting ssh over Internet to specific networks

Interesting.  Have recently seen an old Red Hat server with syntax:
sshd: 192.168.1.0/255.255.255.0: ALLOW

But this syntax doesn't work with Arch (must omit ': ALLOW').  Why?
sshd: 192.168.1.0/255.255.255.0



#5 2006-08-29 02:28:05

elasticdog
Member
From: Washington, USA
Registered: 2005-05-02
Posts: 995

Re: Restricting ssh over Internet to specific networks

That's a good question Solo...especially considering the deny file uses that syntax:

#
# /etc/hosts.deny
#

ALL: ALL: DENY

# End of file

Have you tested it with the "<code>: ALLOW</code>" in there and had it fail?  I would think it would be fine.  Perhaps it just assumes that based on the file name (<code>hosts.allow</code> versus <code>hosts.deny</code>)?


#6 2006-08-29 13:51:12

soloport
Member
Registered: 2005-03-01
Posts: 442

Re: Restricting ssh over Internet to specific networks

Red Hat hosts.allow:
sshd: 71.92.136.60: ALLOW << chg. to protect... me!
sshd: 192.168.1.: ALLOW
sshd: localhost: ALLOW
sshd: ALL: DENY

Red Hat hosts.deny:
<EMPTY>

Arch hosts.allow:
sshd: 71.92.136.60
sshd: 192.168.0.0/255.255.255.0
sshd: localhost

Arch hosts.deny:
sshd: ALL: DENY

After much messing about with Arch, the above is what finally worked -- having "borrowed" my Red Hat setup from a two-year-old box. Perhaps tcp wrapper has changed in two years? :)

I just remember it working, right after I removed the ': ALLOW' text, and then I just moved on. Also remember removing the text because of an example I found in Arch Forums.

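The three layouts in this thread (elasticdog's hosts.allow plus an `ALL: ALL: DENY` hosts.deny, soloport's Red Hat single-file style with `: ALLOW` / `: DENY`, and his Arch two-file style) behave differently depending on how libwrap was built, which is what the `: ALLOW` question comes down to. The following is an added example, not code from any of the posts or from the tcp_wrappers package: a small Python model of the hosts_access(5) evaluation order (hosts.allow first, then hosts.deny, then permit) with the client patterns used above. The `: ALLOW` / `: DENY` keywords belong to the hosts_options(5) extension, which the real library honours only when compiled with `-DPROCESS_OPTIONS`; without it the third field is a shell command to spawn, not a verdict. The `process_options` flag, the function names and the rule texts below are this example's own constructions (the outside address 203.0.113.9 is a constructed documentation-range address).

```python
"""Model of tcpd / libwrap host access control (hosts_access(5)), IPv4 only.

Added example for this thread; not code from the posts or from tcp_wrappers.
It reproduces the evaluation order (hosts.allow, then hosts.deny, then permit),
the client patterns used in the thread, and the hosts_options(5) ALLOW/DENY
keywords, which the real library honours only when built with -DPROCESS_OPTIONS.
"""
import ipaddress


def _client_matches(pattern, client_ip, client_host):
    """Match one client pattern against the connecting client."""
    pat = pattern.strip()
    if pat == "ALL":
        return True
    if pat == "LOCAL":                      # hostnames without a dot
        return "." not in client_host
    if "/" in pat:                          # net/mask, e.g. 128.210.0.0/255.255.0.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pat, strict=False)
    if pat.endswith("."):                   # leading-octet prefix, e.g. 192.168.1.
        return client_ip.startswith(pat)
    if pat.startswith("."):                 # domain suffix, e.g. .example.edu
        return client_host.lower().endswith(pat.lower())
    return pat == client_ip or pat.lower() == client_host.lower()


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2].upper() if len(fields) > 2 else None  # case folded in this model
        rules.append((daemons, clients, option))
    return rules


def _first_match(rules, daemon, client_ip, client_host):
    """Return (matched, option) for the first rule naming this daemon and client."""
    for daemons, clients, option in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(_client_matches(c, client_ip, client_host) for c in clients):
            return True, option
    return False, None


def hosts_access(allow_text, deny_text, daemon, client_ip, client_host="",
                 process_options=False):
    """Return True if the client may talk to `daemon`.

    process_options=True models a library built with -DPROCESS_OPTIONS, where a
    trailing ALLOW/DENY keyword overrides the file's implicit verdict. With it
    False, the third field is not a verdict at all (the classic library treats
    it as a shell command to spawn), so the file's implicit verdict stands.
    """
    for text, implicit in ((allow_text, True), (deny_text, False)):
        matched, option = _first_match(parse_rules(text), daemon, client_ip, client_host)
        if matched:
            if process_options and option in ("ALLOW", "DENY"):
                return option == "ALLOW"
            return implicit
    return True   # no rule in either file matched: tcpd grants access


# elasticdog's layout (post #2) with the hosts.deny from post #5
ALLOW_PURDUE = """
sshd: 192.168.1.0/255.255.255.0
sshd: 128.210.0.0/255.255.0.0
sshd: 128.211.0.0/255.255.0.0
"""
DENY_ALL = "ALL: ALL: DENY\n"

# soloport's Red Hat single-file layout (post #6); its hosts.deny is empty
ALLOW_REDHAT = """
sshd: 71.92.136.60: ALLOW
sshd: 192.168.1.: ALLOW
sshd: localhost: ALLOW
sshd: ALL: DENY
"""

# soloport's Arch two-file layout (post #6)
ALLOW_ARCH = """
sshd: 71.92.136.60
sshd: 192.168.0.0/255.255.255.0
sshd: localhost
"""
DENY_ARCH = "sshd: ALL: DENY\n"

if __name__ == "__main__":
    print(hosts_access(ALLOW_PURDUE, DENY_ALL, "sshd", "128.210.5.6"))        # True
    print(hosts_access(ALLOW_PURDUE, DENY_ALL, "sshd", "203.0.113.9"))        # False
    # ALL: ALL: DENY in hosts.deny also blocks every other wrapped service
    print(hosts_access(ALLOW_PURDUE, DENY_ALL, "vsftpd", "203.0.113.9"))      # False
    # the single-file layout only denies when ALLOW/DENY are processed
    print(hosts_access(ALLOW_REDHAT, "", "sshd", "203.0.113.9", process_options=True))   # False
    print(hosts_access(ALLOW_REDHAT, "", "sshd", "203.0.113.9", process_options=False))  # True
    # the two-file layout needs no options support; the deny line names only sshd
    print(hosts_access(ALLOW_ARCH, DENY_ARCH, "sshd", "192.168.1.5"))         # False
    print(hosts_access(ALLOW_ARCH, DENY_ARCH, "vsftpd", "203.0.113.9"))       # True
```

Two things the model makes visible that the config listings alone do not: `ALL: ALL: DENY` in hosts.deny closes every wrapped service, so jskier's other services would each need their own hosts.allow line under that layout; and the Red Hat single-file style degrades to "allow everything" on a library that does not process options, because `sshd: ALL: DENY` in hosts.allow is then just an `sshd: ALL` match. The two-file Arch layout, where the only verdict-carrying line lives in hosts.deny, gives the same result either way, which is why dropping `: ALLOW` worked. Note also that the Arch listing's mask line covers 192.168.0.x while the Red Hat prefix covered 192.168.1.x.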
