How can I block IP address range with sshd_config
Brad Smith
usernamenumber at gmail.com
Tue Jul 27 21:13:28 UTC 2004
Since this thread has sort of become a collection of ways by which one
can restrict access to a system, let me suggest another. If you are
interested in restricting access in general, not just via ssh, I have
the following in the config file for pam_access
(/etc/security/access.conf on FC1):
-:ALL EXCEPT remotees:ALL EXCEPT LOCAL
This denies access ("-") to any user who is not a member of the
remotees group ("ALL EXCEPT REMOTEES") only if they are accessing the
machine by a non-local means ("ALL EXCEPT LOCAL"). Local means
actually sitting in front of the machine.
You could fine-tune things to fit your needs and probably modify
/etc/pam.d/sshd to load pam_access with an sshd-specific config file
if you needed to.
...or you could use one of the other fine methods put forward. Ain't
Linux grand (if a bit overwhelming at times)? =;)
Good luck,
--Brad
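A small evaluator for the pam_access rule quoted above, added here as an illustration (it is not pam_access itself and not Brad's code): it models the subset of /etc/security/access.conf syntax the message uses (permission:users:origins, ALL, EXCEPT, group names, LOCAL), plus the dotted network-prefix origin form pam_access also documents, so you can see which (user, origin) pairs the line denies. Group membership is a constructed sample instead of /etc/group.

```python
# Constructed sample group data standing in for /etc/group.
GROUPS = {"remotees": {"amy", "michael"}}

# The rule from the message above.
RULE = "-:ALL EXCEPT remotees:ALL EXCEPT LOCAL"

def _parse_field(field):
    """Split 'a b EXCEPT c d' into (include_list, except_list)."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []

def _user_matches(item, user):
    # An item names either a user or a group the user belongs to.
    return item == "ALL" or item == user or user in GROUPS.get(item, set())

def _origin_matches(item, origin):
    # LOCAL: an origin with no '.' (a tty, not a host) counts as local.
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin
    # A host name, or a network prefix ending in '.' such as 211.182.241.
    return origin == item or (item.endswith(".") and origin.startswith(item))

def _field_matches(field, value, matcher):
    include, exclude = _parse_field(field)
    return (any(matcher(i, value) for i in include)
            and not any(matcher(e, value) for e in exclude))

def parse_rules(text):
    """Parse access.conf lines (keywords expected uppercase, as in the message)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (p.strip() for p in line.split(":", 2))
        rules.append((perm == "+", users, origins))
    return rules

def access_allowed(rules, user, origin):
    """First matching rule wins; with no matching rule pam_access permits."""
    for allow, users, origins in rules:
        if (_field_matches(users, user, _user_matches)
                and _field_matches(origins, origin, _origin_matches)):
            return allow
    return True
```

With the sample groups, amy (a remotee) gets in from anywhere, guest is refused from a remote address but not from a local tty.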
On Tue, 27 Jul 2004 12:56:40 -0500, Jeff Vian <jvian10 at charter.net> wrote:
> On Tue, 2004-07-27 at 11:43, Michael Sullivan wrote:
> > I've been reading over the hosts.deny man page to get some ideas, but
> > I'm unclear on how to implement them. I know what I want to do, but I
> > don't know how to do it. I want to allow all connections from my five
> > users, those being acsacx, amy, michael, wayne and zack, unless those
> > requests come from 211.182.241.* These acceptable accounts will likely
> > only log in through ssh. I want to deny 211.182.241.* unconditionally.
> > Can anyone give me an example of a hosts.allow/hosts.deny setup that
> > would do this?
> >
>
> ALL: 211.182.241.0/255.255.255.0
>
> (I believe there are other working syntaxes for the line as well.)
> put into the hosts.deny file would deny all access to hosts in the range
> you listed for all services that use tcp wrappers for access control.
> and would leave all other access unrestricted.
>
> IMHO a simpler and better way would be to use a rule in iptables that
> would deny access to all hosts in that range. It then applies to all
> connection attempts, not just those using tcp wrappers.
>
> >
> > On Tue, 2004-07-27 at 11:12, Michael Sullivan wrote:
> > > The kiddies using their script file to try to hack into my systems
> > > through sshd using accounts guest and test tried again yesterday. This
> > > morning I opened up the man page for sshd_config in Konqueror (the
> > > colour coding is very nice) and discovered how I could deny access
> > > through ssh from all accounts except the accounts that might use it
> > > (this excludes guest and test). The other day I went in to each of the
> > > user accounts and modified their .bashrc file so that when they log in
> > > it asks them to change their password and boot them out. This will work
> > > for now because for now the enemy script is only trying to inquire about
> > > the nonexistent guest and test accounts. The IP addresses they try to
> > > log in from vary slightly, but for the most part I think the first three
> > > octets are the same. I looked through the man page for sshd_config for
> > > a way to block their IP, but I couldn't find it. Does anyone here know
> > > how to do this?
> >
> The AllowUsers option in the /etc/ssh/sshd_config file can be used to
> explicitly specify a list of those users who can use ssh, (If used, NO
> other users can connect with ssh.) You also can specify connection with
> a key and a passphrase if you wish to better control authorized access.
>
> man sshd_config is your friend, as well as reading the comments in the
> default /etc/ssh/sshd_config file.
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list