How can I block IP address range with sshd_config

Brad Smith usernamenumber at gmail.com
Tue Jul 27 21:13:28 UTC 2004


Since this thread has sort of become a collection of ways by which one
can restrict access to a system, let me suggest another. If you are
interested in restricting access in general, not just via ssh, I have
the following in the config file for pam_access
(/etc/security/access.conf on FC1):

-:ALL EXCEPT remotees:ALL EXCEPT LOCAL

This denies access ("-") to any user who is not a member of the
remotees group ("ALL EXCEPT REMOTEES") only if they are accessing the
machine by a non-local means ("ALL EXCEPT LOCAL"). Local means
actually sitting in front of the machine.

You could fine-tune things to fit your needs and probably modify
/etc/pam.d/sshd to load pam_access with an sshd-specific config file
if you needed to.

...or you could use one of the other fine methods put forward. Ain't
Linux grand (if a bit overwhelming at times)? =;)

Good luck,
--Brad

On Tue, 27 Jul 2004 12:56:40 -0500, Jeff Vian <jvian10 at charter.net> wrote:
> On Tue, 2004-07-27 at 11:43, Michael Sullivan wrote:
> > I've been reading over the hosts.deny man page to get some ideas, but
> > I'm unclear on how to implement them.  I know what I want to do, but I
> > don't know how to do it.  I want to allow all connections from my five
> > users, those being acsacx, amy, michael, wayne and zack, unless those
> > requests come from 211.182.241.*  These acceptable accounts will likely
> > only log in through ssh.  I want to deny 211.182.241.* unconditionally.
> > Can anyone give me an example of a hosts.allow/hosts.deny setup that
> > would do this?
> >
> 
> ALL:    211.182.241.0/255.255.255.0
> 
> (I believe there are other working syntaxes for the line as well.)
> put into the hosts.deny file would deny all access to hosts in the range
> you listed for all services that use tcp wrappers for access control.
> and would leave all other access unrestricted.
> 
> IMHO a simpler and better way would be to use a rule in iptables that
> would deny access to all hosts in that range.  It then applies to all
> connection attempts, not just those using tcp wrappers.
> 
> >
> > On Tue, 2004-07-27 at 11:12, Michael Sullivan wrote:
> > > The kiddies using their script file to try to hack into my systems
> > > through sshd using accounts guest and test tried again yesterday.  This
> > > morning I opened up the man page for sshd_config in Konqueror (the
> > > colour coding is very nice) and discovered how I could deny access
> > > through ssh from all accounts except the accounts that might use it
> > > (this excludes guest and test).  The other day I went in to each of the
> > > user accounts and modified their .bashrc file so that when they log in
> > > it asks them to change their password and boot them out.  This will work
> > > for now because for now the enemy script is only trying to inquire about
> > > the nonexistent guest and test accounts.  The IP addresses they try to
> > > log in from vary slightly, but for the most part I think the first three
> > > octets are the same.  I looked through the man page for sshd_config for
> > > a way to block their IP, but I couldn't find it.  Does anyone here know
> > > how to do this?
> > 
> The AllowUsers option in the /etc/ssh/sshd_config file can be used to
> explicitly specify a list of those users who can use ssh, (If used, NO
> other users can connect with ssh.)  You also can specify connection with
> a key and a passphrase if you wish to better control authorized access.
> 
> man sshd_config is your friend, as well as reading the comments in the
> default /etc/ssh/sshd_config file.
> 
> 
> 
> 
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
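Since the thread explains the posted access.conf line in prose only, here is an added Python model (written for this page, not pam_access's own code and not from any poster) that evaluates rules of the form `permission:users:origins` with ALL, EXCEPT, group names and LOCAL, so the effect of that line can be checked case by case. It assumes the classic pam_access reading of LOCAL (an origin string without a dot, such as a tty name) and first-match-wins evaluation with access granted when no rule matches.

```python
# Toy evaluator for pam_access-style rules (constructed for this thread;
# it is not the real pam_access module and models only the subset used here).

# The rule quoted from the thread.
RULE = "-:ALL EXCEPT remotees:ALL EXCEPT LOCAL"


def _item_matches(item, names, origin_is_local):
    """One list item: ALL, LOCAL, or a user/group/host name. A group written
    as (group), as newer pam_access allows, is matched by its bare name."""
    if item == "ALL":
        return True
    if item == "LOCAL":
        return origin_is_local
    return item.strip("()") in names


def _field_matches(field, names, origin_is_local=False):
    """A field is 'list' or 'list EXCEPT list': it matches when the first
    list matches and the EXCEPT list (if any) does not."""
    include, _, exclude = field.partition(" EXCEPT ")

    def any_hit(items):
        return any(_item_matches(i, names, origin_is_local) for i in items.split())

    return any_hit(include) and not any_hit(exclude)


def parse_rule(line):
    """Split 'permission:users:origins' into its three stripped fields."""
    permission, users, origins = (f.strip() for f in line.split(":", 2))
    return permission, users, origins


def check_access(rules, user, groups, origin):
    """Return True if access is granted. First matching rule decides;
    if no rule matches, pam_access grants access (assumed default)."""
    names = {user, *groups}
    origin_is_local = "." not in origin  # classic LOCAL semantics (assumption)
    for line in rules:
        permission, users, origins = parse_rule(line)
        if _field_matches(users, names) and _field_matches(origins, {origin}, origin_is_local):
            return permission == "+"
    return True


if __name__ == "__main__":
    # Constructed sample cases: a remotees member over the network, a
    # non-member over the network, and a non-member at the local console.
    for who, grp, src in [("bob", {"remotees"}, "192.0.2.10"),
                          ("alice", set(), "192.0.2.10"),
                          ("alice", set(), "tty1")]:
        print(who, grp, src, "->", "allow" if check_access([RULE], who, grp, src) else "deny")
```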