Solved

Allow access to SSH for certain IPs

Posted on 2012-04-04
6
629 Views
Last Modified: 2012-04-22
Hi,

what is the best way to deny access to ssh for every body except certain IPs. Looking for a way that's the easiest to configure, like editing a single file

Can I use iptables and put all IPs in a file? or hosts.allow? How do I deny access for every body?
0
Comment
Question by:Dennie
6 Comments
 
LVL 11

Expert Comment

by:legolasthehansy
ID: 37806614
On /etc/hosts.deny

sshd: ALL EXCEPT 192.168.0.2

The above denies all except 192.168.0.2. You don't need a restart as the settings are read once you save the file.
0
 

Author Comment

by:Dennie
ID: 37806791
what if I want to add 5 more IPs?
0
 
LVL 11

Accepted Solution

by:
legolasthehansy earned 167 total points
ID: 37806956
sshd: ALL EXCEPT 192.168.0.2, 192.168.0.3, 192.168.0.4 etc..

Or

sshd: ALL EXCEPT 192.168.0.1/255.255.255.0
to exclude the 192.168.0.1 network
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 5

Assisted Solution

by:1ly4me
1ly4me earned 167 total points
ID: 37807229
For TCP wrappers,
/etc/hosts.deny
sshd : all except 192.168.0.0/24

This will only allow network 192.168.0.0 to access SSH

For IPtables.
#iptables -I INPUT -p tcp ! -s 192.168.0.0/24 --dport=22 -j REJECT
0
 
LVL 3

Expert Comment

by:rickygm
ID: 37828164
Hi, I make by means of firewall or iptables

in shorewall like this

ACCEPT          net:XXX.XXX.XXX.XXX   $FW                   tcp     ssh

iptables other example

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

http://wiki.centos.org/HowTos/Network/IPTables

regardss
0
 
LVL 4

Assisted Solution

by:senseifedon
senseifedon earned 166 total points
ID: 37846025
Hi;
iptables -I INPUT -p tcp --dport 22 -s 123.123.123.123 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j DROP

Open in new window


123.123.123.123 should been your exception ip.

Good luck. Or you can use fail2ban. It's allow you to ban ip address after some (you can arrange value) unauthorized tries.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
reserve ip address for mac address in ubuntu dhcp server 2 72
Linux : taking backup different mount points under the same directory 8 68
Linux VM 6 88
android secure ftp 3 38
If you use Debian 6 Squeeze and you are tired of looking at the childish graphical GDM login screen that is used by default, here's an easy way to change it. If you've already tried to change it you've probably discovered that none of the old met…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question