Solved

Allow access to SSH for certain IPs

Posted on 2012-04-04
6
636 Views
Last Modified: 2012-04-22
Hi,

what is the best way to deny access to ssh for every body except certain IPs. Looking for a way that's the easiest to configure, like editing a single file

Can I use iptables and put all IPs in a file? or hosts.allow? How do I deny access for every body?
0
Comment
Question by:Dennie
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 11

Expert Comment

by:legolasthehansy
ID: 37806614
On /etc/hosts.deny

sshd: ALL EXCEPT 192.168.0.2

The above denies all except 192.168.0.2. You don't need a restart as the settings are read once you save the file.
0
 

Author Comment

by:Dennie
ID: 37806791
what if I want to add 5 more IPs?
0
 
LVL 11

Accepted Solution

by:
legolasthehansy earned 167 total points
ID: 37806956
sshd: ALL EXCEPT 192.168.0.2, 192.168.0.3, 192.168.0.4 etc..

Or

sshd: ALL EXCEPT 192.168.0.1/255.255.255.0
to exclude the 192.168.0.1 network
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 5

Assisted Solution

by:1ly4me
1ly4me earned 167 total points
ID: 37807229
For TCP wrappers,
/etc/hosts.deny
sshd : all except 192.168.0.0/24

This will only allow network 192.168.0.0 to access SSH

For IPtables.
#iptables -I INPUT -p tcp ! -s 192.168.0.0/24 --dport=22 -j REJECT
0
 
LVL 3

Expert Comment

by:rickygm
ID: 37828164
Hi, I make by means of firewall or iptables

in shorewall like this

ACCEPT          net:XXX.XXX.XXX.XXX   $FW                   tcp     ssh

iptables other example

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

http://wiki.centos.org/HowTos/Network/IPTables

regardss
0
 
LVL 4

Assisted Solution

by:senseifedon
senseifedon earned 166 total points
ID: 37846025
Hi;
iptables -I INPUT -p tcp --dport 22 -s 123.123.123.123 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j DROP

Open in new window


123.123.123.123 should been your exception ip.

Good luck. Or you can use fail2ban. It's allow you to ban ip address after some (you can arrange value) unauthorized tries.
0

Featured Post

[Webinar] Code, Load, and Grow

Managing multiple websites, servers, applications, and security on a daily basis? Join us for a webinar on May 25th to learn how to simplify administration and management of virtual hosts for IT admins, create a secure environment, and deploy code more effectively and frequently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
rDNS on single IP and multiple domains 11 77
unix shell script 4 39
leap year shell script 10 50
Linux: using  awk and print inside cURL 4 48
Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Fine Tune your automatic Updates for Ubuntu / Debian
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question