Solved

Allow access to SSH for certain IPs

Posted on 2012-04-04
6
Medium Priority
639 Views
Last Modified: 2012-04-22
Hi,

What is the best way to deny access to SSH for everybody except certain IPs? Looking for a way that's the easiest to configure, like editing a single file.

Can I use iptables and put all IPs in a file? Or hosts.allow? How do I deny access for everybody?
0
Question by:Dennie
6 Comments
 
LVL 11

Expert Comment

by:legolasthehansy
ID: 37806614
On /etc/hosts.deny

sshd: ALL EXCEPT 192.168.0.2

The above denies all except 192.168.0.2. You don't need a restart as the settings are read once you save the file.
0
 

Author Comment

by:Dennie
ID: 37806791
what if I want to add 5 more IPs?
0
 
LVL 11

Accepted Solution

by:legolasthehansy
legolasthehansy earned 668 total points
ID: 37806956
sshd: ALL EXCEPT 192.168.0.2, 192.168.0.3, 192.168.0.4 etc.

Or

sshd: ALL EXCEPT 192.168.0.1/255.255.255.0
to exclude the 192.168.0.1 network
0
 
LVL 5

Assisted Solution

by:1ly4me
1ly4me earned 668 total points
ID: 37807229
For TCP wrappers,
/etc/hosts.deny
sshd : all except 192.168.0.0/24

This will only allow network 192.168.0.0 to access SSH

For iptables:
#iptables -I INPUT -p tcp ! -s 192.168.0.0/24 --dport=22 -j REJECT
0
 
LVL 3

Expert Comment

by:rickygm
ID: 37828164
Hi, I do it by means of a firewall or iptables.

In Shorewall, like this:

ACCEPT          net:XXX.XXX.XXX.XXX   $FW                   tcp     ssh

Another iptables example:

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

http://wiki.centos.org/HowTos/Network/IPTables

regards
0
 
LVL 4

Assisted Solution

by:senseifedon
senseifedon earned 664 total points
ID: 37846025
Hi,
# With -I each rule is inserted at the top of the chain, so insert the DROP first and the ACCEPT second;
# in the opposite order the DROP would sit above the ACCEPT and lock out the exception IP as well.
iptables -I INPUT -p tcp --dport 22 -j DROP
iptables -I INPUT -p tcp --dport 22 -s 123.123.123.123 -j ACCEPT


123.123.123.123 should be your exception IP.

Good luck. Or you can use fail2ban. It allows you to ban an IP address after some number (you can set the value) of unauthorized tries.
0
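The asker wanted the allow list kept in a single file; the answers above show the two mechanisms (TCP wrappers in /etc/hosts.deny, and iptables) but not how to drive both from one list, or how to avoid the rule-ordering mistakes that lock an admin out. The script below is an added example and is not code posted by anyone in this thread. It assumes a hypothetical allow-list file (one IPv4 address or CIDR per line, `#` comments allowed) at a path given by ALLOWLIST, and sshd on port 22. It validates and de-duplicates the entries, prints the hosts.deny line in the net/mask form the accepted answer uses, and prints an iptables ruleset that lives in its own chain so it can be re-run after every edit without stacking duplicate rules. Nothing is applied: the output is meant to be reviewed first and then piped to `sh` as root. Two checks worth doing before relying on this: TCP wrappers only work if your sshd was built with libwrap (upstream OpenSSH dropped that support in 6.7; `ldd "$(command -v sshd)" | grep libwrap` shows whether your build still has it), and the loopback and ESTABLISHED rules are there precisely so the session you are applying the rules from does not get cut off.

```shell
#!/bin/sh
# Added example (not posted by anyone in this thread): build the SSH allow-list
# from one file, emitting both the hosts.deny line and an iptables ruleset.
# Assumptions (not from the thread): the allow list lives at ALLOWLIST, one
# IPv4 address or CIDR per line, '#' comments permitted; sshd listens on
# SSH_PORT. Nothing is applied: the functions print commands for review.
set -f                                             # no globbing while splitting on '.'
ALLOWLIST="${ALLOWLIST:-/etc/ssh-allowlist.txt}"   # hypothetical path
SSH_PORT="${SSH_PORT:-22}"

# valid_cidr ENTRY: accept "a.b.c.d" or "a.b.c.d/n" (octets 0-255, n 0-32).
valid_cidr() {
    case "$1" in
        */*) ip=${1%/*}; plen=${1#*/} ;;
        *)   ip=$1;      plen=32 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# read_allowlist FILE: strip comments and whitespace, validate, de-duplicate.
read_allowlist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
    while read -r entry; do
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done | awk '!seen[$0]++'
}

# prefix_to_mask N: 24 -> 255.255.255.0 (the net/mask form TCP wrappers accept).
prefix_to_mask() {
    p=$1; mask=
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then octet=255; p=$((p - 8))
        elif [ "$p" -le 0 ]; then octet=0
        else octet=$((256 - (1 << (8 - p)))); p=0
        fi
        mask="${mask:+$mask.}$octet"
    done
    printf '%s' "$mask"
}

# hosts_deny_line FILE: the /etc/hosts.deny rule in the accepted answer's form.
hosts_deny_line() {
    list=
    for e in $(read_allowlist "$1"); do
        case "$e" in */*) e="${e%/*}/$(prefix_to_mask "${e#*/}")" ;; esac
        list="${list:+$list, }$e"
    done
    printf 'sshd: ALL EXCEPT %s\n' "$list"
}

# iptables_rules FILE: print an idempotent ruleset. The dedicated chain is
# flushed and refilled, so re-running after an edit never stacks duplicates,
# and the order (loopback, established, allow list, DROP) is fixed by the
# script rather than by the order the commands happen to be typed in.
iptables_rules() {
    printf 'iptables -N SSH_ALLOW 2>/dev/null || iptables -F SSH_ALLOW\n'
    printf 'iptables -A SSH_ALLOW -i lo -j ACCEPT\n'
    printf 'iptables -A SSH_ALLOW -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for e in $(read_allowlist "$1"); do
        printf 'iptables -A SSH_ALLOW -s %s -j ACCEPT\n' "$e"
    done
    printf 'iptables -A SSH_ALLOW -j DROP\n'
    # Hook the chain into INPUT once; the -C check avoids adding a second jump.
    printf 'iptables -C INPUT -p tcp --dport %s -j SSH_ALLOW 2>/dev/null || ' "$SSH_PORT"
    printf 'iptables -I INPUT -p tcp --dport %s -j SSH_ALLOW\n' "$SSH_PORT"
}

# Usage: review the output, then apply as root:  iptables_rules "$ALLOWLIST" | sh
if [ -f "$ALLOWLIST" ]; then
    hosts_deny_line "$ALLOWLIST"
    iptables_rules "$ALLOWLIST"
fi
```

Invalid lines in the file are reported on stderr and skipped rather than silently turned into a rule, and a duplicate entry is emitted once, so the generated chain stays as short as the list itself.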