[TriLUG] Limit ssh access

Donald Ball balld at webslingerZ.com
Tue Jan 22 15:10:38 EST 2002


On Tue, 22 Jan 2002, Kevin Hunter wrote:

> I'm seeing a lot of conflicting tips on the net on how to limit who
> can ssh into my linux ( RH 7.2 ) box.  Maybe it's my general level of
> inexperience, but there doesn't seem t/b a consensus on this.  I've
> read that I should use tcp_wrapper, and that I cannot use tcp_wrapper
> ( I start sshd through a rc.d script, not from inetd/xinetd ).  I've
> seen reference to use "AllowGroups/AllowUsers" in the sshd_config
> file and I've seen comments that you can't use this w/ any version of
> openssh after 1.2 ( I have openssh 2.9p2-7 ).

for maximum security, i'd limit access at several layers:

* use an external firewall to limit access to port 22

* use iptables to limit access to port 22 at the kernel layer

* use tcp wrappers to limit access to sshd

* use sshd's own configuration file to limit access

in your situation, if this is for work and you know which machines are
going to be allowed to connect, i might also turn off automatic discovery
of host keys and manually initialize the host key database with the keys
of the trusted hosts.

- donald
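The four layers Donald lists (minus the external firewall, which is a separate device) rendered as concrete rule and config text, with a small audit of the sshd-level settings. This is an added example and not code from the original post or from the TriLUG thread; it assumes Red Hat 7.2-era iptables and tcp_wrappers syntax, an sshd linked against libwrap (so hosts.allow/hosts.deny apply even when sshd is started from an rc.d script), and the constructed addresses and account names below (RFC 5737 documentation ranges), which are not from the page.

```shell
#!/bin/sh
# Layered ssh access control for a fixed set of trusted clients.
# All addresses and user names here are constructed placeholders.

TRUSTED_HOSTS="192.0.2.10 192.0.2.11 198.51.100.7"   # constructed: machines allowed to reach sshd
ALLOWED_USERS="alice bob"                            # constructed: accounts allowed to log in
SSH_PORT=22

# Layer: kernel packet filter. Accept port 22 only from trusted hosts, drop the rest.
# Prints the commands rather than running them, so it can be reviewed first.
iptables_rules() {
    for h in $TRUSTED_HOSTS; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$SSH_PORT" "$h"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$SSH_PORT"
}

# Layer: tcp_wrappers. hosts.allow is consulted before hosts.deny, so list the
# trusted clients for the sshd daemon there and deny everyone else.
hosts_allow() {
    list=$(printf '%s' "$TRUSTED_HOSTS" | tr ' ' ',')
    printf 'sshd: %s\n' "$list"
}
hosts_deny() {
    printf 'sshd: ALL\n'
}

# Layer: sshd's own configuration. Only named accounts may log in, and never root.
sshd_config_fragment() {
    printf 'AllowUsers %s\n' "$ALLOWED_USERS"
    printf 'PermitRootLogin no\n'
}

# Audit an sshd_config: succeed (0) only if it carries an uncommented
# AllowUsers or AllowGroups line and PermitRootLogin no; fail (1) otherwise.
audit_sshd_config() {
    f=$1
    grep -Eq '^[[:space:]]*Allow(Users|Groups)[[:space:]]+' "$f" || return 1
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$f" || return 1
    return 0
}

# Host-key point from the reply, client side: refuse hosts whose key is not
# already in known_hosts, instead of accepting new keys on first contact.
# known_hosts is then filled by hand from the trusted hosts' public host keys.
ssh_config_fragment() {
    printf 'StrictHostKeyChecking yes\n'
}

# Stand-alone run: print every layer for review.
if [ "${1:-}" = "--show" ]; then
    iptables_rules; echo
    echo '# /etc/hosts.allow'; hosts_allow
    echo '# /etc/hosts.deny';  hosts_deny; echo
    echo '# /etc/ssh/sshd_config'; sshd_config_fragment; echo
    echo '# /etc/ssh/ssh_config';  ssh_config_fragment
fi
```

Run it with `--show` to print the rules and fragments; each layer is independent, so a mistake in one (a typo in hosts.allow, say) is still caught by the others. The audit function is what you would point at `/etc/ssh/sshd_config` after editing to confirm the restriction actually took.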
