topic Re: Restricting IPs with ssh in Operating System - HP-UX

Restricting IPs with ssh

Vinesh Dhevcharran_1 — Wed, 03 Dec 2003 06:35:46 GMT

Hi,

In an attempt to tighten up our security, I have installed ssh and allowed telnet only from specific ips (inetd.sec)

Can I restrict IP addresses for ssh as I have done for telnet?

Re: Restricting IPs with ssh

Mark Grant — Wed, 03 Dec 2003 06:40:16 GMT

There should be an entire sshd configuration file in /etc in which you can do this. However, if your sshd is started from inetd, then you can use inetd.sec instead if you prefer.

Re: Restricting IPs with ssh

Fabio Ettore — Wed, 03 Dec 2003 06:45:13 GMT

Hi,

you can restrict IP (and more) into /etc/hosts.allow and /etc/hosts.deny.
Past from a doc in knowledge base:

First configure /etc/hosts.deny as follows:

sshd : ALL

Next configure /etc/hosts.allow as follows:

sshd : rhino.rose.hp.com
sshd : 192.168.20.0/255.255.248.0

You can use IP ranges, hostnames or network numbers in these files.

I hope this helps you.

Best regards,
Ettore

Re: Restricting IPs with ssh

Vinesh Dhevcharran_1 — Wed, 03 Dec 2003 07:10:39 GMT

Hi,

Mark, thanks for the response. I tried inetd.sec first, but this requires a service name e.g. telnet (one that exists in the /etc/services file) and ssh does not exist in this file. Therefore I cannot use inetd.sec to restrict IPs for ssh. Or am I wrong?

I tried the hosts.allow and it works. Many thanks. Can I use IP ranges & wildcards here?

Re: Restricting IPs with ssh

Fabio Ettore — Wed, 03 Dec 2003 07:55:52 GMT

Yes Vinesh,

you can use IP ranges, hostnames or network numbers in these files.

Best regards,
Ettore

Re: Restricting IPs with ssh

Vinesh Dhevcharran_1 — Wed, 03 Dec 2003 08:53:29 GMT

Hi Ettore,

Terribly sorry to but...

I tried using a range as I do in inetd.sec e.g 123.456.789.111-115 but this does not work in hosts.allow. I did a man on hosts.allow and I got no info. My search on ITRC also proved futile in this reguard.
If I need to use a range what would the syntax be?

Re: Restricting IPs with ssh

Todd McDaniel_1 — Wed, 03 Dec 2003 11:04:40 GMT

Vinesh,

here is a document I found on the internet.

http://ezine.daemonnews.org/200206/hosts_allow.html

This syntax works in hosts.allow

sshd : all : banners=/usr/localcw/opt/sysguard/banners : allow

but you also need to have a line denying all access in hosts.deny...

I would also suggest adding these lines to hosts.allow as well....

ftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
telnetd : all : banners=/usr/localcw/opt/sysguard/banners : allow
tftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
logind : all : banners=/usr/localcw/opt/sysguard/banners : allow
rlogind : all : banners=/usr/localcw/opt/sysguard/banners : allow
remshd: all : banners=/usr/localcw/opt/sysguard/banners : allow
rexecd : all : banners=/usr/localcw/opt/sysguard/banners : allow

Re: Restricting IPs with ssh

Todd McDaniel_1 — Wed, 03 Dec 2003 11:09:03 GMT

no points here i hit enter too soon.

About half way down that link it shows syntax for the sshd as follows:

ssh : 10.0.3. : allow
ssh : localhost : allow
ssh : ALL : deny

Here are some options for the 2nd field..

Wild Cards: Wild card options that can be used are:
---ALL: All clients regardless of IP address or domain name.

---PARANOID: Clients that have hostnames that don't match its ident/domain lookup names. This does not apply to machines that do not have any reverse domain lookup names.

---LOCAL: A client that comes from the same machine or domain as the host.

---UNKNOWN: A client that cannot be resolved to anything known.

---KNOWN: A client who's name and addresses can be resolved.

Re: Restricting IPs with ssh

Fabio Ettore — Thu, 04 Dec 2003 05:30:26 GMT

Hi Vinesh,

I hope that Todd's links help you, there are described wildcard possibilities on /etc/hosts.allow and /etc/hosts.deny.

Best regards,
Ettore