Operating System - HP-UX
Restricting IPs with ssh

Hi,

In an attempt to tighten up our security, I have installed ssh and allowed telnet only from specific ips (inetd.sec)

Can I restrict IP addresses for ssh as I have done for telnet?
Mark Grant
Honored Contributor

Re: Restricting IPs with ssh

There should be an entire sshd configuration file in /etc in which you can do this. However, if your sshd is started from inetd, then you can use inetd.sec instead if you prefer.
Never precede any demonstration with anything more predictive than "watch this"
Fabio Ettore
Honored Contributor

Re: Restricting IPs with ssh

Hi,

You can restrict IPs (and more) in /etc/hosts.allow and /etc/hosts.deny.
Pasted from a doc in the knowledge base:

First configure /etc/hosts.deny as follows:

sshd : ALL

Next configure /etc/hosts.allow as follows:

sshd : rhino.rose.hp.com
sshd : 192.168.20.0/255.255.248.0

You can use IP ranges, hostnames or network numbers in these files.

I hope this helps you.

Best regards,
Ettore
WISH? IMPROVEMENT!

Re: Restricting IPs with ssh

Hi,

Mark, thanks for the response. I tried inetd.sec first, but this requires a service name e.g. telnet (one that exists in the /etc/services file) and ssh does not exist in this file. Therefore I cannot use inetd.sec to restrict IPs for ssh. Or am I wrong?

I tried the hosts.allow and it works. Many thanks. Can I use IP ranges & wildcards here?
Fabio Ettore
Honored Contributor

Re: Restricting IPs with ssh

Yes Vinesh,

you can use IP ranges, hostnames or network numbers in these files.

Best regards,
Ettore
WISH? IMPROVEMENT!

Re: Restricting IPs with ssh

Hi Ettore,

Terribly sorry to but...

I tried using a range as I do in inetd.sec, e.g. 123.456.789.111-115, but this does not work in hosts.allow. I did a man on hosts.allow and I got no info. My search on ITRC also proved futile in this regard.
If I need to use a range what would the syntax be?
Todd McDaniel_1
Honored Contributor

Re: Restricting IPs with ssh

Vinesh,

Here is a document I found on the internet.

http://ezine.daemonnews.org/200206/hosts_allow.html

This syntax works in hosts.allow

sshd : all : banners=/usr/localcw/opt/sysguard/banners : allow


but you also need to have a line denying all access in hosts.deny...

I would also suggest adding these lines to hosts.allow as well....


ftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
telnetd : all : banners=/usr/localcw/opt/sysguard/banners : allow
tftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
logind : all : banners=/usr/localcw/opt/sysguard/banners : allow
rlogind : all : banners=/usr/localcw/opt/sysguard/banners : allow
remshd : all : banners=/usr/localcw/opt/sysguard/banners : allow
rexecd : all : banners=/usr/localcw/opt/sysguard/banners : allow
Unix, the other white meat.
Todd McDaniel_1
Honored Contributor

Re: Restricting IPs with ssh

No points here, I hit enter too soon.


About halfway down that link it shows syntax for the sshd as follows:

ssh : 10.0.3. : allow
ssh : localhost : allow
ssh : ALL : deny


Here are some options for the second field:

Wild Cards: Wild card options that can be used are:
---ALL: All clients regardless of IP address or domain name.

---PARANOID: Clients that have hostnames that don't match its ident/domain lookup names. This does not apply to machines that do not have any reverse domain lookup names.

---LOCAL: A client that comes from the same machine or domain as the host.

---UNKNOWN: A client that cannot be resolved to anything known.

---KNOWN: A client whose name and addresses can be resolved.
Unix, the other white meat.
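The lookup order and the client-pattern forms discussed in this thread (the hosts.allow-then-hosts.deny order, ALL/LOCAL/KNOWN/UNKNOWN, exact host or address, a trailing-dot address prefix such as 10.0.3., a net/mask such as 192.168.20.0/255.255.248.0, EXCEPT, and a trailing allow/deny option) can be checked offline before touching a live HP-UX box. The following is an added example, not code from the thread, from HP or from the tcp_wrappers project: a small Python evaluator that models hosts_access(5) semantics as I understand them. The sample hosts.allow and hosts.deny files are constructed from the lines quoted above plus one dash "range" line of the kind the original poster tried, and the host names under mgmt.example.test are invented. PARANOID, the per-rule shell commands and the banners= option itself are not modelled (banners= is parsed and ignored).

```python
"""Toy evaluator for tcp_wrappers-style /etc/hosts.allow and /etc/hosts.deny.

Constructed example (not the real library): it models the lookup order and
the client-pattern forms discussed in the thread.  PARANOID and per-rule
shell commands are not modelled; options other than allow/deny are ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Rule:
    daemons: str             # daemon_list, e.g. "sshd" or "ALL"
    clients: str             # client_list, e.g. "10.0.3. EXCEPT 10.0.3.9"
    verdict: Optional[bool]  # True/False if the rule ends in allow/deny, else None
    text: str                # the rule as written, for reporting


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option ...]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        verdict = None
        for opt in fields[2:]:           # e.g. banners=/some/dir, allow, deny
            if opt.lower() == "allow":
                verdict = True
            elif opt.lower() == "deny":
                verdict = False
        rules.append(Rule(fields[0], fields[1], verdict, line))
    return rules


def _client_matches(pattern: str, ip: str, hostname: Optional[str]) -> bool:
    """Match one client pattern against the connecting address / resolved name."""
    up = pattern.upper()
    if up == "ALL":
        return True
    if up == "KNOWN":
        return hostname is not None
    if up == "UNKNOWN":
        return hostname is None
    if up == "LOCAL":                      # a host name without a dot
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):            # domain suffix, e.g. .rose.hp.com
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):              # address prefix, e.g. 10.0.3.
        return ip.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 192.168.20.0/255.255.248.0
        net, mask = pattern.split("/", 1)
        # strict=False: 192.168.20.0 has host bits set under /21, it means 192.168.16.0/21
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    # Anything else is a literal host name or address.  A dash "range" such as
    # 10.0.0.111-115 is not a tcp_wrappers form: it is compared literally and never matches.
    return pattern == ip or (hostname is not None and pattern.lower() == hostname.lower())


def _list_matches(list_str: str, match_one: Callable[[str], bool]) -> bool:
    """Comma/space separated list with right-associative EXCEPT."""
    tokens = list_str.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(" ".join(tokens[:i]), match_one)
                and not _list_matches(" ".join(tokens[i + 1:]), match_one))
    return any(match_one(t) for t in tokens)


def hosts_access(daemon: str, ip: str, allow_text: str, deny_text: str,
                 hostname: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Return (allowed, matching rule text or None).

    Order as in hosts_access(5): the first match in hosts.allow grants (unless the
    rule carries a deny option); otherwise the first match in hosts.deny refuses
    (unless it carries allow); otherwise access is granted.
    """
    def matches(rule: Rule) -> bool:
        return (_list_matches(rule.daemons, lambda d: d.upper() == "ALL" or d == daemon)
                and _list_matches(rule.clients, lambda c: _client_matches(c, ip, hostname)))

    for rule in parse_rules(allow_text):
        if matches(rule):
            return (True if rule.verdict is None else rule.verdict, rule.text)
    for rule in parse_rules(deny_text):
        if matches(rule):
            return (False if rule.verdict is None else rule.verdict, rule.text)
    return (True, None)


# Constructed sample files, built from the lines quoted in the thread.
HOSTS_DENY = "sshd : ALL\n"
HOSTS_ALLOW = """\
sshd : rhino.rose.hp.com
sshd : 192.168.20.0/255.255.248.0
sshd : 10.0.3. : banners=/usr/localcw/opt/sysguard/banners : allow
sshd : 172.16.5.111-115        # constructed: looks like a range but is a literal
sshd : .mgmt.example.test EXCEPT badhost.mgmt.example.test
"""

if __name__ == "__main__":
    for client in ("192.168.17.5", "192.168.24.1", "10.0.3.77", "172.16.5.112"):
        print(client, hosts_access("sshd", client, HOSTS_ALLOW, HOSTS_DENY))
```

Running the block prints one verdict per constructed client; the 172.16.5.112 case shows why the dash range from the earlier post silently denies everything it was meant to admit, since the literal never matches and the sshd : ALL line in hosts.deny then applies.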
Fabio Ettore
Honored Contributor

Re: Restricting IPs with ssh

Hi Vinesh,

I hope that Todd's links help you; they describe the wildcard possibilities in /etc/hosts.allow and /etc/hosts.deny.

Best regards,
Ettore
WISH? IMPROVEMENT!