SSH access limitation ( IP address )

 
SOLVED
Roro_2
Regular Advisor

SSH access limitation ( IP address )

Hi,

I am willing to limit the access of ssh on HPUX 11i server to some IP addresses.
I tried to set the "listen address" option in the sshd_config file, but it did not work.
Please could someone help me.

Roger
12 REPLIES
Ivan Krastev
Honored Contributor
Solution

Re: SSH access limitation ( IP address )

ListenAddress is for ssh daemon if you have more than one IP on the server.

For restrictions use Allow/Deny Groups or use IPFilter to restrict by IP.

See documentation about sshd_config options - http://docs.hp.com/en/T1471-90015/ch01s14.html

and IPFilter admin guide - http://docs.hp.com/en/B9901-90014/index.html


regards,
ivan
Steven E. Protter
Exalted Contributor

Re: SSH access limitation ( IP address )

Shalom Roger,

tcpwrapper from http://software.hp.com can be used to limit ssh access by ip address or hostname.

It is somewhat easier to use than IPFilter which is also a very good solution.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Roro_2
Regular Advisor

Re: SSH access limitation ( IP address )

Hi Ivan,

Where can I find Allow/Deny groups?


Roger
Jeeshan
Honored Contributor

Re: SSH access limitation ( IP address )

You can use /var/adm/inetd.sec to allow or deny specific services by IP address.
a warrior never quits
Ivan Krastev
Honored Contributor

Re: SSH access limitation ( IP address )

Roro:

In file /etc/opt/ssh/sshd_config

After any change restart ssh daemon.


regards,
ivan
Roro_2
Regular Advisor

Re: SSH access limitation ( IP address )

Hi Ivan,

I did not find "Allow/Deny Groups" option in sshd_config.

Roger
Ivan Krastev
Honored Contributor

Re: SSH access limitation ( IP address )

In the link above there are configuration items and explanation - http://docs.hp.com/en/T1471-90015/ch01s14.html

For example, use:
AllowGroups sshusers

where sshusers is a system group.

regards,
ivan
vinodan
Advisor

Re: SSH access limitation ( IP address )

Dear Roro,

If you want to limit certain IPs then you can use the /etc/hosts.allow and /etc/hosts.deny files. Put a + in /etc/hosts.deny which will deny all IP addresses. Then mention the IPs which you want to allow in hosts.allow.

Vinod
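The hosts.allow / hosts.deny approach applied to sshd, as an added example that is not part of the original thread: a small Python evaluator for a subset of hosts_access(5) rules (IPv4 only; no EXCEPT, hostnames or option fields) that shows which client addresses a rule set would admit before it is deployed. The addresses are constructed documentation ranges, the function names are hypothetical, and it assumes the sshd in use is built with TCP wrappers (libwrap) support.

```python
import ipaddress

# Constructed sample rules in hosts_access(5) syntax (documentation addresses).
HOSTS_ALLOW = """
# management hosts allowed to reach sshd
sshd: 192.0.2.10, 198.51.100.0/255.255.255.0
sshd: 10.1.2.
"""
HOSTS_DENY = """
sshd: ALL
"""

def parse(text):
    """Return [(daemon_list, client_list)] for each 'daemons: clients' rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:  # anything after a second ':' (options) is ignored
            rules.append((fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    addr = ipaddress.ip_address(ip)      # raises ValueError on a malformed address
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "10.1.2." matches on leading octets
        return ip.startswith(pattern)
    if "/" in pattern:                   # net/mask form
        return addr in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip                 # exact address

def listed(rules, daemon, ip):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, ip) for p in clients)
               for daemons, clients in rules)

def decide(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Search order: a hosts.allow match grants, then a hosts.deny match refuses."""
    if listed(parse(allow), daemon, ip):
        return "allow"
    if listed(parse(deny), daemon, ip):
        return "deny"
    return "allow"  # no match in either file: access is granted (fail-open)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "10.1.2.33", "10.1.20.3", "203.0.113.5"):
        print(ip, decide("sshd", ip))
```

The last branch of `decide` is the one to watch: with an empty or missing hosts.deny, every address not listed in hosts.allow is still admitted.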
boomer_2
Super Advisor

Re: SSH access limitation ( IP address )

Hi Steven,
I couldn't find the TCP wrapper on HP's site for 11i v2.

It's only mentioned for Tru64.
boomer_2
Super Advisor

Re: SSH access limitation ( IP address )

Hi Vinod,
for me somehow /etc/hosts.allow and /etc/hosts.deny don't work.

Can you be more specific as to whether any other entry elsewhere is to be made?
Dennis Handly
Acclaimed Contributor

Re: SSH access limitation ( IP address )

>boomer: I couldn't find the tcp wrapper

Instead of asking questions in an old thread you should create your own and possibly add a link to the old one, if it provides details.
That way you can award points for helpful answers.
boomer_2
Super Advisor

Re: SSH access limitation ( IP address )

Hi Dennis,
You are absolutely right.
To be frank, for a moment I thought it was my thread, since I too had raised the same question. Sorry again.
I will definitely award you points if you answer my question :-) posted in this forum with the subject "How to block specific ip's access to my prodn server..."