bbaraniec
Nov 28, 2011Luminary
SSH restricted access based on IP
Hi,
Since my router firewall isn't working properly, I'm wondering right now what would be the best method to restrict SSH access based on IP address.
Right now I have one user who is authenticating with a key and then I can su - root.
As far as I know there are two options:
1. In sshd_conf I can add the line
    AllowUsers user1 user2 user3 etc
but can it be like user@192.168.1.x? If I need to add more than one network, should it be user@network1 network2 or user@network1 user@network2?
2. Or in host.allow
    sshd,sshdfwd-X11: 192.168.4. 1.1.1.x.
and host.deny
    sshd,sshdfwd-X11:ALL
If I've allowed something in host.allow, do I need to specify host.deny, or will anything that isn't specified in host.allow be discharged by default?
Which of the two is better, or doesn't it really matter?
Thanks in advance! :)
2 Replies
hd
Aspirant
Couldn't you use iptables also?
I have not tried it but it appears to be on the NAS.
nas-xxxxxxx:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
If your router firewall is not working right you probably don't want internet users getting to your NAS at all??
WhoCares_
Mentor
I would go for the hosts.allow/hosts.deny approach, for it is the easiest to remove again later and it works like a charm. As to your question (emphasis by me):
ACCESS CONTROL FILES
The access control software consults two files. The search stops at the first match:
o Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.
o Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.
o Otherwise, access will be granted.
A non-existing access control file is treated as if it were an empty file. Thus, access control can be turned off by providing no access control files.
So your example would work; you may want to change the "ALL" into "PARANOID" in the hosts.deny for added security ;)
-Stefan
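As an added illustration (not from this thread and not the TCP wrappers code itself), here is the decision procedure from the man page excerpt Stefan quoted, written as a small Python simulator so the "do I still need hosts.deny" question can be checked against sample rules. It models only the client patterns this thread uses (ALL, an exact IPv4 address, and a trailing-dot network prefix such as 192.168.4.); PARANOID and hostname lookups are deliberately left out, and the rule files are constructed inline.

```python
"""Simulate the hosts_access(5) decision for a (daemon, client) pair.

Constructed, simplified model of the rules quoted above: the first match in
hosts.allow grants access, otherwise the first match in hosts.deny refuses it,
otherwise access is granted. A missing file counts as an empty file.
"""

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for line in (text or "").splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(), clients.split()))
    return rules

def client_matches(pattern, addr):
    """ALL, a trailing-dot network prefix (192.168.4.), or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern

def pair_matches(rules, daemon, addr):
    """True if any rule names this daemon (or ALL) and matches the client."""
    for daemons, clients in rules:
        if (daemon in daemons or "ALL" in daemons) and \
                any(client_matches(c, addr) for c in clients):
            return True
    return False

def access_granted(daemon, addr, hosts_allow=None, hosts_deny=None):
    """Apply the three-step search: allow file, then deny file, then grant."""
    if pair_matches(parse_rules(hosts_allow), daemon, addr):
        return True
    if pair_matches(parse_rules(hosts_deny), daemon, addr):
        return False
    return True

# Constructed sample files mirroring the rules from the original post.
HOSTS_ALLOW = "sshd,sshdfwd-X11: 192.168.4.\n"
HOSTS_DENY = "sshd,sshdfwd-X11: ALL\n"

if __name__ == "__main__":
    for addr in ("192.168.4.20", "192.168.40.20", "10.0.0.5"):
        print(addr, access_granted("sshd", addr, HOSTS_ALLOW, HOSTS_DENY))
    # Without a hosts.deny entry, everything not listed in hosts.allow falls
    # through to the final "access will be granted" step.
    print("no hosts.deny:", access_granted("sshd", "10.0.0.5", HOSTS_ALLOW, None))
```

Note that the trailing dot matters: 192.168.4. matches 192.168.4.20 but not 192.168.40.20, and a daemon not named in hosts.deny (for example ftpd) is still granted access.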