I have 2 Netgear NASes. One is rsyncing its backup to the other. I need to restrict ip access at the destination to only allow the one at the source. It is using port 22.
I've never seen that format. With no hosts.deny, hosts.allow typically serves no purpose. I believe you want hosts.allow as
ALL: 71.xxx.xxx.x, 108.xx.xx.xx
and hosts.deny as:
ALL: ALL
But that doesn't give access to whatever local computer you are using to administer the NAS, asssuming you need one. On the other hand, I don't know if those affect the GUI or ReadyNAS Remote. Putting it's own public address on the access list also doesn't really make sense. Are the NASes really at those addresses, or are you port forwarding to them? If you are port forwarding, then you need to include the local LAN address of the local computer for admin, not the public one; maybe allowing all .local addresses. If all admin is (and always will be) done remotely, then you only need the remote public IP on the list.
This all does require that you have static IP addresses.
You might want to look here at a pretty good explanation:
You might consider deploying ZeroTier, which would allow you to make the rsync-over-ssh connection without forwarding any ports in your router. You would have to trust ZeroTier's security, but you could still use the access controls in the NAS to restrict IP access to the zerotier IP addresses.
If these are OS-6 NAS you should also make sure that the ssh connection is limited to a user account that doesn't have shell access. See using a remote host here: https://kb.netgear.com/29929/ReadyNAS-OS-6-Setting-up-a-backup-job-with-rsync-over-SSH
I got those hosts.allow settings from a website. I believe either will work.
I can change it to your suggestion and see if it works.
This effort is to secure the NASes against vulnerabilities in protocol 1 of openssh.
I tried Zerotier but had no luck in making it work.
The rsync has been working without fail for several months now, so if this can be secured then it would seem to be ok.
I hope it is ok to also include openssh questions in this discussion.
When I run rpm -qi openssh it says openssh is not installed.
But then when I run dpkg -l | grep -i openssh I get:
ii openssh-client 1:6.7p1-5+deb8u3.netgear1 amd64 secure shell (SSH) client, for secure access to remote machines ii openssh-server 1:6.7p1-5+deb8u3.netgear1 amd64 secure shell (SSH) server, for secure access from remote machines ii openssh-sftp-server 1:6.7p1-5+deb8u3.netgear1 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
It seems to be there.
But then I run apt-get changelog ssh |grep -i cve I get
E: Failed to fetch changelog:/openssh.changelog Changelog unavailable for openssh=1:6.7p1-5+deb8u3.netgear1
It seems to not be there.
But then the person comfirming I am in PCI compliance says I am running
