This is a discussion on ip access control | sshd_config within the Linux Security forums, part of the System Security and Security Related category.
Greetings -
While I can use AllowUsers in sshd_config to control which users with valid accounts can access one of my boxes via ssh, I'm wondering if there is a way to specify a list of ip addresses which are allowed to access sshd? I've searched around a bit, but didn't find anything that looked like what I've described. Thanks...
In comp.os.linux.security cooch17@nospamverizon.net:

> Greetings -
> While I can use AllowUsers in sshd_config to control which users with
> valid accounts can access one of my boxes via ssh, I'm wondering if
> there is a way to specify a list of ip addresses which are allowed to
> access sshd? I've searched around a bit, but didn't find anything that
> looked like what I've described.

Use/compile an sshd version with tcp_wrapper support enabled and try 'man 5 hosts_access' for setup.

Alternatively or/and in addition fire up iptables and allow access to port 22 only to the system you want.

Good luck

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 148: Insert coin for new game
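The two layers this reply points at, written out as an added example that is not code from the thread: it stages tcp_wrappers rules for sshd (hosts_access(5) is the man page cited; the files it describes are /etc/hosts.allow and /etc/hosts.deny) and an iptables rule set that accepts new connections to port 22 only from the same hosts. The addresses 192.0.2.10 and 198.51.100.0/255.255.255.0 are constructed placeholders, and the script writes only into a staging directory so the result can be reviewed before anything is copied into /etc or loaded into the live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: stage both access-control layers,
# tcp_wrappers (hosts.allow/hosts.deny) and iptables, for a list of
# management hosts, without touching the running system.
# Assumption: a temp directory is an acceptable staging area.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"

# /etc/hosts.allow: sshd accepts only the listed clients. hosts.allow is
# consulted first and the first matching line wins (hosts_access(5)).
# Network masks are written in dotted form, e.g. 198.51.100.0/255.255.255.0.
gen_hosts_allow() {
    printf 'sshd: %s\n' "$*"
}

# /etc/hosts.deny: any sshd client not matched in hosts.allow is refused.
# Without this line an unmatched client would be allowed through.
gen_hosts_deny() {
    printf 'sshd: ALL\n'
}

# iptables-restore(8) fragment: keep established flows, accept NEW
# connections to tcp/22 only from the listed sources, drop all other
# port-22 traffic. iptables accepts the same dotted-mask notation.
gen_iptables() {
    echo '*filter'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for src in "$@"; do
        echo "-A INPUT -p tcp --dport 22 -s $src -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo '-A INPUT -p tcp --dport 22 -j DROP'
    echo 'COMMIT'
}

# Write the three fragments into $STAGE and print the directory, so they
# can be diffed against /etc before deployment.
stage_ssh_acl() {
    gen_hosts_allow "$@" > "$STAGE/hosts.allow"
    gen_hosts_deny       > "$STAGE/hosts.deny"
    gen_iptables "$@"    > "$STAGE/iptables.rules"
    echo "$STAGE"
}

# Constructed sample hosts: one admin workstation and one management subnet.
dir=$(stage_ssh_acl 192.0.2.10 198.51.100.0/255.255.255.0)
echo "staged in $dir"
```

Loading the fragment with `iptables-restore < iptables.rules` replaces the whole filter table unless you pass `--noflush`, so merge it into your existing rule set rather than loading it alone. Two real tools verify each layer independently: `tcpdmatch sshd 192.0.2.10` reports what the wrappers layer would do for a given client, and `iptables -C INPUT ...` with the same arguments as a rule tests whether that rule is present. One caveat that matters today: the wrappers layer only does anything if sshd is linked against libwrap (`ldd "$(command -v sshd)" | grep libwrap`), and portable OpenSSH dropped libwrap support in release 6.7, so on a current system that layer is silently absent and the second layer next to iptables (or nftables) is sshd's own `Match Address` blocks in sshd_config instead.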
On Sat, 26 Mar 2005 00:48:51 +0100, Michael Heiming <michael+USENET@www.heiming.de> wrote:

> In comp.os.linux.security cooch17@nospamverizon.net:
>> Greetings -
>>
>> While I can use AllowUsers in sshd_config to control which users with
>> valid accounts can access one of my boxes via ssh, I'm wondering if
>> there is a way to specify a list of ip addresses which are allowed to
>> access sshd? I've searched around a bit, but didn't find anything that
>> looked like what I've described.
>
> Use/compile a sshd version with tcp_wrapper support enabled and
> try 'man 5 hosts_access' for setup.
>
> Alternatively or/and in addition fire up iptables and allow access
> to port 22 only to the system you want.

That does the trick - plus not allowing root access to sshd. Most of the time, the script kiddies are trying to burrow in by guessing a username on the system. root is about the only one you know is on any system, so not allowing root to access sshd minimizes that problem.

Question though - if I restrict access to a certain ip in access.allow, then what advantage is there in also setting up what looks to be essentially the same thing in iptables? I'm embarrassed to admit I've always puzzled over things such as this... Thanks...
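The root-login point in the post above, as an added example that is not code from the thread: a small sshd_config lint for the two settings involved, PermitRootLogin and AllowUsers. It reports what sshd would actually apply, because sshd honours only the first occurrence of a keyword, matches keywords case-insensitively and treats everything after a Match line as conditional, so a plain grep for the string "PermitRootLogin no" passes configs that still let root in. The two sample configs it writes are constructed, and the usernames in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: lint an sshd_config for root login
# and an AllowUsers list, using sshd's own parsing rules (first keyword
# occurrence wins, case-insensitive keywords, Match blocks are conditional).
set -eu

# Print the effective top-level value of a keyword, or nothing if unset.
sshd_opt() {  # sshd_opt <keyword> <file>
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        NF == 0 || $1 ~ /^#/    { next }            # blank lines and comments
        { gsub(/=/, " ") }                          # "Keyword = value" form
        tolower($1) == "match"  { exit }            # everything after is conditional
        tolower($1) == key      { print $2; exit }  # first occurrence wins
    ' "$2"
}

# Return 0 if root logins are off and an AllowUsers list exists, else 1,
# printing one finding per line. An unset PermitRootLogin is a finding
# too: in 2005 the default was yes, today it is prohibit-password.
audit_sshd_config() {  # audit_sshd_config <file>
    file=$1
    rc=0
    prl=$(sshd_opt PermitRootLogin "$file" | tr 'A-Z' 'a-z')
    if [ "$prl" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${prl:-unset}', want no"
        rc=1
    fi
    if [ -z "$(sshd_opt AllowUsers "$file")" ]; then
        echo "FAIL: no AllowUsers list, every account with a shell may try"
        rc=1
    fi
    return $rc
}

# Write two constructed sample configs and print the directory they are in.
write_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/weak" <<'EOF'
# Constructed weak config: the second PermitRootLogin never applies,
# because sshd honours only the first occurrence of a keyword.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
    cat > "$dir/hardened" <<'EOF'
# Constructed hardened config: root locked out, two named accounts only.
Port 22
PermitRootLogin = no
AllowUsers cooch17 admin@192.0.2.10
PasswordAuthentication no
Match User cooch17
    PasswordAuthentication yes
EOF
    echo "$dir"
}

samples=$(write_sample_configs)
for f in weak hardened; do
    echo "== $f"
    if audit_sshd_config "$samples/$f"; then
        echo "OK"
    fi
done
```

On any OpenSSH from the last decade, `sshd -T` dumps the effective configuration after parsing and is the authoritative check; the lint above is for pre-deploy review of a file on a host where you cannot run sshd. Note the Match block in the hardened sample: the relaxed PasswordAuthentication inside it applies only to that user, which is exactly why the lint stops reading at the first Match line.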
In comp.os.linux.security cooch17@nospamverizon.net:

> On Sat, 26 Mar 2005 00:48:51 +0100, Michael Heiming
> <michael+USENET@www.heiming.de> wrote:
>> In comp.os.linux.security cooch17@nospamverizon.net:

[ restricting ssh access through tcp_wrapper or/and iptables ]

> That does the trick - plus not allowing root access to sshd.
> Most of

Yep, root access to ssh should be disabled for serious usage.

[..]

> Question though -
> if I restrict access to a certain ip in access.allow, then what
> advantage is there in also setting up what looks to be
> essentially the
> same thing in iptables? I'm embarrassed to admit I've always
> puzzled
> over things such as this...

Security is like an onion: if you have at least 2 layers, tcp_wrapper and iptables, you are still secure even if one fails for misconfiguration or whatever reason.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 88: Boss' kid fucked up the machine
>>> if I restrict access to a certain ip in access.allow, then what
>>> advantage is there in also setting up what looks to be
>>> essentially the
>>> same thing in iptables? I'm embarrassed to admit I've always
>>> puzzled
>>> over things such as this...
>>
>> Security is like an onion, if you have at least 2 layers
>> tcp_wrapper and iptables, you are still secure even if one fails
>> for misconfiguration or whatever reason.

Sounds like sage advice. Thanks...