Re: Restricting ssh access to internet but not to internal network

To: debian-security@lists.debian.org
Subject: Re: Restricting ssh access to internet but not to internal network
From: "Patrick" <p_rynhart@hotmail.com>
Date: 27 Nov 2005 00:44:01 -0800
Message-id: <[🔎] 1133081041.334820.137630@g14g2000cwa.googlegroups.com>
References: <[🔎] 1132899251.218574.257950@z14g2000cwz.googlegroups.com> <[🔎] 20051125134921.GA6052@mail.braingia.org>

Thanks Steve. I've just tested your solution and it's working fine. I
invoked a second instance of sshd using a different configuration file,
i.e.

ssh -f /etc/ssh/sshd_conf-internal

which binds to port 22 all allows all users to login. The (original)
file /etc/ssh/sshd_conf binds to 1022, and is exposed to the public
internet - but restricts access based on AllowGroup. The server has a
single NIC - but, as you say, it's no problem using different ports.

Thanks to the other authors who have replied.

Regards

Patrick Rynhart.

Steve Suehring wrote:

> I would likely restrict access to ssh from external, if at all possible.
> I realize that this isn't always possible but it should be possible to
> at least narrow down access to certain IP ranges.
>
> For this particular problem I'm assuming there are two NICs in the
> computer, one with an IP in private space and the other with a public
> address?  One idea is to bind two SSH daemons, one for each NIC.  Place
> no AllowGroups restriction on the internal SSH daemon.  This means
> that all users can connect internally.  On the SSH daemon bound
> externally place the AllowGroups restriction to restrict access to
> members of that group.
>
> If there's only one NIC in the computer then you could still use two SSH
> daemons, just bind them to different ports.  The internal port might be
> the standard tcp/22 whereas externally you would bind tcp/2222 or
> something.  Then firewall off the access to port 22 from externally so
> that the internal-use daemon can't be accessed.
>
> Hope that helps.  I'm sure others will have ideas too.
>
> Steve
>
>
> On Thu, Nov 24, 2005 at 10:14:11PM -0800, Patrick wrote:
> > I have an server running sshd on Sarge. I want all users to be able to
> > access the computer from within the internal network - but restrict
> > access from the internet (to users in a particular group). Can this be
> > achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> > the AllowGroup (or AllowUsers) options in sshd configuration file.
> >
> > If so, how ?
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- Restricting ssh access to internet but not to internal network
  - From: "Patrick" <p_rynhart@hotmail.com>
- Re: Restricting ssh access to internet but not to internal network
  - From: Steve Suehring <dsec@braingia.org>

Prev by Date: Re: EAC - Armored Car and SUV Specialist - Incentives for Referral
Next by Date: radvd setuid dir?
Previous by thread: Re: Restricting ssh access to internet but not to internal network
Next by thread: Re: Restricting ssh access to internet but not to internal network
Index(es):
- Date
- Thread