Re: Restricting ssh access to internet but not to internal network
Thanks Steve. I've just tested your solution and it's working fine. I
invoked a second instance of sshd using a different configuration file,
i.e.
sshd -f /etc/ssh/sshd_conf-internal
which binds to port 22 and allows all users to login. The (original)
file /etc/ssh/sshd_conf binds to 1022, and is exposed to the public
internet - but restricts access based on AllowGroup. The server has a
single NIC - but, as you say, it's no problem using different ports.
Thanks to the other authors who have replied.
Regards
Patrick Rynhart.
Steve Suehring wrote:
> I would likely restrict access to ssh from external, if at all possible.
> I realize that this isn't always possible but it should be possible to
> at least narrow down access to certain IP ranges.
>
> For this particular problem I'm assuming there are two NICs in the
> computer, one with an IP in private space and the other with a public
> address? One idea is to bind two SSH daemons, one for each NIC. Place
> no AllowGroups restriction on the internal SSH daemon. This means
> that all users can connect internally. On the SSH daemon bound
> externally place the AllowGroups restriction to restrict access to
> members of that group.
>
> If there's only one NIC in the computer then you could still use two SSH
> daemons, just bind them to different ports. The internal port might be
> the standard tcp/22 whereas externally you would bind tcp/2222 or
> something. Then firewall off the access to port 22 from externally so
> that the internal-use daemon can't be accessed.
>
> Hope that helps. I'm sure others will have ideas too.
>
> Steve
>
>
> On Thu, Nov 24, 2005 at 10:14:11PM -0800, Patrick wrote:
> > I have a server running sshd on Sarge. I want all users to be able to
> > access the computer from within the internal network - but restrict
> > access from the internet (to users in a particular group). Can this be
> > achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> > the AllowGroup (or AllowUsers) options in the sshd configuration file?
> >
> > If so, how ?
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
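The two-daemon setup from this thread as an added example (not code from either poster): the internal and external configuration files written side by side, a check that the exposed one carries AllowGroups and listens on a different port than the internal one, and the firewall rules Steve describes for keeping tcp/22 off the internet. The group name sshusers, the 192.168.1.0/24 internal range and the PidFile paths are assumptions.

```shell
#!/bin/sh
# Write the two configurations into $1 (assumed directory).
write_configs() {
  dir=$1
  # Internal daemon: tcp/22, every account may log in, started with
  #   sshd -f /etc/ssh/sshd_conf-internal
  # A second instance needs its own PidFile or it collides with the first.
  cat > "$dir/sshd_conf-internal" <<'EOF'
Port 22
PidFile /var/run/sshd-internal.pid
EOF
  # External daemon: tcp/1022, only members of group sshusers (assumed name).
  cat > "$dir/sshd_conf" <<'EOF'
Port 1022
PidFile /var/run/sshd.pid
AllowGroups sshusers
PermitRootLogin no
EOF
}

# Return 0 only if the internet-facing config ($1) restricts by group and
# its Port differs from the internal config ($2); anything else returns 1.
# (Run "sshd -t -f <file>" on each file to have sshd itself validate it.)
check_split() {
  ext=$1; int=$2
  grep -q '^AllowGroups ' "$ext" || return 1
  extport=$(awk '$1=="Port"{print $2}' "$ext")
  intport=$(awk '$1=="Port"{print $2}' "$int")
  [ -n "$extport" ] && [ -n "$intport" ] && [ "$extport" != "$intport" ]
}

# Print (not execute) the iptables rules: tcp/22 reachable only from the
# assumed internal range, dropped from everywhere else, tcp/1022 open so the
# group-restricted daemon is the only one exposed to the public internet.
firewall_rules() {
  printf '%s\n' \
    'iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT' \
    'iptables -A INPUT -p tcp --dport 22 -j DROP' \
    'iptables -A INPUT -p tcp --dport 1022 -j ACCEPT'
}
```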