
Re: Restricting ssh access to internet but not to internal network



Thanks Steve. I've just tested your solution and it's working fine. I
invoked a second instance of sshd using a different configuration file,
i.e.

sshd -f /etc/ssh/sshd_conf-internal

which binds to port 22 and allows all users to login. The (original)
file /etc/ssh/sshd_conf binds to 1022, and is exposed to the public
internet - but restricts access based on AllowGroup. The server has a
single NIC - but, as you say, it's no problem using different ports.

Thanks to the other authors who have replied.

Regards

Patrick Rynhart.
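An added example, not taken from the thread, of the two-daemon layout described above: one sshd configuration for the internal daemon on tcp/22 with no group restriction, and one for the internet-facing daemon on tcp/1022 that only admits members of a group (the sshd_config directive is spelled AllowGroups), plus a check that a config is restricted before it is exposed. The file paths, the group name "sshext" and the 192.168.0.0/16 internal range are assumptions.

```shell
#!/bin/sh
# Example configs for two sshd instances on one host (assumed paths/values).
# Each instance needs its own PidFile, otherwise the second overwrites the
# first instance's pid file.

# Internal-only daemon: standard port, every user may log in.
write_internal_conf() {            # $1 = path to write
    cat > "$1" <<'EOF'
Port 22
Protocol 2
PidFile /var/run/sshd-internal.pid
AuthorizedKeysFile .ssh/authorized_keys
EOF
}

# Internet-facing daemon: non-standard port, restricted to group "sshext"
# (assumed group name).
write_external_conf() {            # $1 = path to write
    cat > "$1" <<'EOF'
Port 1022
Protocol 2
PidFile /var/run/sshd.pid
AllowGroups sshext
PermitRootLogin no
EOF
}

# Print the port a config listens on (first Port directive).
conf_port() { awk '/^[[:space:]]*Port[[:space:]]/ { print $2; exit }' "$1"; }

# Succeeds only if the file carries a non-empty AllowGroups directive;
# run this against a config before exposing that daemon to the internet.
conf_is_group_restricted() {
    grep -Eq '^[[:space:]]*AllowGroups[[:space:]]+[^[:space:]#]' "$1"
}

# On the real host (as root), after writing both files:
#   sshd -t -f /etc/ssh/sshd_config-internal   # syntax check first
#   sshd -f /etc/ssh/sshd_config-internal      # second instance, own PidFile
#   iptables -A INPUT -p tcp --dport 22 ! -s 192.168.0.0/16 -j DROP
# The DROP rule keeps the unrestricted port 22 daemon unreachable from outside
# (192.168.0.0/16 is an assumed internal range).
```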

Steve Suehring wrote:

> I would likely restrict access to ssh from external, if at all possible.
> I realize that this isn't always possible but it should be possible to
> at least narrow down access to certain IP ranges.
>
> For this particular problem I'm assuming there are two NICs in the
> computer, one with an IP in private space and the other with a public
> address?  One idea is to bind two SSH daemons, one for each NIC.  Place
> no AllowGroups restriction on the internal SSH daemon.  This means
> that all users can connect internally.  On the SSH daemon bound
> externally place the AllowGroups restriction to restrict access to
> members of that group.
>
> If there's only one NIC in the computer then you could still use two SSH
> daemons, just bind them to different ports.  The internal port might be
> the standard tcp/22 whereas externally you would bind tcp/2222 or
> something.  Then firewall off the access to port 22 from externally so
> that the internal-use daemon can't be accessed.
>
> Hope that helps.  I'm sure others will have ideas too.
>
> Steve
>
>
> On Thu, Nov 24, 2005 at 10:14:11PM -0800, Patrick wrote:
> > I have a server running sshd on Sarge. I want all users to be able to
> > access the computer from within the internal network - but restrict
> > access from the internet (to users in a particular group). Can this be
> > achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> > the AllowGroup (or AllowUsers) options in sshd configuration file?
> >
> > If so, how?
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>


