
Re: Disabling access to SSH



There are several approaches:

1) Use tcpd - access control facility for internet services

Configure your /etc/hosts.allow and /etc/hosts.deny as follows:

Add to /etc/hosts.allow
# Services that can be contacted externally.
# IP-host1 and IP-host2 stand for the permitted hosts; 172.16.145.0/255.255.255.0 is the local subnet.
sshd: IP-host1/255.255.255.0 IP-host2/255.255.255.0 172.16.145.0/255.255.255.0

Add to /etc/hosts.deny
# Deny everything unless allowed by /etc/hosts.allow
ALL : ALL@ALL, PARANOID

man 3 hosts_access - functions provided by the libwrap library.
man 5 hosts_access - format of the tcpd access control tables.
man 5 syslog.conf - format of the syslogd control file.
man 5 inetd.conf - format of the inetd control file.

2) One can also disable access from external machines using PAM (Portable
Authentication Module), as an ACL for the OpenSSH server:
     1. Create /etc/sshd.acl containing the list of users who are
        allowed to access the machine.

     2. Make /etc/sshd.acl readable by user root only.

        # chmod 600 /etc/sshd.acl

     3. Add the following line to /etc/pam.d/ssh (for Debian GNU/Linux)
        or /etc/pam.d/sshd (for Red Hat Linux):

        # make sure that this is one line
        auth required /lib/security/pam_listfile.so file=/etc/sshd.acl item=user sense=allow onerr=fail

Regards
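The two mechanisms in the post, as an added worked example that is not part of the original message: a small POSIX shell emulator of the tcpd hosts.allow/hosts.deny evaluation order for the net/mask client patterns used above, and of the pam_listfile semantics (item=user sense=allow onerr=fail), so the rules can be checked before they are put on a live host. The tables, user names and addresses in it are constructed (192.0.2.x and 198.51.100.x are documentation ranges; 172.16.145.0/255.255.255.0 is the subnet from the post); PARANOID, which needs forward/reverse DNS, is not modelled.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the two access controls
# discussed above.
#   tcpd_decide        - hosts.allow / hosts.deny order for IPv4 "net/mask" patterns
#   pam_listfile_check - pam_listfile "item=user sense=allow onerr=fail" semantics
# Sample tables and users below are constructed; PARANOID is not modelled.

# Dotted-quad IPv4 address -> integer.
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Does client address $2 match one hosts_access(5) client pattern $1?
# Supported here: ALL, an exact address, and "net/mask" (the form used in the post).
match_pattern() {
    pat=$1; addr=$2
    case $pat in
        ALL) return 0 ;;
        */*)
            m=$(ip2int "${pat#*/}")
            [ $(( $(ip2int "${pat%%/*}") & m )) -eq $(( $(ip2int "$addr") & m )) ] ;;
        *)  [ "$pat" = "$addr" ] ;;
    esac
}

# Does any rule "daemon_list : client_list" in table $3 match daemon $1, client $2?
table_matches() {
    want=$1; client=$2
    while IFS= read -r line; do
        line=${line%%#*}                        # '#' starts a comment
        case $line in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}; clist=${line#*:}
        hit=0
        for dp in $(echo "$dlist" | tr ',' ' '); do
            [ "$dp" = ALL ] || [ "$dp" = "$want" ] && hit=1
        done
        [ $hit -eq 1 ] || continue
        for cp in $(echo "$clist" | tr ',' ' '); do
            cp=${cp%%@*}                        # "ALL@ALL": ignore the server-endpoint half
            [ "$cp" = PARANOID ] && continue    # needs DNS checks; not modelled here
            if match_pattern "$cp" "$client"; then return 0; fi
        done
    done <<EOF
$3
EOF
    return 1
}

# tcpd order: first match in hosts.allow grants; otherwise first match in
# hosts.deny refuses; otherwise access is granted. Prints "allow" or "deny".
tcpd_decide() {
    if table_matches "$1" "$2" "$3"; then echo allow
    elif table_matches "$1" "$2" "$4"; then echo deny
    else echo allow
    fi
}

# pam_listfile with item=user sense=allow onerr=fail: an unreadable ACL file
# fails closed; otherwise the user passes only if listed. Prints "allow" or "deny".
pam_listfile_check() {
    user=$1; acl=$2
    [ -r "$acl" ] || { echo deny; return 0; }   # onerr=fail
    if grep -qxF "$user" "$acl"; then echo allow; else echo deny; fi
}

# Constructed tables mirroring the post (192.0.2.10 stands in for IP-host1).
ALLOW='# Services that can be contacted externally.
sshd: 192.0.2.10/255.255.255.255 172.16.145.0/255.255.255.0'
DENY='# Deny everything unless allowed by /etc/hosts.allow
ALL : ALL@ALL, PARANOID'

# Demo run: the local subnet and the listed host get in, everything else is refused.
for ip in 172.16.145.10 192.0.2.10 198.51.100.7; do
    printf 'sshd from %-15s -> %s\n' "$ip" "$(tcpd_decide sshd "$ip" "$ALLOW" "$DENY")"
done

# Demo of the ACL file: constructed user list in a temporary file with mode 600.
acl=$(mktemp) && printf '%s\n' alice bob > "$acl" && chmod 600 "$acl"
for u in alice mallory; do
    printf 'pam_listfile user %-8s -> %s\n' "$u" "$(pam_listfile_check "$u" "$acl")"
done
printf 'pam_listfile with missing ACL -> %s\n' "$(pam_listfile_check alice /nonexistent/sshd.acl)"
rm -f "$acl"
```

The point worth noticing in the tcpd part is the evaluation order: the ALL : ALL@ALL line in hosts.deny only bites when nothing in hosts.allow matched first, so a mistake in hosts.allow (a wrong mask, for instance) silently widens or narrows who gets in. In the PAM part, onerr=fail is what turns a missing or unreadable /etc/sshd.acl into a denial rather than an open door.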



