
Re: SSH/SSHD local LAN only



Well, one option is to just set a rule-pair in your firewall:

iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

That way connections from the internal network are accepted; all other
traffic to the ssh port is dropped.  If you go this route, ensure that
your system is set up to save your firewall rules and re-load them
when it brings the interface up, otherwise your protection is only
good for one session ; )

I would probably still want to configure sshd in addition (multiple
layers of security = much more secure).  From a cursory looking-around
at google, it looks like you can set the ListenAddress line in
sshd.conf to a local IP; I'm not sure exactly how this implementation
would work, and moreover it looks like you'd need several lines if you
want to allow a range of IPs on the local network.

You might also have a look at hosts.allow and hosts.deny
(http://linux.about.com/od/commands/l/blcmdl5_hostsal.htm is just the
first google result; the man pages certainly have more info, but I
don't use hosts.* myself so I can only really provide a pointer).  I'm
not sure that really adds anything that the firewall rule wouldn't
already, though.

~Jeff
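A check for the rule pair above, added here as an example and not part of Jeff's message: it reads `iptables -S INPUT` output and confirms that the LAN ACCEPT for port 22 comes before the catch-all DROP, which is the ordering the two rules depend on (a DROP listed first locks the LAN out too; no DROP at all leaves ssh open to everyone). It also goes slightly beyond the thread by treating a `-P INPUT DROP` chain policy as an acceptable catch-all. The function name `check_ssh_lan_rules` and the constructed sample rules are assumptions; the sample is embedded so the check runs without root.

```shell
#!/bin/sh
# check_ssh_lan_rules LAN_CIDR  (added example, not from the thread)
# Reads `iptables -S INPUT` text on stdin. Returns 0 only when an ACCEPT
# for --dport 22 from LAN_CIDR precedes a DROP/REJECT for --dport 22, or
# when the chain policy is DROP. Assumes CIDR-style -s output (e.g.
# 192.168.1.0/24), which is what modern iptables prints.
check_ssh_lan_rules() {
    lan="$1"
    accept_seen=0
    policy_drop=0
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT DROP")
                policy_drop=1 ;;
            *"-s $lan "*"--dport 22 "*"-j ACCEPT")
                accept_seen=1 ;;
            *"--dport 22 "*"-j ACCEPT")
                return 1 ;;    # ssh accepted from some other source
            *"--dport 22 "*"-j DROP"|*"--dport 22 "*"-j REJECT")
                # Order matters: a DROP hit before the LAN ACCEPT blocks the LAN too.
                if [ "$accept_seen" -eq 1 ]; then return 0; else return 1; fi ;;
        esac
    done
    # No explicit DROP for port 22: only safe when the chain policy drops.
    if [ "$accept_seen" -eq 1 ] && [ "$policy_drop" -eq 1 ]; then
        return 0
    else
        return 1
    fi
}

# Constructed sample of `iptables -S INPUT` after applying the rule pair above.
SAMPLE_OK='-P INPUT ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

if printf '%s\n' "$SAMPLE_OK" | check_ssh_lan_rules 192.168.1.0/24; then
    echo "ssh is restricted to 192.168.1.0/24"
else
    echo "WARNING: ssh is not restricted to the LAN (missing DROP or wrong order)"
fi
```

On a live box, run `iptables -S INPUT | check_ssh_lan_rules 192.168.1.0/24` after a reboot to confirm the rules were actually reloaded, not just typed once.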


On Fri, Sep 19, 2008 at 12:52 PM, S.D.Allen
<SDA@deer-in-the-headlights.ca.invalid> wrote:
> Greetings;
>
> I can't seem to figure out which config file to edit and what to enter
> to allow only hosts on the LAN to connect via SSH. I'll have the box
> in question available to the entire Internet and want to disable
> global access to SSH. Presently I'm using password authentication, and
> would prefer to keep it this way, as opposed to allowing access via
> trusted key.
>
> Thanks.
>