Restricting ssh access to selected IP addresses
This is probably one of those “what’s a spline?” kind of things which I should have learnt years ago, but somehow looking it up on Google proved rather tricky. I try to spend as little of my life wearing a sys-admin hat as possible, so if I’m missing something obvious please let me know.
Anyway, a server I’m involved with had been hammered for months by people running brute force SSH attacks. There is pretty much zero chance of them successfully guessing a password, but unfortunately the sheer number of connections has occasionally reached sshd’s limits and locked even real users out. The hosting company has been able to connect directly to restart sshd where necessary, but obviously it’s not a tenable situation for what will eventually become a production server.
Most of what I could find on Google deals with setting up monitoring systems to monitor the sshd logs and dynamically create firewall rules to block any clients which appear to be performing brute force attacks, but our situation is really much simpler. For this server, and I would imagine most, there is a very finite set of IP addresses which might legitimately connect via SSH. I guess ISPs assigning dynamic IP addresses might stretch this in some cases, but even then the set is likely to be quite small (and could probably be defined by domain).
I was about to dive in and start setting iptables rules for SSH, which makes me rather nervous when the server in question is on the other side of the world, but someone at work suggested that using hosts.allow might be simpler.
Having never actually touched hosts.allow in the past, I did a bit of digging and ran across this nice little introduction to TCP wrapping SSH which seems to have been set up specifically for some sort of exploit against ssh version 1, but showed pretty much exactly what I wanted to do.
For what it’s worth, I ended up with the following, which seems to work beautifully.
[root@server root]# cat /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd,sshdfwd-X11: .mydomain.com
sshd,sshdfwd-X11: XXX.XXX.X.
sshd,sshdfwd-X11: specific-server.otherdomain.com
[root@server root]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd,sshdfwd-X11:ALL
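As an added example, not from the original post: a small POSIX sh simulator of tcpd's hosts_access(5) matching, handling only the pattern forms used in the files above (leading-dot domain suffix, trailing-dot address prefix, exact host name, ALL), so the rules can be dry-run against sample clients before they are deployed on a server on the other side of the world. The sample hosts.allow and hosts.deny it writes are constructed, with an RFC 5737 documentation prefix standing in for the redacted XXX.XXX.X., and host names are taken as given rather than derived from reverse DNS as real tcpd does.

```shell
# Added example, not from the original post: simulates the hosts_access(5)
# matching tcpd applies, so rules like the ones above can be checked against
# sample clients before going live on a remote server.  Assumption: only the
# pattern forms the post uses are handled (leading-dot domain suffix, trailing-
# dot address prefix, exact host name, ALL); names are taken as given, not from
# reverse DNS, and netmask, EXCEPT and wildcard forms are not implemented.
match_pattern() {                     # match_pattern PATTERN CLIENT
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # .mydomain.com: name suffix
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # 192.0.2.: address prefix
        *)   [ "$2" = "$1" ] && return 0 ;;
    esac
    return 1
}
list_matches() {                      # list_matches "a, b,c" ITEM
    saved_ifs=$IFS; IFS=", $(printf '\t')"
    for pat in $1; do
        if match_pattern "$pat" "$2"; then IFS=$saved_ifs; return 0; fi
    done
    IFS=$saved_ifs; return 1
}
file_matches() {                      # file_matches FILE DAEMON CLIENT
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; *:*) ;; *) continue ;; esac
        if list_matches "${line%%:*}" "$2" && list_matches "${line#*:}" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}
# tcpd's order: a hosts.allow match wins, then hosts.deny, otherwise allow
tcpd_decision() {                     # tcpd_decision ALLOW_FILE DENY_FILE DAEMON CLIENT
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}
# Constructed sample rules mirroring the post's files, with an RFC 5737
# documentation prefix standing in for the redacted XXX.XXX.X.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf '%s\n' '# constructed sample' 'sshd,sshdfwd-X11: .mydomain.com' \
    'sshd,sshdfwd-X11: 192.0.2.' 'sshd,sshdfwd-X11: specific-server.otherdomain.com' \
    > "$WORK/hosts.allow"
printf '%s\n' 'sshd,sshdfwd-X11:ALL' > "$WORK/hosts.deny"
for client in desk.mydomain.com 192.0.2.17 198.51.100.9 evil.otherdomain.com; do
    printf '%-25s %s\n' "$client" "$(tcpd_decision "$WORK/hosts.allow" "$WORK/hosts.deny" sshd "$client")"
done
```

On a system that still ships tcp_wrappers, tcpdmatch(8) (for example `tcpdmatch sshd 192.0.2.17`) gives the authoritative answer against the live files, and note that the deny rule above names only sshd and sshdfwd-X11, so any other wrapped service stays open to everyone. Upstream OpenSSH removed its libwrap support in 6.7, so on a modern box confirm that sshd is actually built against libwrap before relying on these files instead of a firewall rule.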
You would think this is the sort of thing the hosting provider’s technicians would have recommended the moment we said we were having trouble, but I guess they prefer offering more costly solutions.
Technorati Tags: ssh, sysadmin, hosting, firewall, security, linux