Koozali.org: home of the SME Server

Is this how to limit remote ssh to a few IP addresses?

RedBeard
Is this how to limit remote ssh to a few IP addresses?
« on: November 10, 2004, 09:59:16 PM »
How do I limit remote access to the server via ssh?  My server is getting hit with a lot of attempts to log on via ssh.  I would like to limit ssh to 5 or 6 IP address ranges that I and a couple of other admins use.

Looking around at other examples, it looks like this might work.  As root, do the following?

# mkdir -p /etc/e-smith/templates-custom/etc/host.allow

# echo " sshd: 127.0.0.1 10.0.0.0/255.255.255.0 xxx.xxx.xxx.0/255.255.255.0 yyy.yyy.yyy.0/255.255.255.0 \
zzz.zzz.zzz.0/255.255.255.0" > /etc/e-smith/templates-custom/etc/host.allow/sshd

   [10.0.0.0 is the local network ip and the others are the ip ranges I want to accept login via ssh from]

# /sbin/e-smith/expand-template /etc/host.allow

Is this the proper way to do this?

Thanks
RedBeard
............
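The hosts.allow line above is a tcp_wrappers client list, and it is easy to write one that admits the wrong addresses. The following is an added example, not code from the thread: a small evaluator for that list syntax (bare address, net/mask in dotted form, a CIDR prefix length, a "10.0.0." style prefix, and ALL) so a line can be checked against a client address before the template is expanded. The sample lists and addresses in the usage are constructed. Two things the original post does not say: tcp_wrappers consults hosts.allow first, then hosts.deny, and a client matching neither file is let in, so restricting sshd also needs a catch-all in hosts.deny; and hosts.allow only matters if sshd was built with libwrap support (true of the OpenSSH of that era, not of OpenSSH 6.7 and later). Hostnames are deliberately not resolved here; IPv4 only.

```shell
#!/bin/sh
# Added example: evaluate tcp_wrappers-style client lists of the kind the
# hosts.allow "sshd:" line uses. Not part of SME Server.

# ip2int DOTTED_QUAD : print the address as an unsigned 32-bit integer
# (subshell body so the IFS change does not leak into the caller)
ip2int() (
  IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# match_entry ENTRY CLIENT_IP : status 0 if CLIENT_IP matches ENTRY
match_entry() {
  entry=$1 client=$2
  case $entry in
    ALL)  return 0 ;;
    *.)   # "10.0.0." means every address starting with that prefix
          case $client in "$entry"*) return 0 ;; esac; return 1 ;;
    */*)  m=${entry#*/}
          case $m in
            *.*) mask=$(ip2int "$m") ;;                                 # dotted mask
            *)   mask=$(( (0xffffffff << (32 - m)) & 0xffffffff )) ;;  # CIDR length
          esac
          [ $(( $(ip2int "${entry%/*}") & mask )) -eq $(( $(ip2int "$client") & mask )) ] ;;
    *)    [ "$entry" = "$client" ] ;;
  esac
}

# allowed_by_list "sshd: entry entry ..." CLIENT_IP : 0 if any entry matches
allowed_by_list() {
  list=${1#*:}   # drop the "sshd:" daemon part
  client=$2
  for e in $list; do
    match_entry "$e" "$client" && return 0
  done
  return 1
}

# wrappers_decision ALLOW_LINE DENY_LINE CLIENT_IP : prints allow or deny
# tcp_wrappers order: hosts.allow first, then hosts.deny; no match in either
# file means the connection is ALLOWED, which is why a restrictive hosts.allow
# needs "sshd: ALL" (or "ALL: ALL") in hosts.deny to do anything.
wrappers_decision() {
  if allowed_by_list "$1" "$3"; then echo allow; return 0; fi
  if allowed_by_list "$2" "$3"; then echo deny;  return 0; fi
  echo allow
}

# constructed usage: the line from the post with placeholder ranges filled in
LIST="sshd: 127.0.0.1 10.0.0.0/255.255.255.0 192.0.2.0/255.255.255.0"
for c in 10.0.0.25 10.0.1.25 203.0.113.9; do
  echo "$c -> $(wrappers_decision "$LIST" "sshd: ALL" "$c")"
done
```

The single-host pitfall is visible here: `192.0.2.0/255.255.255.255` matches only the address `.0`, so a workstation at `192.0.2.7` is locked out; a single host is written as the bare address.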

bigbri100

Is this how to limit remote ssh to a few IP addresses?
« Reply #1 on: November 11, 2004, 03:08:00 AM »
That should work just fine.

When I learned of the new wave of attacks on my SSH server I switched to Public/Private Keys.  I just distribute the Private key to anyone who needs to access my server.  Just a thought.

mrjhb3 (John Bennett Services)
Is this how to limit remote ssh to a few IP addresses?
« Reply #2 on: November 11, 2004, 04:05:14 AM »
Would you mind posting a howto on using the public/private keys with SSH?

JB
......

cc_skavenger

Is this how to limit remote ssh to a few IP addresses?
« Reply #3 on: November 11, 2004, 05:12:34 AM »
Another thought is to change the ssh port from 22 to 222 or even 2222.

Just my $0.02.

bigbri100


RedBeard
Is this how to limit remote ssh to a few IP addresses?
« Reply #5 on: November 12, 2004, 04:04:15 PM »
Thanks for the info everyone.  I tried it out and it didn’t appear to work.  I didn’t have time to look into it much.  I will have to double-check my work.

I will probably change the port # and switch to Public/Private Keys.

Thanks
............

cc_skavenger

Is this how to limit remote ssh to a few IP addresses?
« Reply #6 on: November 14, 2004, 05:29:00 AM »
Changing the default ssh port

Follow these instructions to change the default ssh port from 22 to something else, such as 2222. This how-to only applies to versions 5.6 and newer.

Make the directories needed for the necessary template fragments.
mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Copy the template fragment that specifies the ssh port number.
cp -rip /etc/e-smith/templates/ssh/sshd_config/10port /etc/e-smith/templates-custom/etc/ssh/sshd_config/

Edit the template fragment and change the port number to what you want.

Now, expand the template with the following command:
/sbin/e-smith/expand-template /etc/ssh/sshd_config

Edit the file /etc/ssh/sshd_config and make sure that the port number changed.

Next, copy the template fragment that specifies port 22 to be open in the firewall.
cp -rip /etc/e-smith/templates/etc/rc.d/init.d/masq/45AllowSSH /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

Edit the file and change the number 22 to whatever number you specified above.

Now, expand the template with the following command:
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
Edit the file /etc/rc.d/init.d/masq and make sure that you see something like this starting at about line 311:

    adjust_tcp_in 113 denylog $NEW_InboundTCP
    adjust_tcp_in 21 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 80 denylog $NEW_InboundTCP
    adjust_tcp_in 443 denylog $NEW_InboundTCP
    adjust_tcp_in 143 denylog $NEW_InboundTCP
    adjust_tcp_in 389 denylog $NEW_InboundTCP
    adjust_tcp_in 110 denylog $NEW_InboundTCP
    adjust_tcp_in 1723 ACCEPT $NEW_InboundTCP
    adjust_tcp_in 25 denylog $NEW_InboundTCP
    adjust_tcp_in 2222 ACCEPT $NEW_InboundTCP <--- Here is the new port    
    adjust_tcp_in 23 denylog $NEW_InboundTCP


Now restart the ssh service:
service sshd restart

Now restart the firewall service:
service masq restart

That’s it.  Try connecting over ssh through the new port you specified.  If it doesn’t work, check your files and make sure that ssh is enabled in the remote access section of the server manager.

HTH
Marco
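The how-to above is a sequence of manual copy, edit and eyeball steps. The script below is an added example, not part of the how-to or of SME Server, that does the same staging with checks: it copies the two fragments with the literal 22 replaced, verifies the expanded files the way the how-to asks you to by eye, and records a checksum of each base fragment so that a later upgrade which changes the base fragment (and whose change the custom fragment now hides) is noticed. The sshd_config fragment path is taken under templates/etc/ssh/sshd_config, the same layout the masq path in the how-to uses. BASE and CUSTOM stand for /etc/e-smith/templates and /etc/e-smith/templates-custom and are parameters so the functions can be exercised against a scratch tree; the fragments in the demo are constructed stand-ins, not the real SME ones. expand-template and the service restarts stay manual because they only exist on the real server. One detail that bites: expand-template concatenates every file in a fragment directory, so the checksums are kept in a sibling directory, never next to the fragments.

```shell
#!/bin/sh
# Added example: stage, verify and track the custom fragments for a non-22 sshd
# port on an SME Server. Not the project's own code. Assumes GNU sed (\< \>).

FRAGS="etc/ssh/sshd_config/10port etc/rc.d/init.d/masq/45AllowSSH"

# stage_ssh_port BASE CUSTOM PORT : copy each fragment from BASE to CUSTOM with
# the whole-word token 22 replaced by PORT, and fingerprint the base fragment.
stage_ssh_port() {
  base=$1 custom=$2 port=$3
  fpdir=${custom%/}.fingerprints   # OUTSIDE the template tree (see lead-in)
  case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
  for frag in $FRAGS; do
    [ -f "$base/$frag" ] || { echo "missing base fragment: $base/$frag" >&2; return 1; }
    mkdir -p "$custom/${frag%/*}" "$fpdir/${frag%/*}"
    sed "s/\<22\>/$port/g" "$base/$frag" > "$custom/$frag"   # 122, 2200 untouched
    cksum < "$base/$frag" > "$fpdir/$frag.sum"
  done
}

# verify_ssh_port SSHD_CONFIG MASQ_SCRIPT PORT : the checks the how-to does by eye
verify_ssh_port() {
  cfg=$1 masq=$2 port=$3 rc=0
  grep -q "^Port[[:space:]][[:space:]]*$port\$" "$cfg" \
    || { echo "$cfg has no 'Port $port' line" >&2; rc=1; }
  grep -q "adjust_tcp_in[[:space:]][[:space:]]*$port[[:space:]][[:space:]]*ACCEPT" "$masq" \
    || { echo "$masq does not ACCEPT tcp/$port" >&2; rc=1; }
  [ "$port" = 22 ] || ! grep -q "adjust_tcp_in[[:space:]][[:space:]]*22[[:space:]][[:space:]]*ACCEPT" "$masq" \
    || echo "warning: $masq still accepts tcp/22" >&2
  return $rc
}

# check_fragment_drift BASE CUSTOM : status 1 if any base fragment that was
# overridden has changed or disappeared since it was staged (e.g. after an
# upgrade), meaning the override may now hide a fix shipped in the base.
check_fragment_drift() {
  base=$1 fpdir=${2%/}.fingerprints drift=0
  for rec in $(find "$fpdir" -name '*.sum' 2>/dev/null); do
    frag=${rec#$fpdir/}; frag=${frag%.sum}
    if [ ! -f "$base/$frag" ]; then
      echo "base fragment removed since staging: $frag"; drift=1
    elif [ "$(cksum < "$base/$frag")" != "$(cat "$rec")" ]; then
      echo "base fragment changed since staging, review your override: $frag"; drift=1
    fi
  done
  return $drift
}

# demo_port_change : build a constructed scratch tree standing in for
# /etc/e-smith, stage port 2222, verify, and print the scratch directory
demo_port_change() {
  t=$(mktemp -d)
  mkdir -p "$t/base/etc/ssh/sshd_config" "$t/base/etc/rc.d/init.d/masq"
  printf 'Port 22\n' > "$t/base/etc/ssh/sshd_config/10port"
  printf '    adjust_tcp_in 22 ACCEPT $NEW_InboundTCP\n' > "$t/base/etc/rc.d/init.d/masq/45AllowSSH"
  stage_ssh_port "$t/base" "$t/custom" 2222 || return 1
  # on the real server expand-template runs here; in this scratch tree the
  # staged fragments are the whole expanded output
  verify_ssh_port "$t/custom/etc/ssh/sshd_config/10port" \
                  "$t/custom/etc/rc.d/init.d/masq/45AllowSSH" 2222 || return 1
  echo "$t"
}

case ${1:-} in demo) demo_port_change ;; esac
```

Run `check_fragment_drift /etc/e-smith/templates /etc/e-smith/templates-custom` after every update; a non-zero status is the signal to diff the new base fragment against your override and re-stage.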

mbachmann

Is this how to limit remote ssh to a few IP addresses?
« Reply #7 on: November 15, 2004, 09:35:30 AM »
cc_skavenger, I added your work to the howto section. Feel free to edit.

http://no.longer.valid/phpwiki/index.php?pagename=Changing%20the%20default%20ssh%20port

cc_skavenger

Is this how to limit remote ssh to a few IP addresses?
« Reply #8 on: November 15, 2004, 04:47:08 PM »
Thanks mbachmann.  I will add that D. May's webconsole contrib will not work if the port is changed from 22.  I have not found anything else that has any trouble from the port change.

Marco

chris burnat (http://www.burnat.com)
Is this how to limit remote ssh to a few IP addresses?
« Reply #9 on: May 22, 2005, 02:06:11 AM »
Quote from: "cc_skavenger"
Changing the default ssh port

Copy the template fragment that specifies the ssh port number.
cp -rip /etc/e-smith/templates/ssh/sshd_config/10port /etc/e-smith/templates-custom/etc/ssh/sshd_config/

Just done the procedure on 6.01 and 6.5, working fine except that I had to change the first part of the cp command line to:
cp -rip /etc/e-smith/templates/etc/ssh/sshd_config/10port

If there is an error in cc_skavenger howto, it may need correcting in the wiki page also - same text as above.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

edform (http://www.workgroupsolutions.co.uk)
Re: Is this how to limit remote ssh to a few IP addresses?
« Reply #10 on: January 20, 2006, 05:37:24 AM »
Quote from: "RedBeard"
How do I limit remote access to the server via ssh?  My server is getting hit with a lot of attempts to log on via ssh.  I would like to limit ssh to 5 or 6 IP address ranges that I and a couple of other admins use.

Looking around at other examples, it looks like this might work.  As root, do the following?

# mkdir -p /etc/e-smith/templates-custom/etc/host.allow

# echo " sshd: 127.0.0.1 10.0.0.0/255.255.255.0 xxx.xxx.xxx.0/255.255.255.0 yyy.yyy.yyy.0/255.255.255.0 \
zzz.zzz.zzz.0/255.255.255.0" > /etc/e-smith/templates-custom/etc/host.allow/sshd

   [10.0.0.0 is the local network ip and the others are the ip ranges I want to accept login via ssh from]

# /sbin/e-smith/expand-template /etc/host.allow

Is this the proper way to do this?

Thanks
RedBeard


It might be if you change 'host.allow' to 'hosts.allow' in your code.

When I tried to use this approach, however, I ran into a problem - quite possibly of my own making. I used the line...

echo " sshd: 127.0.0.1 192.168.10.0/255.255.255.0 xxx.xxx.xxx.0/255.255.255.255">/etc/e-smith/templates-custom/etc/host.allow/sshd

Where xxx.xxx.xxx.xxx is a specific, single fixed IP address that I wish to allow access via ssh, and 255.255.255.255 is the netmask needed to specify a single address.

When I expanded the template the correct entry was made to /etc/hosts.allow, but all SSH entry is now blocked on the server.

What did I do wrong?

Ed Form

gordonr (http://www.smeserver.com.au/)
Don't change the ssh port - use SSH securely
« Reply #11 on: January 21, 2006, 02:21:58 PM »
Quote from: "cc_skavenger"
Changing the default ssh port

Follow these instructions to change the default ssh port from 22 to something else, such as 2222. This how-to only applies to versions 5.6 and newer.


No, please don't. Moving the SSH port provides only a minimal level of security through obscurity and I advise against it. The scanners will find an SSH daemon on another port.

Also any custom templates, such as created by these instructions, may not work on later releases as we rearrange the main templates. For a security service like ssh, it is possible that custom templates may expose security holes which are fixed in the base templates of a later release.

1) Use SSH keys - SSH dictionary probes happen *constantly*
2) Disable SSH password login
3) Disable SSH root login
4) Limit SSH to the hosts which need access. This will block other SSH access at the firewall.

See this thread for details (though it has been posted a few times before):

http://forums.contribs.org/index.php?topic=30346.0
............
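Points 1 to 3 above are sshd_config settings, and it is worth checking them mechanically rather than by reading the file, because sshd uses the first value it sees for a keyword (a "PasswordAuthentication no" added below an earlier "yes" does nothing) and because ChallengeResponseAuthentication must also be "no", otherwise keyboard-interactive authentication through PAM still lets a client type a password. The block below is an added example, not from the thread or from SME Server: an audit of a sshd_config against those points, with a constructed weak sample and the fragment that passes. Point 4 is a firewall and hosts.allow matter and is not covered here; Match blocks are skipped. On SME the passing settings go into a custom template fragment (with the caveat above about custom fragments), and newer OpenSSH releases can print the effective configuration with `sshd -T` for a definitive check.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only, no-root access.
# Not the project's own code.

# audit_sshd_config FILE : prints one line per finding; exit status 1 if any
audit_sshd_config() {
  awk '
    /^[ \t]*#/ { next }                          # comment
    NF == 0    { next }                          # blank
    tolower($1) == "match" { exit }              # conditional blocks: review separately
    { k = tolower($1); if (!(k in v)) v[k] = tolower($2) }   # sshd keeps the FIRST value
    END {
      n = 0
      if (v["passwordauthentication"] != "no")
        { print "PasswordAuthentication is not no: dictionary probes can still try passwords"; n++ }
      if (v["challengeresponseauthentication"] != "no" && v["kbdinteractiveauthentication"] != "no")
        { print "ChallengeResponseAuthentication is not no: keyboard-interactive still accepts passwords"; n++ }
      if (v["permitrootlogin"] != "no")
        { print "PermitRootLogin is not no"; n++ }
      if (v["pubkeyauthentication"] == "no")
        { print "PubkeyAuthentication is off, so keys cannot replace passwords"; n++ }
      if (("protocol" in v) && v["protocol"] ~ /1/)
        { print "Protocol still allows SSH-1"; n++ }
      exit (n > 0)
    }' "$1"
}

# sample_weak_config : constructed example of a default-looking sshd_config
sample_weak_config() {
  cat <<'EOF'
# constructed sample, not copied from any server
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
# too late: sshd already took the first PasswordAuthentication above
PasswordAuthentication no
EOF
}

# hardened_fragment : the settings that satisfy the audit
hardened_fragment() {
  cat <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# usage against a live file: audit_sshd_config /etc/ssh/sshd_config
```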

gordonr (http://www.smeserver.com.au/)
Is this how to limit remote ssh to a few IP addresses?
« Reply #12 on: January 21, 2006, 02:34:20 PM »
Quote from: "bigbri100"
That should work just fine.

When I learned of the new wave of attacks on my SSH server I switched to Public/Private Keys.  I just distribute the Private key to anyone who needs to access   my server.  Just a thought.

There should be one public key (and matching private key) per user needing access. By far the best option is to get them to create the key pairs and only send you the public half to add to authorized_keys2 file.

If that's not possible, generate a different key pair for each user and send them the private half. But that is far less secure unless you send the private half via a secure mechanism.

Also, each key should be protected with its own strong passphrase. That way if someone does get the private half, they still can't get in using just the private key.
............
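When each user sends you only the public half, the remaining job is installing it without mistakes. The block below is an added example, not from the thread or from SME Server: it appends one public key to an authorized_keys file, refuses anything that is not a single public key line (so a pasted private key is rejected rather than stored on the server), refuses duplicates, and ties the key to the hosts that person connects from with the standard OpenSSH `from=` option (host or address pattern with `*` wildcards, supported by all OpenSSH versions; CIDR in `from=` only in later ones). The key lines and host pattern in the usage are constructed placeholders. The second function lists keys that carry no `from=` restriction, which is the thing to look for when reviewing an existing file.

```shell
#!/bin/sh
# Added example: install a per-user public key with a host restriction.
# Not the project's own code.

# install_authorized_key FILE FROM_PATTERN < one-line-public-key
# (subshell body: the umask change stays local)
install_authorized_key() (
  file=$1 from=$2
  IFS= read -r line || { echo "no key on stdin" >&2; exit 1; }
  set -- $line
  case ${1:-} in
    ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
    *) echo "refusing: not a public key line (got '${1:-}')" >&2; exit 1 ;;
  esac
  case ${2:-} in
    AAAA*) ;;   # every SSH public key blob is base64 of a length-prefixed type string
    *) echo "refusing: key blob is not in SSH wire format" >&2; exit 1 ;;
  esac
  if [ -f "$file" ] && grep -qF -- "$1 $2" "$file"; then
    echo "refusing: this key is already in $file" >&2; exit 1
  fi
  umask 077   # a new file is created 0600
  printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s%s\n' \
    "$from" "$1" "$2" "${3:+ $3}" >> "$file"
)

# unrestricted_keys FILE : print line number and line of each key with no from=
unrestricted_keys() {
  awk '/^[ \t]*#/ { next } NF == 0 { next } !/from="/ { print NR": "$0 }' "$1"
}

# constructed usage: one key from alice, who connects from the 10.0.0.x LAN
# (the blob is a placeholder, not a real key)
AK=${AK:-$(mktemp -d)/authorized_keys2}
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedplaceholder alice@laptop' \
  | install_authorized_key "$AK" '10.0.0.*'
unrestricted_keys "$AK"
```

Used on a real server, FILE is the target user's ~/.ssh/authorized_keys2 (or authorized_keys on newer OpenSSH, which reads both by default), and FROM_PATTERN is the same set of admin networks that hosts.allow and the firewall admit.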