Koozali.org: home of the SME Server

Kobus
ssh root login from one ip but all other ips no root login
« on: January 09, 2008, 11:52:52 AM »
Hi everyone

Happy new year to all.

I need to harden my server security so I sit with the following problem:

I need to disable root login via ssh and only allow sudo or su. This I can do.

BUT

The problem I have is that if I do this, then a script I wrote that copies data between 2 servers will no longer work. Can I allow root login from just one IP address but deny all others, and if so, how?

Or is there a better way to do this?

Thanks in advance

Kobus
Kobus............

raem
Re: ssh root login from one ip but all other ips no root login
« Reply #1 on: January 09, 2008, 12:33:09 PM »
kbensch

Please learn to use search.

From an old forum post:

db configuration setprop sshd AllowHosts <list>
signal-event remoteaccess-update

where <list> is a comma separated list of IP addresses and/or netmasks (e.g. 16.17.18.19,203.14.64.0/24).

Ssh will then only be allowed from those IP addresses. The firewall code will drop ssh connections from any other hosts.


I have added this db command here:
http://wiki.contribs.org/DB_Variables_Configuration#SSH_.28sshd.29
« Last Edit: January 09, 2008, 12:47:37 PM by RayMitchell »
...
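An added example, not SME Server code: it models the AllowHosts list format described in the reply above (comma-separated IPv4 addresses and/or CIDR netmasks such as 16.17.18.19,203.14.64.0/24) so that a typo can be caught, and a given source address checked, before the value is applied and the firewall rules regenerated. The function names and the sample list are my own.

```python
"""Sanity-check a candidate sshd AllowHosts list before applying it with
`db configuration setprop sshd AllowHosts <list>`.

Added example only: it parses the list shape shown in the forum reply and
tells you which client addresses would still be allowed through the firewall.
"""
import ipaddress


def parse_allow_hosts(value):
    """Parse an AllowHosts string into a list of IPv4 networks.

    A bare address becomes a /32 network; a netmask entry is kept as given.
    Raises ValueError naming the offending entry so the caller can fix it
    instead of applying a list that silently excludes the intended host.
    """
    networks = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry in AllowHosts list")
        try:
            # strict=True rejects 203.14.64.5/24 (host bits set), which is
            # almost always a typo rather than an intended network
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            raise ValueError("bad AllowHosts entry %r: %s" % (entry, exc))
    return networks


def is_allowed(client_ip, networks):
    """Return True if client_ip falls inside any entry of the parsed list."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # constructed sample list, the same shape as the one in the reply
    allow = parse_allow_hosts("16.17.18.19,203.14.64.0/24")
    for ip in ("16.17.18.19", "203.14.64.77", "203.14.65.1"):
        print(ip, "allowed" if is_allowed(ip, allow) else "dropped by firewall")
```

Run it against the list you intend to set and confirm the address your copy script connects from is reported as allowed before you run signal-event remoteaccess-update.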

Kobus
Re: ssh root login from one ip but all other ips no root login
« Reply #2 on: January 09, 2008, 01:16:28 PM »
Thank you for the reply, but if I do this, will it still allow me to connect to the server using ssh as a normal user and then sudo or su to root?
Kobus............

raem
Re: ssh root login from one ip but all other ips no root login
« Reply #3 on: January 09, 2008, 02:37:24 PM »
kbensch

I assume you mean from the local network (including VPN connections); if so, then yes, local access is still allowed.

For external remote access, you will need to specify all remote host IPs that need to access ssh.
...

Kobus
Re: ssh root login from one ip but all other ips no root login
« Reply #4 on: January 09, 2008, 02:56:50 PM »
Thank you for the reply. You see I want to restrict root access to all users except from a specific IP but not ssh access.
Kobus............

CharlieBrady
Re: ssh root login from one ip but all other ips no root login
« Reply #5 on: January 09, 2008, 04:09:14 PM »
Thank you for the reply. You see I want to restrict root access to all users except from a specific IP but not ssh access.

ssh doesn't have configuration options to allow that.

You should just fix your script so that it can run correctly under sudo.

Kobus
Re: ssh root login from one ip but all other ips no root login
« Reply #6 on: January 09, 2008, 04:14:34 PM »
Ok, thanks for that. I will have to read up a bit on how to do that.
Kobus............