Re: Restricting ssh access to internet but not to internal network
* Patrick ([EMAIL PROTECTED]) [051127 01:06]:
> Thanks Steve. I've just tested your solution and it's working fine. I
> invoked a second instance of sshd using a different configuration file,
> i.e.
>
> sshd -f /etc/ssh/sshd_conf-internal
>
> which binds to port 22 and allows all users to log in. The (original)
> file /etc/ssh/sshd_conf binds to 1022, and is exposed to the public
> internet - but restricts access based on AllowGroup. The server has a
> single NIC - but, as you say, it's no problem using different ports.

If you want, you can direct incoming traffic from the external interface for tcp/22 to your daemon listening on 1022 with something like

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 22 \
        -j REDIRECT --to-ports 1022

Many people recommend not listening on port 22 for public interfaces though, and to instruct your users to use an alternate port (to avoid annoying dictionary attacks cluttering your logs). Personally I don't prefer to hide like that. You're probably better off restricting access to specific hosts (if feasible) and requiring key-based authentication.

good times,
Vineet
--
http://www.doorstop.net/
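As an added example (not from the thread), a small Python policy check for the two-daemon layout discussed above: it reads the two sshd_config files the way sshd does (the first value seen for a keyword wins) and flags what a reviewer would want caught, such as the LAN daemon binding every address, which then depends entirely on the firewall rule Steve mentions, or the public daemon still accepting passwords rather than keys. The addresses, group name and file contents are constructed; the check only reads config text and touches neither sshd nor iptables.

```python
import ipaddress

def parse_sshd_config(text):
    """Minimal sshd_config reader. Keywords are case-insensitive and, as in
    sshd_config(5), the first value seen for a keyword wins; ListenAddress
    may repeat and AllowGroups/AllowUsers carry lists, so those collect."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key in ("listenaddress", "allowgroups", "allowusers"):
            conf.setdefault(key, []).extend(val.split())
        else:
            conf.setdefault(key, val)
    return conf

def audit_split_daemons(internal_text, external_text):
    """Findings for the two-daemon layout from the thread: an unrestricted
    LAN daemon plus a group-restricted internet-facing one. [] means OK."""
    internal = parse_sshd_config(internal_text)
    external = parse_sshd_config(external_text)
    findings = []
    if internal.get("port", "22") == external.get("port", "22"):
        findings.append("both daemons use the same port")
    if not (external.get("allowgroups") or external.get("allowusers")):
        findings.append("public daemon has no AllowGroups/AllowUsers")
    if external.get("passwordauthentication", "yes").lower() != "no":
        findings.append("public daemon accepts passwords; require key-based auth")
    listen = internal.get("listenaddress", [])
    if not listen:
        findings.append("internal daemon binds all addresses; its port must be "
                        "firewalled from the outside")
    for addr in listen:                      # IPv4 host or host:port assumed
        host = addr.split(":")[0]
        if not ipaddress.ip_address(host).is_private:
            findings.append(f"internal daemon listens on public address {host}")
    return findings

# Constructed sample configs in the layout Patrick describes (internal on 22,
# public on 1022 with AllowGroups); the group name is an assumption.
INTERNAL_CONF = "Port 22\nListenAddress 192.168.1.10\nPasswordAuthentication yes\n"
EXTERNAL_CONF = ("Port 1022\nListenAddress 1.2.3.4\nAllowGroups remote-ssh\n"
                 "PasswordAuthentication no\n")
BAD_INTERNAL_CONF = "Port 22\n"   # no ListenAddress: binds every address

if __name__ == "__main__":
    print(audit_split_daemons(BAD_INTERNAL_CONF, EXTERNAL_CONF))
```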
Re: Restricting ssh access to internet but not to internal network
Thanks Steve. I've just tested your solution and it's working fine. I invoked a second instance of sshd using a different configuration file, i.e.

    sshd -f /etc/ssh/sshd_conf-internal

which binds to port 22 and allows all users to log in. The (original) file /etc/ssh/sshd_conf binds to 1022, and is exposed to the public internet - but restricts access based on AllowGroup. The server has a single NIC - but, as you say, it's no problem using different ports.

Thanks to the other authors who have replied.

Regards
Patrick Rynhart.

Steve Suehring wrote:
> I would likely restrict access to ssh from external, if at all possible.
> I realize that this isn't always possible but it should be possible to
> at least narrow down access to certain IP ranges.
>
> For this particular problem I'm assuming there are two NICs in the
> computer, one with an IP in private space and the other with a public
> address? One idea is to bind two SSH daemons, one for each NIC. Place
> no AllowGroups restriction on the internal SSH daemon. This means
> that all users can connect internally. On the SSH daemon bound
> externally place the AllowGroups restriction to restrict access to
> members of that group.
>
> If there's only one NIC in the computer then you could still use two SSH
> daemons, just bind them to different ports. The internal port might be
> the standard tcp/22 whereas externally you would bind tcp/ or
> something. Then firewall off the access to port 22 from externally so
> that the internal-use daemon can't be accessed.
>
> Hope that helps. I'm sure others will have ideas too.
>
> Steve
>
> On Thu, Nov 24, 2005 at 10:14:11PM -0800, Patrick wrote:
> > I have a server running sshd on Sarge. I want all users to be able to
> > access the computer from within the internal network - but restrict
> > access from the internet (to users in a particular group). Can this be
> > achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> > the AllowGroup (or AllowUsers) options in the sshd configuration file.
> >
> > If so, how ?

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Restricting ssh access to internet but not to internal network
On Thu, 24 Nov 2005, Patrick wrote:
> I have a server running sshd on Sarge. I want all users to be able to
> access the computer from within the internal network - but restrict
> access from the internet (to users in a particular group). Can this be
> achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> the AllowGroup (or AllowUsers) options in the sshd configuration file.

You are looking for pam_access.

    [EMAIL PROTECTED]:~$ grep -C3 access /etc/pam.d/ssh
    # Standard Un*x authentication.
    @include common-auth

    # do etc/security/access checks
    # weasel, Fri, 25 Feb 2005 12:05:42 +0100
    account required pam_access.so # [1]

    # Standard Un*x authorization.
    @include common-account

    [EMAIL PROTECTED]:~$ tail -n5 /etc/security/access.conf
    # weasel, Fri, 25 Feb 2005 12:06:57 +0100
    +:ALL:127.
    +:ALL:192.0.2.
    +:weasel:ALL
    -:ALL:ALL

HTH.
--
PGP signed and encrypted messages preferred.
http://www.palfrader.org/ | http://www.debian.org/
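As an added example (not part of the message above), a Python model of how pam_access walks the access.conf shown there: the first line whose users and origins fields both match decides, a trailing dot turns an origin token into a prefix match (192.0.2. matches 192.0.2.25 but not 192.0.20.9), and a bare users token is tried as a login name and then as a group. The GROUPS map stands in for /etc/group and is constructed; EXCEPT, tty and domain-name tokens, network/netmask forms and the DNS lookups pam_access performs for host names are left out.

```python
# Constructed stand-in for /etc/group; a bare users-field token is tried as a
# login name and then as a group name, which is pam_access's default behaviour.
GROUPS = {"admins": {"weasel", "alice"}}

def _user_matches(tok, user):
    tok = tok.strip("()")                   # the (group) form is also accepted
    return tok == "ALL" or tok == user or user in GROUPS.get(tok, set())

def _origin_matches(tok, origin):
    """Origin tokens from access.conf(5): ALL, LOCAL (an origin without a
    dot), a trailing-dot prefix such as 192.0.2., or an exact host/address."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        return "." not in origin
    if tok.endswith("."):                   # prefix: 192.0.2. but not 192.0.20.
        return origin.startswith(tok)
    return tok == origin                    # no trailing dot: exact match only

def pam_access_decision(conf_text, user, origin):
    """Walk access.conf top to bottom; the first line whose users and origins
    fields both match decides. Returns True (+), False (-) or None when no
    line matched, in which case pam_access grants access."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if any(_user_matches(u, user) for u in users.replace(",", " ").split()) and \
           any(_origin_matches(o, origin) for o in origins.replace(",", " ").split()):
            return perm == "+"
    return None

# The tail of access.conf shown in the message above.
ACCESS_CONF = """\
+:ALL:127.
+:ALL:192.0.2.
+:weasel:ALL
-:ALL:ALL
"""
# Same rules with the catch-all deny moved to the top: it now matches first,
# so even weasel from localhost is refused.
MISORDERED_CONF = "-:ALL:ALL\n" + ACCESS_CONF

if __name__ == "__main__":
    for user, origin in (("bob", "192.0.2.25"), ("bob", "192.0.20.9"),
                         ("bob", "203.0.113.7"), ("weasel", "203.0.113.7")):
        print(user, origin, pam_access_decision(ACCESS_CONF, user, origin))
```

Note that the origin compared is whatever sshd hands PAM as PAM_RHOST (an address, or a name when UseDNS resolves it), so address-prefix rules only work when sshd passes addresses.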
Re: Restricting ssh access to internet but not to internal network
Patrick wrote:
> I have a server running sshd on Sarge. I want all users to be able to
> access the computer from within the internal network - but restrict
> access from the internet (to users in a particular group). Can this be
> achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> the AllowGroup (or AllowUsers) options in the sshd configuration file.
>
> If so, how ?

Yes. To avoid errors, read the man pages first, but the files contain comments and examples. You may also be able to use iptables to restrict access to a few hosts or ranges, which makes life a bit safer.
Re: Restricting ssh access to internet but not to internal network
I would likely restrict access to ssh from external, if at all possible. I realize that this isn't always possible but it should be possible to at least narrow down access to certain IP ranges.

For this particular problem I'm assuming there are two NICs in the computer, one with an IP in private space and the other with a public address? One idea is to bind two SSH daemons, one for each NIC. Place no AllowGroups restriction on the internal SSH daemon. This means that all users can connect internally. On the SSH daemon bound externally place the AllowGroups restriction to restrict access to members of that group.

If there's only one NIC in the computer then you could still use two SSH daemons, just bind them to different ports. The internal port might be the standard tcp/22 whereas externally you would bind tcp/ or something. Then firewall off the access to port 22 from externally so that the internal-use daemon can't be accessed.

Hope that helps. I'm sure others will have ideas too.

Steve

On Thu, Nov 24, 2005 at 10:14:11PM -0800, Patrick wrote:
> I have a server running sshd on Sarge. I want all users to be able to
> access the computer from within the internal network - but restrict
> access from the internet (to users in a particular group). Can this be
> achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> the AllowGroup (or AllowUsers) options in the sshd configuration file.
>
> If so, how ?
Restricting ssh access to internet but not to internal network
I have a server running sshd on Sarge. I want all users to be able to access the computer from within the internal network - but restrict access from the internet (to users in a particular group). Can this be achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and the AllowGroup (or AllowUsers) options in the sshd configuration file.

If so, how ?