| View previous topic :: View next topic |
| Author |
Message |
sven
Apprentice
Joined: 19 Apr 2002
Posts: 274
|
 Posted: Fri Dec 10, 2004 11:08 am Post subject: Allow SSH only for some domains |
 |
|
Hi!
Let's say I there are some domains which point to the same server (same IP). On the server there's sshd running. Now I want to allow SSH only for people trying to connect to example1.com but not example2.com or example3.com. Something like the VirtualDomain settings from Apache where I can check the requested domain name.
Is that possible and how would I do that?
Thanks in advance! |
|
| Back to top |
|
 |
robet
l33t
Joined: 06 Sep 2004
Posts: 807
Location: Earth/NorthAmerica/USA/NY
|
|
| Back to top |
|
|
res0nat0r
n00b
Joined: 07 Jul 2003
Posts: 43
Location: Indiana
|
| Posted: Fri Dec 10, 2004 2:05 pm Post subject: |
|
|
do you mean that you want to block outbound ssh access to any hosts on the internet except for example1.com?
i am using iptables do do this.
| Code: |
# iptables -A OUTPUT -p tcp --dport 22 -d \! example1.com -j DROP
|
i am not sure if this is 100% correct, i dont have my linux box in front of me to test, but i use something similar in reverse for my box at home. i block all inbound access to my home pc's port 22 except for my works ip space which i allow.
something like:
| Code: |
# iptables -A INPUT -p tcp --dport 22 -s \! xx.0.0.0/8 --syn -j DROP
|
hope this gets you started.
Last edited by res0nat0r on Fri Dec 10, 2004 2:10 pm; edited 1 time in total |
|
| Back to top |
|
|
fleed
l33t
Joined: 28 Aug 2002
Posts: 756
Location: London
|
| Posted: Fri Dec 10, 2004 2:10 pm Post subject: Re: Allow SSH only for some domains |
|
|
| sven wrote: | Hi!
Let's say I there are some domains which point to the same server (same IP). On the server there's sshd running. Now I want to allow SSH only for people trying to connect to example1.com but not example2.com or example3.com. Something like the VirtualDomain settings from Apache where I can check the requested domain name.
Is that possible and how would I do that?
Thanks in advance! |
Just like with http+ssl (https) you cannot do it based on domain name only. You have to use something else: different ip or different port for different domains. ssh does not know what domain you're connecting to until the secure connection is done! |
|
| Back to top |
|
|
hoochiepapa
Tux's lil' helper
Joined: 02 Oct 2002
Posts: 105
|
| Posted: Fri Dec 10, 2004 4:02 pm Post subject: |
|
|
if you built openssh to use TCP wrappers;
if not sure run etcat -u openssh look for +tcpd
edit /etc/hosts.allow add something like
sshd: example1.com
and /etc/hosts.deny with
ALL:ALL |
|
| Back to top |
|
|
fleed
l33t
Joined: 28 Aug 2002
Posts: 756
Location: London
|
| Posted: Fri Dec 10, 2004 5:26 pm Post subject: |
|
|
| If example1.com and example2.com both point to the same ip address how is tcp wrappers going to be able to distinguish? |
|
| Back to top |
|
|
hoochiepapa
Tux's lil' helper
Joined: 02 Oct 2002
Posts: 105
|
| Posted: Sat Dec 11, 2004 12:38 am Post subject: |
|
|
| fleed wrote: | | If example1.com and example2.com both point to the same ip address how is tcp wrappers going to be able to distinguish? |
Good question.
Only way to find out is to try it.
I don't know of any way to restrict if both names point to a single IP. |
|
| Back to top |
|
|
Chris W
l33t
Joined: 25 Jun 2002
Posts: 972
Location: Brisbane, Australia
|
| Posted: Sat Dec 11, 2004 4:17 am Post subject: |
|
|
The only reason this sort of differentiation between virtual hosts is possible in HTTP is because the client sends the human-friendly host name with the request. Some old HTTP clients do not send the host name with the request and cannot fully use name-based virtual hosts as a result.
The ssh protocol and clients have no accommodation for such a host name transfer and, therefore, from the receiving end there's no way to know which DNS alias was used at the client end.
If you are hoping that this would afford some utility as a security measure then you'd be wasting your time. If I were a black-hat then I'd connect to your IP and forge the "correct" hostname anyway.
TCPWrappers can be used to control where connections are allowed from.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein |
|
| Back to top |
|
|
sven
Apprentice
Joined: 19 Apr 2002
Posts: 274
|
| Posted: Sun Dec 12, 2004 1:08 pm Post subject: |
|
|
| Chris W wrote: | The only reason this sort of differentiation between virtual hosts is possible in HTTP is because the client sends the human-friendly host name with the request. Some old HTTP clients do not send the host name with the request and cannot fully use name-based virtual hosts as a result.
The ssh protocol and clients have no accommodation for such a host name transfer and, therefore, from the receiving end there's no way to know which DNS alias was used at the client end. |
I thought so.
| Chris W wrote: | If you are hoping that this would afford some utility as a security measure then you'd be wasting your time. If I were a black-hat then I'd connect to your IP and forge the "correct" hostname anyway.
TCPWrappers can be used to control where connections are allowed from. |
Riiight, but I was just thinking about "security by obscurity". Let's say your domain "myleetdomain.com" is known to everyone but the domain "myserver4632.myisp.com" is only known to you, you would want to disable SSH for "myleetdomain.com" but keep it for the other domain. |
|
| Back to top |
|
|
|
Networking & Security
