allowing ssh users based on IP

wesw02 · Posted: Wed Aug 03, 2005 5:24 am Post subject: allowing ssh users based on IP

I have 2 servers on my lan, I'm setting up an RSA key so that i can cronjob my log files from server 1 to server 2 via scp, my goal with this project is to make the servers secure as possible; and for security reasons is it possible to have a user on server 2 that only accepts ssh connections from server 1, while accepting ssh connections for all other clients on a different user name? EX: the user 'log' only accepts connections from server1, but the user 'qwerty' accepts connections from all clients both via ssh. any ideas, sorry if it is confusing

Xaid · Posted: Wed Aug 03, 2005 5:31 am Post subject:

I think the easiest approach would be to make a firewall with iptables and only allow connections on the ssh port from the IPs that you want.
If this is wrong, then someone correct me.

wesw02 · Posted: Wed Aug 03, 2005 5:40 am Post subject:

thats how i figured i would have to go about this, i was just hoping to allow my admin user name from all connections and my log user name from only the one, but i can live with that appoarch, i'll probably just end up adding a 3rd server for VPN and put these servers on a DMZ and use my VPN to access them from my lan. (of course only allowing port 80 & 21 in to the DMZ from the wan), I hope that made sense, lol

Xaid · Posted: Wed Aug 03, 2005 6:03 am Post subject:

In my opinion, its not generally a good idea to allow the admin to login through SSH, so I disable it in my sshd.conf, this way, if someone tries to brute force their way in with the passwords, they'll need need two passwords to gain root instead of one (this is basically not always true since there could be an exploit in ssh that changes all that

).
You should look into port knocking as well, there is a port knocking daemon in portage that you can check out, its net-misc/knock.

good luck.

think4urs11 · Posted: Wed Aug 03, 2005 6:26 am Post subject:

are you searching for ...

rex123 · Apprentice Joined: 21 Apr 2004 Posts: 272

If you are using publickey authentication, without passphrases (so that it can be run via cron), and taking into account the fact that you say "my goal with this project is to make the servers secure as possible", you might want to restrict the commands that can be run as well. Look into man 8 sshd for details on how to do this using the authorized_keys(2) file.

wesw02 · Posted: Wed Aug 03, 2005 9:12 pm Post subject:

rex123 · Apprentice Joined: 21 Apr 2004 Posts: 272

wesw02 · Posted: Thu Aug 04, 2005 7:41 pm Post subject:

vaguy02 · Posted: Fri Aug 05, 2005 7:43 pm Post subject:

I allow root access through ssh. I prevent brute force attacks on root or any other account is after 3 failed attempts, my computer automatically bans the IP from the computer for 24 hours. It's much harder to accomplish than some of the other suggestions given, but I think it works well. Just a though.

wesw02 · Posted: Sun Aug 07, 2005 3:17 am Post subject:

vaguy02 · Posted: Sun Aug 07, 2005 4:03 pm Post subject:

No, It's actually a combination of snort, snortsam, base(used to be acid), and mysql. it was a pain to configure, but it works well once it does work.

wesw02 · Posted: Sun Aug 07, 2005 8:46 pm Post subject:

Sounds complex, but nice. I might have to give something like that a try

vaguy02 · Posted: Sun Aug 07, 2005 8:57 pm Post subject:

Yeah, I mean it took me about a week to get it all figured out. but it's nice now. anyways, if you run into problems or need help just message me or something and I will help you if I can.