This approach is useful if you want to allow only specific hosts on a network to connect to your SSH service without touching (or risking breaking) your iptables configuration. Instead you can use TCP wrappers, which sshd consults through libwrap when it is built with that support. I will create a rule that allows only hosts on my local subnet 192.168.1.0/24 and the remote host 193.180.177.13 to connect to my SSH service.

TCP wrappers evaluate the two control files in a fixed order. /etc/hosts.allow is read first, and access is granted on the first matching rule. If nothing matches there, /etc/hosts.deny is read, and access is denied on the first matching rule. If neither file has a matching rule, access is granted. That default is why an explicit deny rule is needed: without one, every host can connect to the SSH service.

Create this rule in /etc/hosts.deny:

    sshd: ALL

This denies all hosts access to the SSH service unless a rule in hosts.allow matches them first.

Next, create a rule in /etc/hosts.allow to allow only the specific hosts defined above:

    sshd: 192.168.1. 193.180.177.13

The trailing dot on 192.168.1. matters. In hosts_access(5) syntax a pattern that ends with a dot matches any address whose leading octets equal that prefix, so 192.168.1. covers 192.168.1.0/24 (the netmask form 192.168.1.0/255.255.255.0 is equivalent). Without the dot the pattern is compared as a literal string and matches no address at all. Client entries in the list are separated by spaces or commas.

Now only hosts from the 192.168.1.0/24 network and the host 193.180.177.13 can access the SSH service. All other hosts are disconnected before they even get to the login prompt and receive an error like this:

    ssh_exchange_identification: Connection closed by remote host

Two caveats. First, check that your sshd is actually linked against libwrap (ldd /usr/sbin/sshd | grep libwrap). Upstream OpenSSH removed TCP wrappers support in version 6.7, so on many current distributions these two files have no effect on sshd at all. Second, test rules before relying on them with tcpdmatch, for example tcpdmatch sshd 10.0.0.7, which reports which rule would match. TCP wrappers make their decision after the TCP connection has already been accepted, so they are a convenience layer, not a replacement for a host firewall.

Thanks to http://techgurulive.com/2009/02/10/how-to-use-tcp-wrappers-to-allow-only-specific-hosts-to-connect-to-ssh-service/
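As an added example (not part of the original post or of the tcp_wrappers package), the following POSIX shell script emulates the hosts_access(5) decision order described above against constructed copies of the two files, so the allow-first, deny-second, default-allow logic and the trailing-dot prefix rule can be checked without touching the live /etc files. It implements only ALL, exact addresses and trailing-dot prefixes; hostnames, netmask notation, EXCEPT and the other keywords are out of scope, and the real tool for the job is tcpdmatch(8). The file contents, service name and addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example: emulate the hosts_access(5) decision for one IPv4 client.
# Order: hosts.allow first (match => allow), then hosts.deny (match => deny),
# no match in either file => allow. Only ALL, exact addresses and trailing-dot
# prefixes ("192.168.1.") are implemented; hostnames, netmasks, EXCEPT and
# the other keywords are not. Use tcpdmatch(8) against a real system.

# pattern_matches PATTERN ADDR -> exit 0 if PATTERN matches ADDR
pattern_matches() {
    pat=$1; addr=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$addr" in "$pat"*) return 0 ;; esac ;;   # prefix match
        *)   [ "$pat" = "$addr" ] && return 0 ;;           # literal match
    esac
    return 1
}

# file_matches FILE SERVICE ADDR -> exit 0 if any "daemons : clients" rule matches
file_matches() {
    file=$1; svc=$2; addr=$3
    [ -r "$file" ] || return 1
    # drop comments and blank lines, then scan rules top to bottom
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | (
        while IFS=: read -r daemons clients; do
            for d in $(printf '%s\n' "$daemons" | tr ',' ' '); do
                [ "$d" = "$svc" ] || [ "$d" = ALL ] || continue
                for c in $(printf '%s\n' "$clients" | tr ',' ' '); do
                    pattern_matches "$c" "$addr" && exit 0
                done
            done
        done
        exit 1
    )
}

# hosts_access ALLOW_FILE DENY_FILE SERVICE ADDR -> prints allow|deny
hosts_access() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow    # nothing matched: TCP wrappers default is to allow
    fi
}

# Demo against constructed copies of the two files (not the live /etc files).
demo() {
    tmp=$(mktemp -d)
    printf 'sshd: ALL\n' > "$tmp/hosts.deny"
    printf 'sshd: 192.168.1. 193.180.177.13\n' > "$tmp/hosts.allow"
    for ip in 192.168.1.50 193.180.177.13 10.0.0.7 192.168.10.5; do
        printf '%-16s %s\n' "$ip" "$(hosts_access "$tmp/hosts.allow" "$tmp/hosts.deny" sshd "$ip")"
    done
    rm -rf "$tmp"
}

demo
```

The last address in the demo, 192.168.10.5, is there to show that the trailing-dot pattern is a prefix of whole octets: 192.168.1. does not match it, so it falls through to the deny rule. Point the same functions at a copy of hosts.allow written as sshd: 192.168.1 (no dot) and every address on the subnet is denied, which is the mistake the trailing dot guards against.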