Securing SSHD

Phantium (Verified User, joined Jul 8, 2004, Netherlands):
Hi,

Could someone tell me how I make my sshd so only my IP can connect?
I am using Fedora Core 5 but "AllowHosts" doesn't seem to work on my version.

Thanks in advance,
Phantium
 
Try ELS with APF :) It can block all the other IPs except yours.
 
Yeah, I did that already.

Had over 1000 ssh attempts so I used this temporarily till I figure out how to block it with ssh.
 
Not to start a flame war here but you could try changing the SSH port...

I have it set so that SSH for everyone except myself uses a specific port, and only from my IP can the default port be used. [I wouldn't have bothered, except that my ISP traffic-shapes and expects SSH to be on the default port, so when I use a different port to connect to the server via SSH here at home, I get a very slow connection... but anyhow, that's a different story hehe.]

You just need to configure APF appropriately [as I remember].

Regards
Nath.
 
I don't want to change the port, that's stupid.
Besides, if they want to get in they can port scan... :o
 
I don't want to change the port, that's stupid.

It's not stupid... plenty of people do it...

It was only a suggestion, as a lot of scripts target the default port [so changing it means they won't ever connect hehe ;)].

Besides, if they want to get in they can port scan...

Well, I wouldn't say "get in", but if you mean connect then yes, but not every script out there does it.

It's just a method, like disabling root login...

Nath.
 
It's all possible; however, I prefer just allowing my IP to connect to SSH rather than actually changing the port or turning off root login.
 
Yep yep :)

In essence... I've done the same thing, except that I've used the default port only for me to connect, and the alternative port for other users of the server...

Haven't read the thread entirely - http://www.directadmin.com/forum/showthread.php?t=11006&highlight=Securing+SSH - but it might be of interest to you.

I'll have a look at my APF config to see what I've done regarding only allowing your own IP to connect :)
 
Yeah, I've seen that thread already... not really useful to me, as I know how to set things up on SSH.

Wish you could still block all IPs but your own with SSH.
 
Quite right... I didn't notice any way to do it in just the SSHD config.

What I've done is remove port 22 from the "Common ingress (inbound) TCP ports" in APF config file, and at the bottom of the allow_hosts.rules file I've added my IP to allow only me to access all ports from my IP.

Hope that helps ya :)

Regards
Nath
 
I did that already before I even posted this topic. :P thanks anyway though, you're just trying to help. :)
 
hehe I try :D

I thought I'd best check that it does work, so I got a friend to try connecting on the default port - he gets a timeout, but when he changes it to the alternative port, it works fine :)

This means that if I got rid of the alt port, he wouldn't have been able to connect at all, whereas I have been able to connect to the default port all along.

I'm glad it works :)

So it's odd that if you've done what I wrote in the post above, it isn't stopping other people :S

Just a thought, but are you using the latest version of OpenSSH [or whatever SSH server you are running]?

nath.
 
No, it does stop other people.
I just prefer to do it through SSH as you can edit the config file in directadmin.
I'm not sure, I got version 1.73.
 
1.73?

The latest version of OpenSSH is 4.5p1 :D

If you are talking about OpenSSH then you may want to update it :)

But I see what you mean now [it's been a long day hehe]... you want to stop others and only allow your IP just using SSH, not using APF or anything else, right?

If so, then I'm not sure how you can go about that, but if you find a way, please post it, although I'd have thought stopping the connection coming in at the firewall would be the best way, but I'm only thinking out loud here :D

Regards
Nath.
 
The ListenAddress is what the sshd daemon itself will listen on, not which IPs it will allow to connect. If you set that to your IP you may lock yourself out of SSH, since it won't have any IP addresses to bind itself to on the remote server. I use hosts.allow and hosts.deny to do what you want to achieve, but you need to have xinetd running for it to process the rules. Just put
Code:
sshd: <your ip>
inside of hosts.allow and
Code:
sshd: ALL
inside of hosts.deny and everyone but your IP will be denied access to the sshd daemon. To be safe, add the two files into DirectAdmin's file editor, so if your IP changes in the future or you somehow get locked out by it, you can go into DirectAdmin's file editor and comment them out and connect again, since the changes take effect instantly without having to restart xinetd or anything.
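The post above relies on the TCP wrappers evaluation order: /etc/hosts.allow is consulted first and a match grants access, then /etc/hosts.deny is consulted and a match denies, and a client that matches neither file is allowed. The practical consequence is that an allow entry on its own does nothing; it is the "sshd: ALL" line in hosts.deny that actually shuts everyone else out. The following is an added example, not code from the thread or from tcp_wrappers itself: a small Python re-implementation of that lookup for the common pattern forms (ALL, an exact address, a trailing-dot prefix and net/mask), run against constructed copies of the two files with a placeholder address in place of "your ip". It is meant for reasoning about rule files offline; on the real host the equivalent check is `tcpdmatch sshd <client-ip>` from the tcp_wrappers package.

```python
import ipaddress

# Constructed sample rule files mirroring the post (203.0.113.7 stands in for "your ip").
HOSTS_ALLOW = "sshd: 203.0.113.7\n"
HOSTS_DENY = "sshd: ALL\n"


def parse_rules(text):
    """Parse hosts.allow/hosts.deny lines into (daemon_patterns, client_patterns) tuples.

    Comments and blank lines are skipped; any optional third field (shell command
    or option list) after the client list is ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":", 1)[0]
        rules.append((
            daemons.replace(",", " ").split(),
            clients.replace(",", " ").split(),
        ))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):  # prefix form, e.g. "192.168.1." matches 192.168.1.x
        return ip.startswith(pattern)
    return ip == pattern


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, ip) for c in clients))


def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """TCP wrappers decision: hosts.allow match grants, else hosts.deny match denies, else allow."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for client in ("203.0.113.7", "198.51.100.9"):
        print(client, "sshd allowed:", access_allowed("sshd", client))
    # Failure mode: with hosts.deny empty, the allow entry alone blocks nobody.
    print("198.51.100.9 with empty hosts.deny:", access_allowed("sshd", "198.51.100.9", HOSTS_ALLOW, ""))
    # The recovery the post describes: commenting out the deny line reopens access immediately.
    print("198.51.100.9 with deny commented:", access_allowed("sshd", "198.51.100.9", HOSTS_ALLOW, "#sshd: ALL\n"))
```

Two things worth checking in your own files with this: that hosts.deny really has the "sshd: ALL" (or "ALL: ALL") line, since an empty deny file leaves the daemon open to everyone, and that the deny rule names the daemon process name sshd is actually invoked as, because a deny entry for "sshd" does nothing for other wrapped services.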
 

/etc/hosts.allow and /etc/hosts.deny are the files Marshall is referring to, I believe :)

Just use nano [or vi or whatever you prefer] to edit them as Marshall mentions...

Always more than one way to achieve stuff - isn't Linux great hehe :D

Regards
Nath
 