Limiting SSH root logins to only “safe” networks in OpenSSH 4.x
We want to limit root SSH login to only a few networks that we consider “safe” (VPN, etc.) without imposing the same condition on other accounts.
In OpenSSH 5.x, we could use the match block. However, that is not an option in OpenSSH 4.x, which is what we are limited to in RHEL5.
I was thinking perhaps this could be done using PAM. Anyone have any idea?
After finding this Cyberciti.biz article, I started looking into pam_access. This is the solution I am settling on:
First, I created an access file in /etc/security/sshd.conf. I chose to do this instead of using the default /etc/security/access.conf because I wanted an access file dedicated to sshd. The file looks like this:

    # cat /etc/security/sshd.conf
    +:root:192.168.0.0/8
    -:root:ALL

See man access.conf for more information on syntax.
Then, I added the following line on top of the PAM stack in

    auth required pam_access.so accessfile=/etc/security/sshd.conf

The reason I used auth instead of account as done in the Cyberciti.biz article was because using the account type allowed users to verify the password and then get rejected. I'd rather not verify the password. Check out man pam.conf for more information.
This worked perfectly.
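To make the pam_access semantics behind the answer above concrete, here is a small model of how an access.conf-style file is evaluated. It is an added illustration, not code from the post or from Linux-PAM: it implements the documented rule that the first line whose user and origin fields both match decides, and that no matching line means access is granted. The rule file is a constructed copy of the one in the answer; group-name patterns are not modelled, and the CIDR form is assumed to be accepted as the post uses it. The lockout_check helper is the pre-deployment check a practitioner wants: run the new rules against the logins you depend on before installing the file.

```python
"""Model of how pam_access evaluates an access.conf-style file (added illustration)."""
import ipaddress

# Constructed copy of the rules from the answer above.
SSHD_ACCESS_CONF = """\
# access file dedicated to sshd
+:root:192.168.0.0/8
-:root:ALL
"""


def parse_access_conf(text):
    """Return a list of (allow, users_field, origins_field) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        rules.append((perm == "+", users, origins))
    return rules


def _origin_matches(pattern, origin):
    """One origin pattern against the connecting host (IP address or name)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # anything without a '.' (ttys, unqualified hosts)
        return "." not in origin
    if "/" in pattern:                # network in CIDR or network/netmask form
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:            # e.g. a hostname tested against a network pattern
            return False
    if pattern.startswith("."):       # ".example.org" matches any host in that domain
        return origin.endswith(pattern)
    return pattern == origin


def _user_matches(pattern, user):
    return pattern == "ALL" or pattern == user


def _field_matches(field, value, matches):
    """A space-separated list, optionally written as 'ALL EXCEPT item ...'."""
    items = field.split()
    if len(items) > 2 and items[0] == "ALL" and items[1] == "EXCEPT":
        return not any(matches(item, value) for item in items[2:])
    return any(matches(item, value) for item in items)


def access_allowed(rules, user, origin):
    """First matching line wins; no matching line means access is granted."""
    for allow, users, origins in rules:
        if _field_matches(users, user, _user_matches) and _field_matches(origins, origin, _origin_matches):
            return allow
    return True


def lockout_check(rules, admin_sessions):
    """Return the (user, origin) pairs in admin_sessions that the rules would reject.

    Run this over the logins you rely on before installing a new access file.
    """
    return [(u, o) for u, o in admin_sessions if not access_allowed(rules, u, o)]


if __name__ == "__main__":
    rules = parse_access_conf(SSHD_ACCESS_CONF)
    for user, origin in [("root", "192.168.10.20"), ("root", "203.0.113.7"),
                         ("alice", "203.0.113.7"), ("root", "192.0.2.9")]:
        print(f"{user}@{origin}: {'allow' if access_allowed(rules, user, origin) else 'deny'}")
    # Caveat shown by the last case: 192.168.0.0/8 is the whole 192.0.0.0/8 block,
    # so root from 192.0.2.9 is accepted; a /16 would cover only 192.168.x.x.
```

Because pam_access is stacked as an auth module here, this evaluation happens before any password is checked, which is the point the answer makes about preferring auth over account.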
Yes, pam_access will do that. Other possibilities include tcp wrappers (RHEL5 sshd supports them) and iptables.
No experience with RHEL and friends, but I’d probably try to use tcpwrappers first — I mean the

    ---8<--- hosts.deny ---8<---
    ALL: ALL
    ---8<--- hosts.allow ---8<---
    ALL: localhost, 10.y.z.

Notice the implied /24; I’m not sure about the syntax for CIDR-blocks. If you need it I can hunt it up. Try to avoid locking yourself out using these tricks.
PS: You have considered ARP spoofing, right?
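The hosts.allow / hosts.deny approach above has its own evaluation order, which is worth modelling before relying on it: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The following is an added illustration, not code from the answer or from the tcp_wrappers library. The files are constructed from the answer's snippet, with "10.1.2." standing in for its "10.y.z."; the client patterns modelled are ALL, a trailing-dot address prefix, a leading-dot domain suffix, "net/mask" or CIDR networks (assumption: the build accepts both forms), and exact host names or addresses. Hostname matching is simplified to a plain string comparison on the name the caller supplies.

```python
"""Model of tcp_wrappers access control (hosts.allow / hosts.deny), added illustration."""
import ipaddress

# Constructed from the answer above; "10.1.2." replaces the placeholder "10.y.z."
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "ALL: localhost, 10.1.2.\n"


def _client_matches(pattern, name, addr):
    """One client pattern against the connecting host's name and address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # address prefix: "10.1.2." is the implied 10.1.2.0/24
        return addr.startswith(pattern)
    if pattern.startswith("."):        # domain suffix: ".corp.example"
        return name.endswith(pattern)
    if "/" in pattern:                 # "10.1.0.0/255.255.0.0" or "10.1.0.0/16" (assumed accepted)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (name, addr)


def parse_hosts_file(text):
    """Return (daemon_list, client_list) pairs; any trailing option fields are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"bad rule: {raw!r}")
        daemons = fields[0].split()
        clients = fields[1].replace(",", " ").split()   # comma- or blank-separated
        rules.append((daemons, clients))
    return rules


def _any_rule_matches(rules, daemon, name, addr):
    for daemons, clients in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(_client_matches(c, name, addr) for c in clients):
            return True
    return False


def wrappers_allow(hosts_allow, hosts_deny, daemon, name, addr):
    """hosts.allow is consulted first, then hosts.deny; no match at all means allow."""
    if _any_rule_matches(hosts_allow, daemon, name, addr):
        return True
    if _any_rule_matches(hosts_deny, daemon, name, addr):
        return False
    return True


def wrappers_lockout_check(hosts_allow, hosts_deny, daemon, admin_clients):
    """(name, addr) pairs you depend on that the files would refuse for this daemon."""
    return [(n, a) for n, a in admin_clients
            if not wrappers_allow(hosts_allow, hosts_deny, daemon, n, a)]


if __name__ == "__main__":
    allow, deny = parse_hosts_file(HOSTS_ALLOW), parse_hosts_file(HOSTS_DENY)
    for name, addr in [("localhost", "127.0.0.1"), ("host1.corp.example", "10.1.2.55"),
                       ("host2.corp.example", "10.1.20.5")]:
        verdict = "allow" if wrappers_allow(allow, deny, "sshd", name, addr) else "deny"
        print(f"sshd from {name} ({addr}): {verdict}")
```

Note that unlike the pam_access rules in the accepted answer, a tcp_wrappers rule applies to every account, so it restricts where anyone can connect from rather than singling out root; the two mechanisms can be combined, with wrappers narrowing the network and pam_access narrowing the accounts.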