Limiting SSH root logins to only “safe” networks in OpenSSH 4.x

Posted on

Limiting SSH root logins to only “safe” networks in OpenSSH 4.x – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about linux, security, ssh, redhat, pam.

We want to limit root SSH login to only a few networks that we consider “safe” (VPN, etc.) without imposing the same condition on other accounts.

In OpenSSH 5.x, we could use the match block. However, that is not an option in OpenSSH 4.x which is what we are limited to in RHEL5.

I was thinking perhaps this could be done using PAM. Anyone have any idea?

Solution :

After finding this Cyberciti.biz article, I started looking into pam_access. This is the solution I am settling on:

First, I created an access file in /etc/security/sshd.conf. I chose doing this instead of using the default /etc/security/access.conf because I wanted an access file dedicated to sshd. The file looks like this:

# cat /etc/security/sshd.conf
+:root:192.168.0.0/8
-:root:ALL

Check out man access.conf for more information on syntax.

Then, I added the following line on top of the PAM stack in /etc/pam.d/sshd:

auth       required     pam_access.so accessfile=/etc/security/sshd.conf

The reason I used auth instead of account as done in the Cyberciti.biz article was because using account type allowed users to verify the password and then get rejected. I rather not verify the password. Check out man pam.conf for more information.

This worked perfectly.

Yes, pam_access will do that. Other possibilities include tcp wrappers (RHEL5 sshd supports them) and iptables.

No experience with RHEL and friends, but I’d probably try to use tcpwrappers first — I mean the /etc/hosts.allow and /etc/hosts.deny files:

---8<--- hosts.deny ---8<---     
ALL: ALL

and

---8<--- hosts.allow ---8<---
ALL: localhost, 10.y.z.

Notice the implied /24; I’m not sure about the syntax for CIDR-blocks. If you need it I can hunt it up. Try to avoid locking yourself out using these tricks.

PS: You have considered ARP spoofing, right?

Leave a Reply

Your email address will not be published.