[ubuntu] restrict ssh/scp access to specific ip addresses



boondocks
May 20th, 2008, 05:10 PM
I have a Ubuntu 8.04 desktop running at a remote location.
It is directly connected to an ADSL modem.

I have sudo access to this system.
I am able to access via ssh/scp too.

Now I want to limit ONLY the ssh/scp access to a few ip addresses.

In other words, keep everything else as-is ...
http, ftp, ... accessible by anyone
BUT
scp/scp ... accessible by 3 specific ip addresses only

How can I do this?

nunki
May 20th, 2008, 05:28 PM
> I have a Ubuntu 8.04 desktop running at a remote location.
> It is directly connected to an ADSL modem.
>
> I have sudo access to this system.
> I am able to access via ssh/scp too.
>
> Now I want to limit ONLY the ssh/scp access to a few ip addresses.
>
> In other words, keep everything else as-is ...
> http, ftp, ... accessible by anyone
> BUT
> scp/scp ... accessible by 3 specific ip addresses only
>
> How can I do this?

Probably easier to setup a firewall rule something like

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 --source [accepted ip address here] -j ACCEPT
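
An ACCEPT rule for port 22 only limits access if new connections from every other address are then dropped. The following is an added example, not part of the post above: it prints the full rule set in the same form as the rule shown. The function names and the documentation-range addresses are assumptions, and it assumes no earlier INPUT rule already accepts port 22.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules that accept NEW SSH
# connections from an allowlist and drop NEW SSH connections from anyone else.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one ACCEPT rule per allowed address, then one DROP for all other NEW
# connections to the SSH port. Prints nothing if any argument is invalid.
ssh_allowlist_rules() {
    port=22
    [ "$#" -gt 0 ] || { echo "refusing to emit DROP with an empty allowlist" >&2; return 1; }
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    done
    for addr in "$@"; do
        echo "iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport $port --source $addr -j ACCEPT"
    done
    # Matching only NEW leaves sessions that are already established untouched.
    echo "iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j DROP"
}

# Constructed sample allowlist (RFC 5737 documentation addresses).
ssh_allowlist_rules 203.0.113.5 198.51.100.20 192.0.2.77
```

Review the printed rules before running them with sudo, and keep an existing SSH session open while testing from an allowed address, since the machine is remote.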

boondocks
May 20th, 2008, 06:37 PM
Rather than make changes to iptables, is there some other ssh-specific way to do this?

brian_p
May 20th, 2008, 06:40 PM
> Now I want to limit ONLY the ssh/scp access to a few ip addresses.
>
> In other words, keep everything else as-is ...
> http, ftp, ... accessible by anyone
> BUT
> scp/scp ... accessible by 3 specific ip addresses only
>
> How can I do this?

The AllowUsers option for sshd_config is the easiest route if you know who the users are. Alternatively, there is the equally easy tcp_wrappers way (/etc/hosts.allow and /etc/hosts.deny).

Dr Small
May 20th, 2008, 07:45 PM
Why not add in your /etc/hosts.allow:

sshd: IPADDRESS, IPADDRESS

The Cog
May 20th, 2008, 08:29 PM
Something like this in /etc/ssh/sshd_config perhaps?


AllowUsers andy@192.168.1.*,1.2.3.4,5.6.7.8 billy@192.168.1.* charlie@192.168.1.*