How can I allow SSH password authentication from only certain IP addresses?

1

OK, I’m not entirely sure how useful this is, but since I know that I only want to give SSH access to my home box from one external box (with a fixed IP address), I might as well configure it to accept only connections from that machine.

It is my machine at work, which I trust to be parasite-free. I would never SSH in from just a random box – what use is a secure shell if you don’t trust the end-point you’re using? So anyway, I thought I’d make some nice shorewall rules. Accepting SSH connections only from one address and dropping requests from any other addresses doesn’t necessarily make things more secure, but at the very least it saves some log output.

Given the setup of the home network, it turned out that I in fact needed two rules (it took a few minutes before I got my head around that). The box that runs shorewall also acts as a wireless access point, using IP masquerading (set up through /etc/shorewall/masq) to share the wired connection. I already had these...

0 0
2

With the amount of SSH brute force attacks, securing SSH is more important than ever.

Here are a few methods you can consider to further harden your SSH installation.

Default Settings
First of all, we look at the default settings as these apply to many (most?) distributions.

Allows Legacy SSH protocol version 1 (has known security issues)
Allows direct access to root via password authentication
Uses low key strength to secure sessions
Allows SSH access to all users

Four minor items that should be changed at first boot of the server.

Harden SSH

Disable SSH Protocol 1
SSH has two protocols, 1 and 2. Protocol 1 has a number of known flaws and should no longer be used.
Disable Protocol 1 by editing /etc/ssh/sshd_config

Restrict Root Login
There are two options in restricting access to root logins. You can either disable root logins completely or you can force it to use SSH keys.

Setting the option to “no” disables...

0 0
3

The SSH connection to your server is one of the most important ways of accessing and managing your server; because of this, it is a target for any attacker that wants access to your server. Securing SSH is therefore very important. As I have already described in Secure servers ssh access, there are a couple of precautions you can take to prevent attackers from guessing your password.

Since, if nothing else, it’s quite annoying to have to type passwords all the time, you might have already considered creating SSH-keys, and configured SSH passwordless login with SSH-key for your server.

If the SSH-key is compromised

If your ssh-key fell into the wrong hands, anybody could access your server from anywhere on the internet. Restricting the ssh-key is one possibility to reduce the risk of an attacker hacking into your server by obtaining the ssh-key. Of course, if an ssh-key has been compromised, it should be removed from all affected systems and replaced by a new...

0 0
4

I get this error if I've been closing and restarting my SSH sessions in a short window of time, and it goes away after a while. I'm sure my password is correct. Each of my two clients' responses to the error doesn't give me a lot to go on for search engine troubleshooting.

Under mRemote on Windows 7, outside the main window a 2nd window is drawn which disappears immediately. The shell I opened (in a tab) will display only Using username "Bob". for a second or two before closing without notice.

Connectbot on Android is more specific. It connects to host and verifies. After the password prompt it tells me Authentication method 'password' failed.

What is happening...

0 0
5

Update: There is now an updated version of this guide for Ubuntu 12.04: Generate a ssh key and disable password authentication on the Ubuntu 12.04 (Precise Pangolin) server

1. Generate the ssh key pair on the desktop computer:
ssh-keygen

2. Copy the public key to the server:
scp ~/.ssh/id_rsa.pub user@10.10.10.1:

3. Connect to the server:
ssh user@10.10.10.1

4. Append the public key to authorized_keys and remove the uploaded copy:
cat id_rsa.pub >> ~/.ssh/authorized_keys
rm id_rsa.pub

5. Edit the ssh server configuration to make sure that public key authentication is enabled (it should be enabled by default):
sudo nano /etc/ssh/sshd_config

5.1 These entries must be set to yes:
RSAAuthentication yes
PubkeyAuthentication yes

6. Reload the configuration:
sudo /etc/init.d/ssh reload

7. Disconnect from the server:
exit

8. Try connecting without the need to give the password to...

0 0
6

Objective: Allow ssh root logins from a single IP address and disable root logins from other IP addresses.

To enable root logins via ssh, PermitRootLogin keyword has to be set to yes in the /etc/ssh/sshd_config (OpenSSH daemon configuration) file. To disable root logins, PermitRootLogin has to be set to no instead.

To allow only certain hosts or IP addresses to ssh as the root user, the Match keyword can be used. To allow ssh root logins from foo.example.com, use the following configuration.

Remember to append the Match rules at the end of the sshd_config file. You will need to restart the sshd daemon for the changes to take effect.

If you need to permit root logins from a few IP blocks, you can use the following syntax.

The above configuration will allow root logins from 192.168.10.10, 192.168.1.0/24 and 10.254.0.0/16.

If you want to permit a particular user to ssh from a certain IP address, you can use the following syntax.

The...

0 0
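The Match-based restriction described in post 6, extended to the password question in the title, as an added example that is not taken from any of the quoted posts. The address ranges are the ones post 6 names; the user alice and the host name client.example.com are hypothetical.

```conf
# /etc/ssh/sshd_config (fragment): added example, not from the quoted posts.

# Global defaults: apply to every connection that no Match block overrides.
PubkeyAuthentication yes
PasswordAuthentication no
# With UsePAM yes, keyboard-interactive can still prompt for a password,
# so switch it off as well (older releases name this option
# ChallengeResponseAuthentication).
KbdInteractiveAuthentication no
PermitRootLogin no

# Match blocks go last: every keyword after a Match line belongs to that
# block until the next Match line or the end of the file.

# A user who must always use keys, even from the trusted ranges.
# Listed first: when several Match blocks apply to one connection,
# the first value set for a keyword wins. "alice" is a hypothetical user.
Match User alice
    PasswordAuthentication no

# Password logins are accepted only from the trusted addresses.
Match Address 192.168.10.10,192.168.1.0/24,10.254.0.0/16
    PasswordAuthentication yes

# Root may log in only from the single fixed host. A connection from
# 192.168.10.10 matches this block and the one above, so root gets
# password authentication there and nowhere else.
Match Address 192.168.10.10
    PermitRootLogin yes

# Verify before reloading (run as root):
#   sshd -t
#   sshd -T -C user=root,host=client.example.com,addr=192.168.10.10 \
#     | grep -E 'passwordauthentication|permitrootlogin'
# Repeat the second command with an address outside the ranges;
# both keywords should then read "no".
```

Keep an existing session open while reloading sshd, so a mistake in a Match block does not lock you out.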
7

SSH is a great way to gain remote access to your computer. Similar to FTP, you can connect over SSH FTP to gain secure access to a file server with your favorite FTP client, quickly accessing remote files, or even mounting a network disk to your computer. But there’s more to SSH than remote file access. Logging in over SSH in Terminal (or using PuTTY on Windows) gives you remote shell access (after all, SSH is short for Secure SHell). It’s how I manage my media server from a distance.

When you open the ports on your router (port 22 to be exact) you can not only access your SSH server from within your local network, but...

0 0
8

SSH is a secure shell command line technology allowing a user to connect to a second computer and perform many tasks securely. I have written a post which is found here which tells you all about the SSH technology. In this post I am showing you how to connect to an SSH server in Windows and Linux operating systems using password authentication; if you are using public/private key authentication please read this post. I would recommend everyone to use public/private key authentication because it increases security dramatically: an SSH client can only connect to the server if they have the correct private key, and a private key can be encrypted using a password, increasing security even further.

SSH using Windows
SSH using Linux

SSH using Windows

To allow us to perform SSH communications we need to download an SSH client which allows us to transmit and understand responses. The software we are going to be using is called PuTTY, which can be found here, a...

0 0
9

"Secure Shell or SSH is both a computer program and an associated network protocol designed for logging into and executing commands on a networked computer." -WikiPedia-

An SSH server can be set up in various ways, but in this document I’ll describe how it can be configured to:

only support connections through the 2nd version of the SSH protocol (SSH-2)
use DSA keys for user authentication, without permitting authentication with passwords
allow only a specific group of users to connect


The SSH-2 protocol, apart from many other useful features, provides stronger security than SSH-1. It’s a bit more cpu hungry than the latter, but this should not be a problem. Using the above configuration, someone must be extremely lucky to manage to break into our system.

But, let me say a few words about how the authentication is done. The user creates a keypair, which consists of a private key, that can be protected with a passphrase, and a public key. The public key is...

0 0
10

Five Minutes to an Even More Secure SSH

This is a followup article to Five Minutes to a More Secure SSH. My impetus for writing the original was seeing too many clients' servers left in a default state where they are vulnerable to brute-force attacks. In it, I basically advocate three things:

Disabling password authentication
Disabling root login
Enabling key-based authentication

Those recommendations still hold true and I would encourage you to follow them. However, OpenSSH has many features and there is more you can do to secure your SSH servers, without resorting to external software.

Refresher and Important Notes: The main OpenSSH server configuration file is called sshd_config and will typically be in the /etc/ssh or /etc/sshd directories. Like all of the configuration files used by OpenSSH, it is in plain text and so can be edited with any text editor. After editing your sshd_config file, you will need to reload your SSH server's...

0 0