[SOLVED] Restrict SSH users based on user AND IP address?

Issues related to applications and software problems
fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

[SOLVED] Restrict SSH users based on user AND IP address?

Post by fla_panther » 2015/08/28 07:05:58

Hi all,

I must allow SSH because I'm building a headless server, but I want to restrict SSH to two accounts. One will be allowed to SSH in from anywhere, but the other is to only be allowed in from within my local private network (192.168.x.x or 10.x.x.x, etc.). I want to also restrict the second account to using a public key, but I'm not sure how to set that up for Windows/PuTTY yet, so I'll be researching that after this. For now I'm focusing on limiting per IP address.

I know I can set which accounts can log in via SSH by editing /etc/ssh/sshd_config, and I have done that.

This link has some interesting info: http://yurisk.info/2011/04/05/two-tips- ... any-linux/

According to that page on a Checkpoint device you can do this:

    AllowUsers admin@123.123.123.10 admin@10.88.88.* yurisk

If that'll work on CentOS then I think this might work for me:

    AllowUsers publicaccount myaccount@10.x.x.*

... but in order to test that I'd need to open the server up to the rest of the world and I'm not ready to do that, so if anyone has any experience please advise. If that won't work in CentOS then how would I do it? Some special iptables rules?

FWIW, in the comments section of that page editing the “~/.ssh/authorized_keys” file is also mentioned. I'm not sure if that's a better solution or not, but it seems like it would be more labor intensive. If I do end up giving a family member access via SSH I'd have to edit multiple files, whereas with /etc/ssh/sshd_config it would all be done in one file. Then again, if no users can edit other users' files then might ~/.ssh/authorized_keys be more secure?
Last edited by fla_panther on 2015/08/28 21:22:04, edited 1 time in total.
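To make the user@host matching concrete before opening the box to the internet, here is an added example (not code from the thread, and not OpenSSH's own source): an offline Python model of how sshd evaluates AllowUsers and DenyUsers tokens, together with a constructed sshd_config fragment for the requirement in the post (publicaccount from anywhere, myaccount only from private address space and only with a public key). The fragment, the account names and the source addresses are assumptions for illustration. The model assumes the host part of USER@HOST is compared against the client's IP address only (no reverse-DNS hostname matching) and does not model `!` negation.

```python
"""Offline model of sshd's AllowUsers / DenyUsers evaluation (added example,
not code from the forum thread or from OpenSSH itself).

Assumptions: the HOST part of USER@HOST is compared against the client's IP
address only (no reverse-DNS hostname matching); '!' negation is not modelled.
"""
import ipaddress
import re

# Constructed sshd_config fragment for the poster's requirement (an assumption
# for illustration, not taken from the thread): publicaccount may log in from
# anywhere, myaccount only from RFC 1918 space, and myaccount must present a key.
# Note the CIDR form: a literal token such as "10.x.x.*" never matches anything.
SSHD_CONFIG_FRAGMENT = """\
# Only these accounts can authenticate; everyone else is refused before auth.
AllowUsers publicaccount myaccount@10.0.0.0/8 myaccount@192.168.0.0/16
PasswordAuthentication yes

Match User myaccount
    PasswordAuthentication no
    AuthenticationMethods publickey
"""


def match_pattern(value: str, pattern: str) -> bool:
    """OpenSSH-style glob: '*' matches any run of characters, '?' exactly one.
    No character classes, and the comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def match_address(addr: str, entry: str) -> bool:
    """One entry of the HOST part. CIDR blocks and bare addresses are compared
    numerically; anything else is treated as a wildcard over the address text."""
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return match_pattern(addr, entry)
    return ipaddress.ip_address(addr) in network


def match_user(user: str, addr: str, pattern: str) -> bool:
    """Match one AllowUsers/DenyUsers token: USER or USER@HOST, where HOST may
    be a comma-separated pattern list."""
    user_pat, sep, host_pat = pattern.partition("@")
    if not match_pattern(user, user_pat):
        return False
    if not sep:  # bare USER token: any source address
        return True
    return any(match_address(addr, e) for e in host_pat.split(","))


def user_allowed(user, addr, allow_users=(), deny_users=()):
    """DenyUsers is checked first and always wins. Then, only if AllowUsers is
    non-empty, the (user, addr) pair must match at least one of its tokens."""
    if any(match_user(user, addr, p) for p in deny_users):
        return False
    if allow_users and not any(match_user(user, addr, p) for p in allow_users):
        return False
    return True


def parse_user_lists(config_text):
    """Collect AllowUsers/DenyUsers tokens from the global section of an
    sshd_config (repeated lines accumulate; Match blocks are not modelled)."""
    allow, deny = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "allowusers":
            allow.extend(rest.split())
        elif keyword == "denyusers":
            deny.extend(rest.split())
    return allow, deny


if __name__ == "__main__":
    # The thread's own test line, evaluated from the two source hosts it used.
    thread_allow = ["test1@192.168.0.*", "test2@192.168.0.100"]
    for user, addr in [("test1", "192.168.0.7"), ("test1", "192.168.0.100"),
                       ("test2", "192.168.0.7"), ("test2", "192.168.0.100")]:
        verdict = "allowed" if user_allowed(user, addr, thread_allow) else "refused"
        print(f"{user} from {addr}: {verdict}")
    # The constructed fragment for the real requirement.
    allow, deny = parse_user_lists(SSHD_CONFIG_FRAGMENT)
    for user, addr in [("publicaccount", "203.0.113.5"), ("myaccount", "10.200.3.4"),
                       ("myaccount", "203.0.113.5")]:
        verdict = "allowed" if user_allowed(user, addr, allow, deny) else "refused"
        print(f"{user} from {addr}: {verdict}")
```

On the server itself, check the edited file with `sshd -t` before restarting, then restart the service (`systemctl restart sshd` on CentOS 7, `service sshd restart` on CentOS 6), since sshd reads sshd_config only at startup. `sshd -T -C user=myaccount,addr=10.200.3.4` prints the effective settings for a Match block for that user and address, but an AllowUsers refusal is only visible in the auth log, where sshd records that the user from that address is "not allowed because not listed in AllowUsers".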

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Restrict SSH users based on user AND IP address?

Post by fla_panther » 2015/08/28 21:21:36

Okay, back at this again today. I set up two test accounts, as follows:

    AllowUsers test1@192.168.0.* test2@192.168.0.100

Based on that, test2 should only be able to log in from 192.168.0.100 and test1 should be able to log in from anywhere on my internal LAN; however, that did not work. I put 192.168.0.100 on my laptop and was able to log into the server using both test1 and test2, then went to my desktop, which was 192.168.0.7, and I was also able to log in with both test1 and test2. I'm going to continue researching; if anyone can shed some light on how to block based on user account AND source address, feel free.

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: Restrict SSH users based on user AND IP address?

Post by scottro » 2015/08/28 22:43:59

https://www.debian-administration.org/a ... ess_secure gives a method of specifying the users in the sshd_config and the hosts in the hosts.allow and hosts.deny files.
New users should check the FAQ and Read Me First pages

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Restrict SSH users based on user AND IP address?

Post by fla_panther » 2015/08/28 23:27:19

Thanks for the reply Scottro. Actually my last post was wrong - a moment ago it dawned on me I'd forgotten to restart the SSH process when I did my testing. I set everything back up, restarted the process, and indeed test2 was only able to log in from 192.168.0.100 and test1 was able to log in from anywhere on my internal LAN. So I think I have my solution. Cheers!

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: Restrict SSH users based on user AND IP address?

Post by scottro » 2015/08/28 23:34:24

Great. I'll mark it solved then.
