Deny some users ssh from external network
Gentlemen, help please. I read man sshd, but either I read it badly or it is not there.
The task is to prevent some users from logging in via ssh from a specific interface (from an external network, only from local subnets). What would be the best way to do this?
well, you can try fiddling with DenyUsers in sshd_config:
DenyUsers
This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. See PATTERNS in ssh_config(5) for more information on patterns.
You can try two ways: the first is using the hosts.allow/hosts.deny files, the second is using iptables.
In the hosts.allow file, you must specify what is allowed, for example:
sshd: xxxx/yyyy: allow
xxxx - ip
yyyy - mask
and in hosts.deny:
sshd: ALL: deny
Elementary Watson!
man sshd_config
for
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. '*' and '?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
i.e.
AllowUsers vasya petya [email protected]
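An added example, not part of the original answers: an sshd_config fragment that applies the USER@HOST form from the quoted man page to the question, plus a Match Address alternative that goes slightly beyond what the answers mention. The local subnets (192.168.* and 10.*) are assumed; vasya and petya are the user names from the answer above.

```conf
# sshd_config fragment (added example; the subnets below are assumed).
# Goal: petya may log in from anywhere, vasya only from local subnets.

# Option A: AllowUsers with USER@HOST patterns.
# Once AllowUsers is set, every account not listed is refused, so each
# user who needs SSH access must appear here.
# With UseDNS no, HOST is compared against the client's IP address.
AllowUsers petya vasya@192.168.* vasya@10.*

# Option B (use instead of A): keep the global policy unchanged and deny
# vasya only when the connection comes from outside the local subnets.
# "*" supplies the positive match; the negated CIDR entries exclude
# local clients from the block. Match blocks apply until the next Match
# or the end of the file, so place this after all global settings.
#Match Address *,!192.168.0.0/16,!10.0.0.0/8
#    DenyUsers vasya

# Check the syntax with "sshd -t" before reloading the daemon, and keep
# an existing session open while testing a new login.
```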