Category: System Operations
2014-11-17 14:40:51
The two important files are:
/etc/hosts.allow
/etc/hosts.deny
The first can contain entries of hosts which are allowed to connect, the second contains addresses which are blocked.
Assuming that you wish to allow the remote addresses 1.2.3.x and 192.168.0.x to connect, but nothing else, you would set up the files as follows. First, allow access by placing the following inside /etc/hosts.allow:
# /etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0
sshd: 192.168.0.0/255.255.255.0
Then disallow all further access by placing this in /etc/hosts.deny:
# /etc/hosts.deny
sshd: all
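To see how the two files interact, here is an added example (not from the original post) that evaluates the page's two entries the way hosts_access(5) does: a hosts.allow match grants, a hosts.deny match refuses, and anything matching neither is granted. The sample file contents are constructed from the entries above; the parser supports ALL, net/mask and CIDR patterns, trailing-dot prefixes and exact addresses, but not the EXCEPT operator or hostname patterns.

```python
import ipaddress

# Constructed sample files reproducing the two entries given in the text above.
HOSTS_ALLOW = """
# /etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0
sshd: 192.168.0.0/255.255.255.0
"""
HOSTS_DENY = """
# /etc/hosts.deny
sshd: all
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":", 1)[0]          # ignore any trailing ': spawn ...' option field
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern: ALL, net/mask (or CIDR), a trailing-dot prefix, or an exact address."""
    if pattern.upper() == "ALL":                 # keywords are compared case-insensitively
        return True
    if "/" in pattern:                           # '1.2.3.0/255.255.255.0' or '1.2.3.0/24'
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                    # e.g. '1.2.3.' matches the whole 1.2.3.x range
        return ip.startswith(pattern)
    return pattern == ip


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return (any(d == daemon or d.upper() == "ALL" for d in daemons)
            and any(client_matches(c, ip) for c in clients))


def is_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access(5) order: hosts.allow grants first, then hosts.deny refuses,
    and a client matching neither file is granted access (hence the 'sshd: all' deny line)."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return False
    return True
```

Note that sshd only consults these files when it is linked against libwrap; OpenSSH itself dropped tcp_wrappers support in 6.7, so on a newer host check `ldd "$(command -v sshd)" | grep libwrap` before relying on them, and otherwise use the packet filter or sshd's own Match blocks.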
Finally, you can look at the SSH configuration itself, which has several useful security options you can enable.
The ssh server is configured by the file /etc/ssh/sshd_config. If you wish you can restrict remote access to specific users.
For example to only allow "bob" and "chris" to login add the following:
AllowUsers bob chris
With this setting in place (after the server has been restarted with "/etc/init.d/ssh restart"), all other users will be unable to connect via SSH, even if they present the correct username and password.
You can also explicitly deny particular users:
DenyUsers badness paula
Probably the most important setting you can change in the sshd_config file is the following:
PermitRootLogin no
With this setting set to "no", remote root logins are denied.