OpenSSH's TCP Wrappers support lets you control which hosts may, and which may not, reach the server by editing /etc/hosts.allow and /etc/hosts.deny.
For example, to allow logins to this server only from the operations audit system (the bastion host):
1. Check whether OpenSSH was built with TCP Wrappers support
# ldd /usr/sbin/sshd |grep wrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x000000357f200000)
If a line is printed, sshd is linked against libwrap and TCP Wrappers is supported; if nothing is printed, it is not supported, and OpenSSH must be rebuilt with the --with-tcp-wrappers configure option.
2. Edit the configuration
Add the allow list:
# vim /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# IP address of the operations audit system (a '#' comment must start its own line)
sshd: 10.0.10.10
Deny every other address:
# vim /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
#
# ALL must be written in upper case
sshd: ALL
3. Test
From a host other than the operations audit system, an ssh login to this server (10.0.33.2) fails:
# ssh 10.0.33.2
ssh_exchange_identification: Connection closed by remote host
The secure log shows the refusal:
Aug 20 16:44:17 localhost sshd[28333]: refused connect from 10.0.10.12 (10.0.33.2)
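To see how tcpd evaluates the two files above (a hosts.allow match grants, otherwise a hosts.deny match refuses, otherwise access is granted), here is an added Python model of the hosts_access(5) lookup applied to this page's configuration. It is example code, not part of the original post or of tcp_wrappers itself, and it only covers ALL, exact IPs, trailing-dot prefixes and net/mask patterns (no hostnames, EXCEPT clauses or shell commands).

```python
import ipaddress

# Constructed copies of the two files from this write-up (10.0.10.10 is the bastion).
HOSTS_ALLOW = "# only the bastion may reach sshd\nsshd: 10.0.10.10\n"
HOSTS_DENY = "sshd: ALL\n"


def _rules(text):
    """Yield (daemon_tokens, client_tokens); '#' lines are skipped, '\\' joins lines."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":")[0]  # drop an optional shell-command field
        yield daemons.split(), clients.split()


def _client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, exact IP, 'a.b.c.' prefix, net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # leading-octets form, e.g. 10.0.10.
        return ip.startswith(pattern)
    if "/" in pattern:  # net/mask or CIDR; ipaddress accepts dotted masks too
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == ip


def _file_matches(text, daemon, ip):
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(_client_matches(c, ip) for c in clients)
               for daemons, clients in _rules(text))


def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: a hosts.allow match grants, else a hosts.deny match refuses,
    else access is granted, so a daemon listed in neither file is unprotected."""
    if _file_matches(allow_text, daemon, ip):
        return True
    return not _file_matches(deny_text, daemon, ip)


if __name__ == "__main__":
    for d, ip in [("sshd", "10.0.10.10"), ("sshd", "10.0.10.12"), ("vsftpd", "10.0.10.12")]:
        print(d, ip, "allowed" if access_allowed(d, ip) else "refused connect")
```

The third case shows why a deny line for sshd alone leaves any other wrapped service reachable from everywhere; `ALL: ALL` in hosts.deny closes that gap.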
Please credit when reposting: 爱开源 » Using TCP Wrappers to Control SSH Access