Limit ssh root access by IP


Method 1: Match Address block

 

/etc/ssh/sshd_config

# global config
PermitRootLogin no
PasswordAuthentication no
GSSAPIAuthentication no             # not required for this method

Match Address 192.168.123.*
    PermitRootLogin yes
    PasswordAuthentication yes

 * Effective only when neither "UsePAM yes" (with a PAM access policy) nor an "AllowUsers ???" directive gets in the way

 * PermitRootLogin no takes precedence over AllowUsers root: a global PermitRootLogin no refuses root even if root is listed in AllowUsers

Checking (from a host outside 192.168.123.*)

ssh root@datahunter.org

Permission denied (publickey).
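A second host is not needed to verify the Match block: sshd can print the configuration it would apply to a given client address with sshd -T -C. The script below is an added example, not code from this page; it writes a throw-away copy of the Method 1 config above with a generated host key (so sshd -T can load it as a non-root user without touching /etc/ssh) and reports the effective value of a keyword for a chosen client address. The 192.168.123.* network, the test addresses and the client.example host name are assumptions.

```shell
#!/bin/sh
# Added example: verify the Match Address rule with `sshd -T -C`, which prints
# the configuration sshd would actually use for a given client, after Match
# blocks have been applied.  The config below is a constructed copy of the
# page's Method 1 snippet; the network and test addresses are assumptions.
set -eu

# sshd normally lives in /usr/sbin, which is often missing from a non-root PATH.
find_sshd() {
    for p in sshd /usr/sbin/sshd /usr/local/sbin/sshd; do
        if command -v "$p" >/dev/null 2>&1; then
            command -v "$p"          # absolute path, which sshd expects
            return 0
        fi
    done
    return 1
}

# Write a throw-away sshd_config with its own host key so that `sshd -T`
# can load it without root and without reading /etc/ssh.
make_test_config() {
    dir=$(mktemp -d)
    ssh-keygen -q -N '' -t ed25519 -f "$dir/hostkey"
    cat >"$dir/sshd_config" <<EOF
HostKey $dir/hostkey
PermitRootLogin no
PasswordAuthentication no
GSSAPIAuthentication no

Match Address 192.168.123.*
    PermitRootLogin yes
    PasswordAuthentication yes
EOF
    echo "$dir/sshd_config"
}

# effective_setting CONFIG KEYWORD CLIENT_ADDR
# Prints the value sshd would apply for KEYWORD when root connects from
# CLIENT_ADDR.  sshd -T prints keywords in lower case, so compare that way.
effective_setting() {
    cfg=$1; key=$2; addr=$3
    sshd_bin=$(find_sshd) || { echo "sshd not found" >&2; return 2; }
    "$sshd_bin" -T -f "$cfg" -C "user=root,host=client.example,addr=$addr" |
        awk -v k="$key" 'tolower($1) == tolower(k) { print $2 }'
}

# Usage: compare an in-network and an out-of-network client
# cfg=$(make_test_config)
# effective_setting "$cfg" PermitRootLogin 192.168.123.7    # yes
# effective_setting "$cfg" PermitRootLogin 203.0.113.9      # no
```

Run the same two calls with PasswordAuthentication to confirm that the Match block re-enables passwords only for the internal network; anything else sshd -T prints is the merged global configuration, so the dump is also a quick way to spot a stray AllowUsers line.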

 


Method 2: AllowUsers patterns (user@host)

Either as a global pattern:

AllowUsers root@192.168.123.*

or scoped to root inside a Match block:

Match User root
    AllowUsers root@a.b.c.d

 * Once a global AllowUsers is present, only accounts matching one of its patterns can log in at all, so every other account that still needs access has to be listed as well

 


Method 3: UsePAM with pam_access

 * requires UsePAM yes in sshd_config, otherwise sshd never runs the PAM account stack

 

# Login access control table

/etc/security/access.conf

# permission : users : origins
+ : root : 127.0.0.1
+ : root : hosta hostb hostx
- : root : ALL
# All other users should be denied to get access from all sources.
- : ALL : ALL

Remark

# A trailing dot matches the whole 192.168.123.0/24 network;
# 192.168.123.0/24 and 192.168.123.0/255.255.255.0 are equivalent spellings
+ : root : 192.168.123.

/etc/pam.d/sshd

account  required     pam_access.so

Log of a failed login

Oct 18 22:24:17 sshgw sshd[28895]: fatal: Access denied for user root by PAM account configuration [preauth]

 * AllowUsers takes precedence over the PAM check: sshd evaluates AllowUsers as soon as it receives the username, while pam_access only runs in the PAM account stage after an authentication method has succeeded
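pam_access stops at the first line whose users and origins fields both match, and grants access when no line matches at all, which is why the table above ends with "- : ALL : ALL" and why the "+ : root : ..." lines must come before "- : root : ALL". The script below is an added example, not code from this page or from pam_access itself: it replays that first-match evaluation over a constructed copy of the table so a user/origin pair can be checked before the policy goes live. It handles the origin forms used on this page (ALL, an exact host or IP, a trailing-dot prefix such as 192.168.123., and a.b.c.d/n CIDR for IPv4); the host names and the 192.168.123. prefix line are assumptions, and EXCEPT lists, LOCAL, netgroups and IPv6 are not implemented.

```shell
#!/bin/sh
# Added example: replay pam_access's first-match evaluation over the page's
# access.conf table.  The table is a constructed copy of the one above; the
# host names and the 192.168.123. prefix rule are assumptions.  Supported
# origin forms: ALL, exact host/IP, trailing-dot prefix, IPv4 CIDR.
# Not implemented: EXCEPT, LOCAL, netgroups, IPv6.
set -eu

ACCESS_TABLE='
# permission : users : origins
+ : root : 127.0.0.1
+ : root : hosta hostb hostx
+ : root : 192.168.123.
- : root : ALL
# All other users should be denied access from all sources.
- : ALL : ALL
'

# ip4_to_int 192.168.123.5 -> 3232267013 (dotted quad to 32-bit integer)
ip4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# origin_matches PATTERN ORIGIN: does one token of the origins field match
# the client's origin (host name or IPv4 address)?
origin_matches() {
    pat=$1; origin=$2
    case "$pat" in
        ALL) return 0 ;;
        */*)                      # CIDR, e.g. 192.168.123.0/24 (IPv4 only)
            case "$origin" in *[!0-9.]*|'') return 1 ;; esac
            net=${pat%/*}; bits=${pat#*/}
            mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
            [ $(( $(ip4_to_int "$origin") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ] ;;
        *.)                       # trailing dot: prefix match, e.g. 192.168.123.
            case "$origin" in "$pat"*) return 0 ;; esac
            return 1 ;;
        *)  [ "$pat" = "$origin" ] ;;
    esac
}

# user_matches USERS_FIELD USER: ALL or a space-separated list of names
user_matches() {
    for u in $1; do
        if [ "$u" = ALL ] || [ "$u" = "$2" ]; then return 0; fi
    done
    return 1
}

# access_check USER ORIGIN [TABLE]
# Prints the verdict and the line it came from; returns 0 (allow) or 1 (deny).
# Like pam_access, the FIRST line whose users and origins both match decides,
# and a login matched by no line at all is allowed.
access_check() {
    user=$1; origin=$2; table=${3:-$ACCESS_TABLE}
    verdict=none; hit=
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
        perm=$(printf '%s' "${line%%:*}" | tr -d ' ')   # "+" or "-"
        rest=${line#*:}
        users=${rest%%:*}
        origins=${rest#*:}
        user_matches "$users" "$user" || continue
        for o in $origins; do
            if origin_matches "$o" "$origin"; then
                verdict=$perm; hit=$line
                break 2
            fi
        done
    done <<EOF
$table
EOF
    case "$verdict" in
        +) echo "ALLOW  $user@$origin  ($hit)"; return 0 ;;
        -) echo "DENY   $user@$origin  ($hit)"; return 1 ;;
        *) echo "ALLOW  $user@$origin  (no line matched: pam_access default)"; return 0 ;;
    esac
}

# Usage:
# access_check root 192.168.123.77    # ALLOW ... (+ : root : 192.168.123.)
# access_check root 203.0.113.5       # DENY  ... (- : root : ALL)
# access_check alice 192.168.123.77   # DENY  ... (- : ALL : ALL)
```

Passing a reordered table as the third argument shows the pitfall directly: with "- : root : ALL" moved above the "+" lines, root is denied even from 127.0.0.1, because the first matching line wins and later "+" lines are never reached.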

 


Summary

 

Checked in this order: PermitRootLogin no > AllowUsers root > pam_access (UsePAM). The first of the three that refuses root ends the attempt; a later check can never re-enable access that an earlier one has denied.