Environment:
SSH host: 192.168.2.128
Client: 192.168.2.129
Client: 192.168.2.130
IP restriction:
Restrict SSH logins to specified IP addresses.
1. Edit hosts.allow, the host allow file, and add the permitted addresses
[root@localhost ~]# vim /etc/hosts.allow
...
sshd:192.168.2.130:allow //add the single IP address that is allowed to connect
sshd:192.168.3.0/24:allow //allow any IP inside the 192.168.3.0/24 network to connect
2. Edit hosts.deny, the host deny file
[root@localhost ~]# vim /etc/hosts.deny
...
sshd:ALL //ALL here means every IP address not allowed by the file above is refused
When both files are configured, the rules in hosts.allow take precedence because that file is consulted first. With the two files set up as above, the server allows SSH logins only from 192.168.2.130 and from the 192.168.3.0/24 range; every other IP is refused.
3. Restart the ssh service
[root@localhost ~]# systemctl restart sshd
4. Test the ssh connection
[root@test2 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.129 netmask 255.255.255.0 broadcast 192.168.2.255
...
[root@test2 ~]# ssh root@192.168.2.128
ssh_exchange_identification: read: Connection reset by peer
[root@test2 ~]# ssh -v root@192.168.2.128
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.168.2.128 [192.168.2.128] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
ssh_exchange_identification: read: Connection reset by peer
User restriction
Restrict SSH logins for specified users.
1. Edit the /etc/ssh/sshd_config configuration file
Add DenyUsers / AllowUsers options like the ones below to refuse, or to allow only, the specified users over SSH, then restart the SSH service.
AllowUsers: allow one or more users to log in; everyone else is refused
AllowGroups: allow one or more groups to log in; everyone else is refused
DenyUsers: refuse one or more users; everyone else may log in
DenyGroups: refuse one or more groups; everyone else may log in
For example:
AllowUsers lisi test@192.168.2.130
//allow the user lisi from any network and the user test from 192.168.2.130 to log in over SSH; nobody else is allowed.
AllowUsers test@192.168.2.*
//allow the user test from the 192.168.2.0 network to log in over SSH.
DenyUsers zhangsan lisi
//refuse SSH logins for the users zhangsan and lisi.
[root@localhost ~]# vim /etc/ssh/sshd_config
...
AllowUsers root@192.168.2.129 //only allow the root user from 192.168.2.129 to log in
[root@localhost ~]# systemctl restart sshd
2. Test that only the root user from 192.168.2.129 can connect to the host over ssh
[root@test2 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.129 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::6625:cc22:2268:e1f prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:1a:8b:61 txqueuelen 1000 (Ethernet)
RX packets 5466745 bytes 2275431218 (2.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4420539 bytes 1082931575 (1.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@test2 ~]# ssh root@192.168.2.128
Last failed login: Thu Jun 18 16:23:30 CST 2020 from gateway on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Jun 18 16:23:21 2020 from 192.168.2.129
//login succeeded
--------------------------------------------------
[root@test3 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.130 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::2c27:a02c:731a:2219 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:53:71:a2 txqueuelen 1000 (Ethernet)
RX packets 140126 bytes 20349622 (19.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 31280 bytes 2739647 (2.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@test3 ~]# ssh root@192.168.2.128
root@192.168.2.128's password:
Permission denied, please try again.
//login failed
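The following is an added example, not part of the original post: a small evaluator for the two access controls above (the TCP-wrappers hosts.allow/hosts.deny lookup and sshd's DenyUsers/AllowUsers matching), loaded with the post's own rules as constructed data, so you can predict which client and user combination gets through before restarting sshd. The two mechanisms are evaluated separately, as the post tests each on its own; the rule sets and the function names are assumptions made for this example.

```python
import fnmatch
import ipaddress

# Constructed rule sets copied from the post's two configurations.
HOSTS_ALLOW = ["sshd:192.168.2.130:allow", "sshd:192.168.3.0/24:allow"]
HOSTS_DENY = ["sshd:ALL"]
DENY_USERS = ["zhangsan", "lisi"]
ALLOW_USERS = ["root@192.168.2.129"]

def client_matches(pattern, ip):
    """TCP-wrappers client patterns: ALL, an exact address, CIDR or net/mask, or a '192.168.2.' prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # ipaddress accepts both 192.168.3.0/24 and 192.168.3.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern

def wrappers_allow(ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY, daemon="sshd"):
    """hosts.allow is searched first, then hosts.deny; the first matching rule decides,
    and a client that matches neither file is allowed (the TCP-wrappers default)."""
    for lines, verdict in ((allow, True), (deny, False)):
        for line in lines:
            fields = [f.strip() for f in line.split(":")]
            daemons = [d.strip() for d in fields[0].split(",")]
            clients = [c.strip() for c in fields[1].split(",")]
            if daemon not in daemons and "ALL" not in daemons:
                continue
            if any(client_matches(c, ip) for c in clients):
                # an explicit ':allow' / ':deny' option overrides the file the rule lives in
                return fields[2] != "deny" if len(fields) > 2 else verdict
    return True

def sshd_allows(user, ip, deny_users=DENY_USERS, allow_users=ALLOW_USERS):
    """sshd evaluates DenyUsers before AllowUsers; a pattern is 'user' or 'user@host',
    where host is the client address when UseDNS is off, with * and ? wildcards."""
    def matches(pattern):
        u, _, h = pattern.partition("@")
        return fnmatch.fnmatchcase(user, u) and (not h or fnmatch.fnmatchcase(ip, h))
    if any(matches(p) for p in deny_users):
        return False
    return not allow_users or any(matches(p) for p in allow_users)
```

Negated (`!`) patterns and hostname matching are left out; pass the rule lists you are about to install to check a client before you lock yourself out.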