Can we add option for SSH to only allow local connections

I like the “also include IPs from my subnet” box in Webmin.
It should be included in all things, I think.
SSH server: it would be nice to see this.
Usermin: it would be nice to see this as well.
It’s always my aim to tighten security in case your router fails you somehow, especially when you are using bleeding-edge products to secure your network that may have unknown vulnerabilities because they are so hellbent on getting them to market. It’d be nice to have these types of protections for all things accessible as a kind of extra security.

I am not sure if this is correct but this is the line I was thinking of using in hopes of preventing remote access via SSH in the SSHD config file.
AllowUsers *@192.168.1.0/24
Don’t know how else to go about it really. Is there a way or method by which you can make it accessible only via your subnet? I haven’t familiarized myself with the SSHD config and what options are available or allowed.
Of course, UPnP is disabled on the router and the port is not open, but just for extra security I’d like to specify it somehow.

@Joe maybe you’d have a handle on this one?

# Disable all auth by default
PasswordAuthentication no
PubkeyAuthentication no

[.. then, at the end of the file ..]

# Allow auth from local network
Match Address  192.168.1.*
    PubkeyAuthentication yes
    # if you want, you can even restrict to a specified user
    AllowUsers stephan

Did a little reading on Stack Exchange… Looks like there is an option supposedly called “Match Address”. I am not so sure what the best route to take is; obviously you can add it to your firewall as well, like so.

iptables

sudo iptables -I INPUT -p tcp --dport 22 -s 192.168.0.0/16 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT

Please do not use DROP in iptables.

or

TCP wrapper

As outlined in the forum post, you can use TCP Wrapper. TCP Wrapper uses two files, /etc/hosts.allow and /etc/hosts.deny.

Edit /etc/hosts.allow and add your subnet

sshd : 192.168.0.

Edit /etc/hosts.deny, and deny all

ALL : ALL

SSH configuration

You can set several options in /etc/ssh/sshd_config. One is the listen address: you can set a listen address on your subnet, since a private IP address is not routable over the internet.

ListenAddress 192.168.0.10

You can also use AllowUsers:

AllowUsers you@192.168.0.0/16

Somewhat related, you can also change the port:

Port 1234
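To see what the Match Address and AllowUsers directives above actually do for a given client, the authoritative tool is OpenSSH's own test mode, `sshd -T -C addr=192.168.1.20,user=stephan`, which prints the effective configuration for that connection. The script below is an added example (not code from this thread or from OpenSSH) that mimics those two directives so the outcome can be reasoned about offline, using the quoted sshd_config snippet as constructed input. Assumptions: values in a matching Match block simply override the global values (OpenSSH's exact merge rules for list options are not reproduced), and the host part of a `USER@HOST` entry is matched against the client IP only, not its reverse DNS name.

```python
"""Simulate how sshd applies Match Address and AllowUsers to one connection."""
import fnmatch
import ipaddress

# Constructed sshd_config, mirroring the snippet quoted in the thread.
SAMPLE_SSHD_CONFIG = """\
# Disable all auth by default
PasswordAuthentication no
PubkeyAuthentication no

# Allow auth from local network
Match Address 192.168.1.*
    PubkeyAuthentication yes
    AllowUsers stephan
"""


def address_matches(pattern_list: str, addr: str) -> bool:
    """Match a comma-separated sshd address list against one client IP.

    Entries are CIDR (192.168.1.0/24) or wildcard (192.168.1.*), optionally
    negated with '!'.  As in OpenSSH's addr_match_list, a negated entry that
    matches rejects immediately; otherwise any positive match accepts.
    """
    ip = ipaddress.ip_address(addr)
    found = False
    for entry in pattern_list.split(","):
        entry = entry.strip()
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        try:
            hit = ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:  # not CIDR: fall back to wildcard string match
            hit = fnmatch.fnmatchcase(addr, entry)
        if hit and negated:
            return False
        found = found or hit
    return found


def parse_sshd_config(text: str):
    """Split config into global settings and (address-list, settings) Match blocks."""
    global_opts: dict = {}
    match_blocks: list = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit, _, arg = value.partition(" ")
            if crit.lower() != "address":
                raise ValueError(f"only Match Address is simulated, got {crit!r}")
            current = {}
            match_blocks.append((arg.strip(), current))
        else:
            current[key] = value
    return global_opts, match_blocks


def effective_config(text: str, client_addr: str) -> dict:
    """Settings as applied to a connection from client_addr (assumption: override, not merge)."""
    opts, blocks = parse_sshd_config(text)
    effective = dict(opts)
    for addr_list, block_opts in blocks:
        if address_matches(addr_list, client_addr):
            effective.update(block_opts)
    return effective


def user_allowed(effective: dict, user: str, client_addr: str) -> bool:
    """With AllowUsers set, the user must match some USER or USER@HOST entry."""
    allow = effective.get("allowusers")
    if allow is None:
        return True
    for entry in allow.split():
        name, _, host = entry.partition("@")
        if fnmatch.fnmatchcase(user, name) and (not host or address_matches(host, client_addr)):
            return True
    return False


def can_authenticate(text: str, user: str, client_addr: str) -> dict:
    """Which authentication methods remain for this user/address under the config."""
    eff = effective_config(text, client_addr)
    if not user_allowed(eff, user, client_addr):
        return {"allowed": False, "methods": []}
    methods = [m for m, key in (("publickey", "pubkeyauthentication"),
                                ("password", "passwordauthentication"))
               if eff.get(key, "yes").lower() == "yes"]
    return {"allowed": bool(methods), "methods": methods}


if __name__ == "__main__":
    for user, addr in (("stephan", "192.168.1.20"), ("root", "192.168.1.20"),
                       ("stephan", "203.0.113.7")):
        print(user, addr, can_authenticate(SAMPLE_SSHD_CONFIG, user, addr))
```

Run as-is, it shows the three outcomes the thread cares about: stephan from the LAN is left with public-key only, root from the LAN is refused by AllowUsers, and a client outside 192.168.1.0/24 has no authentication method at all. Note that with the global `PubkeyAuthentication no`, a remote client still reaches sshd and can see the banner; only the firewall or ListenAddress options keep the port itself unreachable.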

Alas, I’d like to see it integrated into Virtualmin and Cloudmin nevertheless: a simple box to tick that does the job.
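The TCP Wrapper variant from the post above is easy to get subtly wrong, so here is an added example (not code from this thread) that evaluates the two files exactly as hosts_access(5) describes: a match in /etc/hosts.allow grants access, otherwise a match in /etc/hosts.deny refuses it, otherwise access is granted. The file contents are constructed from the post; the supported client patterns (ALL, a dotted prefix such as `192.168.0.`, and `a.b.c.d/m` CIDR) are an assumption that covers what the post uses. Two things it makes visible: the prefix `192.168.0.` covers only 192.168.0.x, not the whole 192.168.0.0/16 that the iptables rule allows, and `ALL : ALL` in hosts.deny also refuses every other wrapped service. Whether sshd consults these files at all depends on the build; upstream OpenSSH dropped libwrap support in 6.7, so check `ldd "$(command -v sshd)" | grep libwrap` before relying on it.

```python
"""Evaluate TCP Wrapper (hosts.allow / hosts.deny) decisions for a daemon and client IP."""
import ipaddress

# Constructed contents of the two files, as written in the thread.
HOSTS_ALLOW = "sshd : 192.168.0.\n"
HOSTS_DENY = "ALL : ALL\n"


def client_matches(pattern: str, addr: str) -> bool:
    """ALL, CIDR network, trailing-dot prefix, or exact address (assumed subset of hosts_access)."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def daemon_matches(pattern: str, daemon: str) -> bool:
    """Daemon field: ALL or the process name (e.g. sshd)."""
    pattern = pattern.strip()
    return pattern == "ALL" or pattern == daemon


def file_matches(text: str, daemon: str, addr: str) -> bool:
    """True if any 'daemon_list : client_list' line in the file matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons, clients = fields[0], fields[1]
        if any(daemon_matches(d, daemon) for d in daemons.split(",")) and \
           any(client_matches(c, addr) for c in clients.split(",")):
            return True
    return False


def access_decision(daemon: str, addr: str,
                    hosts_allow: str = HOSTS_ALLOW, hosts_deny: str = HOSTS_DENY) -> str:
    """hosts_access(5) order: allow file first, then deny file, then default allow."""
    if file_matches(hosts_allow, daemon, addr):
        return "allow"
    if file_matches(hosts_deny, daemon, addr):
        return "deny"
    return "allow (no rule)"


if __name__ == "__main__":
    for daemon, addr in (("sshd", "192.168.0.42"), ("sshd", "192.168.1.42"),
                         ("sshd", "203.0.113.7"), ("vsftpd", "192.168.0.42")):
        print(daemon, addr, access_decision(daemon, addr))
```

Passing a different `hosts_allow` string (for example `sshd : 192.168.0.0/16`) shows how the CIDR form widens the match to the same range the iptables rule in the post accepts.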
