Environment:
SSH server: 192.168.2.128
Client: 192.168.2.129
Client: 192.168.2.130
IP restriction:
Restrict SSH logins to specified source IP addresses using TCP Wrappers (hosts.allow and hosts.deny).
1. Edit hosts.allow, the host allow file, and add the permitted addresses. Comments in both files start with #, so the explanatory notes are written that way here.
[root@localhost ~]# vim /etc/hosts.allow
...
# only this client may connect to sshd
sshd:192.168.2.130:allow
# also allow every address in the 192.168.3.0/24 network
sshd:192.168.3.0/24:allow
2. Edit hosts.deny, the host deny file
[root@localhost ~]# vim /etc/hosts.deny
...
# ALL: every client that did not match a rule in hosts.allow is refused
sshd:ALL
When both files are set, hosts.allow is consulted first: a connection that matches a rule in hosts.allow is granted, otherwise a connection that matches a rule in hosts.deny is refused, and a connection that matches neither file is granted (an empty hosts.deny therefore restricts nothing). With the two files above the server accepts SSH connections only from 192.168.2.130 and from the 192.168.3.0/24 network; every other source address is refused.

Two caveats. First, these rules only take effect if sshd was built with libwrap. Upstream OpenSSH removed tcp_wrappers support in 6.7; the OpenSSH_7.4p1 on the CentOS 7 host used here still carries it as a distribution patch, but RHEL/CentOS 8 removed tcp_wrappers altogether. Check with `ldd $(which sshd) | grep libwrap`; if nothing is printed, hosts.allow and hosts.deny are ignored and a host firewall rule (firewalld/iptables) is the right tool. Second, the `192.168.3.0/24` prefix form is accepted by the tcp_wrappers shipped in RHEL/CentOS but not by every build; the form documented in the original hosts_access(5) is `192.168.3.0/255.255.255.0`, which works everywhere. A rule set can be checked on the server without connecting: `tcpdmatch sshd 192.168.2.129` prints the rule that matched and whether access is granted.
3. Restart the SSH service (optional: libwrap re-reads hosts.allow and hosts.deny on every connection, so the new rules already apply; the restart does no harm)
[root@localhost ~]# systemctl restart sshd
4. Test the SSH connection from the client that is not on the allow list
[root@test2 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.129  netmask 255.255.255.0  broadcast 192.168.2.255
        ...
[root@test2 ~]# ssh root@192.168.2.128
ssh_exchange_identification: read: Connection reset by peer
[root@test2 ~]# ssh -v root@192.168.2.128
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.168.2.128 [192.168.2.128] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
ssh_exchange_identification: read: Connection reset by peer

The TCP connection is established and then reset before the server ever sends its own version banner: sshd accepted the connection, asked libwrap, and closed it. That is the signature of a TCP Wrappers refusal, as opposed to an authentication failure; on the server, /var/log/secure records a `refused connect from ...` line for the client.
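To see how the two files interact without a second machine, here is an added example (not from the original tutorial and not libwrap code) that re-implements the hosts_access(5) decision in Python for the subset of syntax used above: daemon lists, ALL, single addresses, net/mask or net/prefixlen networks, a trailing-dot prefix such as `192.168.`, and the `:allow` / `:deny` option. The file contents are the tutorial's rules embedded as constructed strings; the function and file names are the model's, not the library's, and EXCEPT lists and host-name patterns are not modelled.

```python
"""Offline model of TCP Wrappers (hosts_access(5)) decisions for sshd.

Added example; not part of the original tutorial and not the libwrap
source. It re-implements the matching order so the allow/deny precedence
can be exercised offline. EXCEPT lists and host names are not modelled.
"""
import ipaddress
import re

# The two files from the tutorial, as constructed sample input.
HOSTS_ALLOW = """
sshd:192.168.2.130:allow
sshd:192.168.3.0/24:allow
"""
HOSTS_DENY = """
sshd:ALL
"""


def parse_rules(text):
    """Return [(daemons, clients, option)] for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = re.split(r"[\s,]+", fields[0])
        clients = re.split(r"[\s,]+", fields[1]) if len(fields) > 1 and fields[1] else []
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, client_ip):
    """One client pattern against one IPv4/IPv6 address string."""
    ip = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "192.168." style prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                        # net/mask or net/prefixlen
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def first_match(rules, daemon, client_ip):
    """Option of the first rule matching both daemon and client, else None."""
    for daemons, clients, option in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, client_ip) for c in clients):
                return option or "match"
    return None


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if libwrap would grant the connection.

    hosts_access(5) order: the first match in hosts.allow grants (unless
    the rule carries :deny); otherwise the first match in hosts.deny
    refuses (unless it carries :allow); no match anywhere grants.
    """
    verdict = first_match(parse_rules(allow_text), daemon, client_ip)
    if verdict is not None:
        return verdict != "deny"
    verdict = first_match(parse_rules(deny_text), daemon, client_ip)
    if verdict is not None:
        return verdict == "allow"
    return True


if __name__ == "__main__":
    for client in ("192.168.2.130", "192.168.2.129", "192.168.3.77", "10.0.0.1"):
        state = "granted" if hosts_access("sshd", client) else "refused"
        print(f"sshd from {client}: {state}")
```

Running it shows 192.168.2.130 and the 192.168.3.0/24 host granted and the other two refused, while a daemon that hosts.deny does not name (say vsftpd) stays reachable from everywhere. On the real server, `tcpdmatch sshd 192.168.2.129` gives the authoritative answer for the files actually installed, including the rule line it matched.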
User restriction
Restrict which users may log in over SSH.
1. Edit the /etc/ssh/sshd_config configuration file
Add DenyUsers / AllowUsers (or DenyGroups / AllowGroups) entries to refuse, or to allow only, the listed users, then restart the SSH service. The four directives:
AllowUsers: only the listed users can log in; everyone else is refused
AllowGroups: only members of the listed groups can log in; everyone else is refused
DenyUsers: the listed users are refused; everyone else can log in
DenyGroups: members of the listed groups are refused; everyone else can log in
sshd evaluates them in a fixed order, DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a user named in both DenyUsers and AllowUsers is refused, and as soon as one AllowUsers line exists every account not listed on it (including root from any other address) is locked out. Each entry is a user name or USER@HOST, where HOST is matched against the client's address or host name and `*` and `?` wildcards are allowed. Before restarting, run `sshd -t` to check the file for syntax errors, and keep the current session open until a fresh login succeeds, since a typo in your own entry locks you out.
For example:
AllowUsers lisi test@192.168.2.130
// allow user lisi from any address and user test only from 192.168.2.130; nobody else may log in over SSH
AllowUsers test@192.168.2.*
// allow user test from the 192.168.2.0/24 network only
DenyUsers zhangsan lisi
// refuse SSH logins by zhangsan and lisi
[root@localhost ~]# vim /etc/ssh/sshd_config
...
# only root connecting from 192.168.2.129 may log in
AllowUsers root@192.168.2.129
[root@localhost ~]# systemctl restart sshd
2. Test that only root from 192.168.2.129 can connect to the host over SSH
[root@test2 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.129  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::6625:cc22:2268:e1f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:1a:8b:61  txqueuelen 1000  (Ethernet)
        RX packets 5466745  bytes 2275431218 (2.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4420539  bytes 1082931575 (1.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@test2 ~]# ssh root@192.168.2.128
Last failed login: Thu Jun 18 16:23:30 CST 2020 from gateway on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Jun 18 16:23:21 2020 from 192.168.2.129
// login succeeds
--------------------------------------------------
[root@test3 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.130  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::2c27:a02c:731a:2219  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:53:71:a2  txqueuelen 1000  (Ethernet)
        RX packets 140126  bytes 20349622 (19.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31280  bytes 2739647 (2.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@test3 ~]# ssh root@192.168.2.128
root@192.168.2.128's password:
Permission denied, please try again.
// login refused

Note the difference from the TCP Wrappers test: the refused client still gets a password prompt, because AllowUsers is checked during authentication rather than at connect time, and it learns only that permission was denied. The server side is explicit: /var/log/secure records `User root from 192.168.2.130 not allowed because not listed in AllowUsers`. On a production host the usual pairing is `PermitRootLogin no` plus an AllowUsers list of named accounts, rather than allowing root from a fixed address.
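The processing order described above is easy to get wrong, so here is an added example (not from the original tutorial and not OpenSSH code) that models sshd's DenyUsers / AllowUsers / DenyGroups / AllowGroups evaluation in Python. The sshd_config fragment is constructed by combining the tutorial's examples so that lisi appears in both lists; HOST is matched against the client address only (sshd also tries the host name and CIDR masks), and the user's group list is passed in by the caller instead of being read from /etc/group. Function names are the model's own.

```python
"""Offline model of sshd's AllowUsers/DenyUsers/AllowGroups/DenyGroups checks.

Added example; not part of the original tutorial and not OpenSSH code.
sshd_config(5): directives are processed in the order DenyUsers,
AllowUsers, DenyGroups, AllowGroups; an entry is USER or USER@HOST with
'*' and '?' wildcards. HOST is matched against the address only here.
"""
import fnmatch

# Constructed sshd_config fragment combining the tutorial's examples so the
# processing order is visible: lisi is in both lists.
SSHD_CONFIG = """
AllowUsers root@192.168.2.129 lisi test@192.168.2.*
DenyUsers zhangsan lisi
"""

DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_sshd_config(text):
    """Collect the four list directives; repeated lines accumulate, as in sshd."""
    cfg = {name: [] for name in DIRECTIVES}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if key in cfg:
            cfg[key].extend(rest.split())
    return cfg


def match_user(user, addr, pattern):
    """USER or USER@HOST pattern; fnmatchcase supplies the * and ? wildcards."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(addr, hpat)
    return fnmatch.fnmatchcase(user, pattern)


def match_groups(groups, patterns):
    """True if any of the user's groups matches any group pattern."""
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def allowed_user(cfg, user, addr, groups=()):
    """Return (allowed, reason), mirroring the order given in sshd_config(5)."""
    if any(match_user(user, addr, p) for p in cfg["DenyUsers"]):
        return False, "listed in DenyUsers"
    if cfg["AllowUsers"] and not any(match_user(user, addr, p) for p in cfg["AllowUsers"]):
        return False, "not listed in AllowUsers"
    if match_groups(groups, cfg["DenyGroups"]):
        return False, "group listed in DenyGroups"
    if cfg["AllowGroups"] and not match_groups(groups, cfg["AllowGroups"]):
        return False, "no group listed in AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    cfg = parse_sshd_config(SSHD_CONFIG)
    for user, addr in (("root", "192.168.2.129"), ("root", "192.168.2.130"),
                       ("lisi", "192.168.2.129"), ("test", "192.168.2.77"),
                       ("test", "192.168.3.5"), ("zhangsan", "192.168.2.129")):
        print(f"{user}@{addr}: {allowed_user(cfg, user, addr)}")
```

The run reproduces the tutorial's result (root allowed from 192.168.2.129, refused from 192.168.2.130) and adds the two cases worth remembering: lisi is refused even though AllowUsers names him, because DenyUsers is processed first, and test is refused from 192.168.3.5 because the `192.168.2.*` pattern does not match. The real check is `sshd -t` on the server followed by a login attempt from each client.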