Restricting SSH Login to Specified Users or IP Addresses on Linux (Access Control)

Environment:

SSH host: 192.168.2.128

Client: 192.168.2.129

Client: 192.168.2.130

IP restriction:

Restrict SSH logins to specified IP addresses.

1. Edit hosts.allow (the host allow list) and add the permitted addresses

[root@localhost ~]# vim /etc/hosts.allow
...
sshd:192.168.2.130:allow       # only this IP address may connect
sshd:192.168.3.0/24:allow      # allow every IP in the 192.168.3.0/24 network

2. Edit hosts.deny (the host deny list)

[root@localhost ~]# vim /etc/hosts.deny
...
sshd:ALL       # ALL means every IP address not permitted in hosts.allow is rejected

When both files are set, hosts.allow is consulted first, so its rules take precedence over hosts.deny. With the two files configured as above, the server accepts SSH logins only from 192.168.2.130 and from the 192.168.3.0/24 range; every other IP is refused. Note that this mechanism (TCP wrappers, libwrap) only works if sshd was built with it: upstream OpenSSH dropped libwrap support in 6.7, CentOS 7 (OpenSSH 7.4p1, as in the test below) still carries a distribution patch, and many newer distributions do not ship it at all, so check with `ldd /usr/sbin/sshd | grep libwrap` before relying on it.

3. Restart the ssh service

[root@localhost ~]# systemctl restart sshd

4. Test the ssh connection (from 192.168.2.129, which is not in hosts.allow)

[root@test2 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.129  netmask 255.255.255.0  broadcast 192.168.2.255
...

[root@test2 ~]# ssh root@192.168.2.128
ssh_exchange_identification: read: Connection reset by peer

[root@test2 ~]# ssh -v root@192.168.2.128
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.168.2.128 [192.168.2.128] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
ssh_exchange_identification: read: Connection reset by peer

User restriction

Restrict a specified user from logging in via SSH.

1. Edit the /etc/ssh/sshd_config configuration file

Add DenyUsers and AllowUsers options like the ones below to deny, or to permit only, the specified users via SSH, then restart the SSH service. Validate the file with `sshd -t` before restarting and keep your current session open until a second login succeeds, because a typo in AllowUsers locks everyone else out. sshd evaluates these options in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups.

AllowUsers: permits the listed user or users to log in; nobody else can
AllowGroups: permits the listed group or groups to log in; nobody else can
DenyUsers: denies the listed user or users; everyone else can log in
DenyGroups: denies the listed group or groups; everyone else can log in

For example:
AllowUsers lisi test@192.168.2.130
// user lisi from any address and user test from 192.168.2.130 may log in via SSH; nobody else may.

AllowUsers test@192.168.2.*
// user test from the 192.168.2.0 network may log in via SSH.

DenyUsers zhangsan lisi
// users zhangsan and lisi may not log in via SSH.

[root@localhost ~]# vim /etc/ssh/sshd_config
...
AllowUsers root@192.168.2.129     # only root from 192.168.2.129 may log in

[root@localhost ~]# systemctl restart sshd

2. Test that only root from 192.168.2.129 can connect to the host via ssh

[root@test2 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.129  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::6625:cc22:2268:e1f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:1a:8b:61  txqueuelen 1000  (Ethernet)
        RX packets 5466745  bytes 2275431218 (2.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4420539  bytes 1082931575 (1.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@test2 ~]# ssh root@192.168.2.128
Last failed login: Thu Jun 18 16:23:30 CST 2020 from gateway on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Jun 18 16:23:21 2020 from 192.168.2.129
   // login succeeded
--------------------------------------------------
[root@test3 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.130  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::2c27:a02c:731a:2219  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:53:71:a2  txqueuelen 1000  (Ethernet)
        RX packets 140126  bytes 20349622 (19.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31280  bytes 2739647 (2.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@test3 ~]# ssh root@192.168.2.128
root@192.168.2.128's password:
Permission denied, please try again.
   // login failed
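The two layers above (TCP wrappers in hosts.allow/hosts.deny, then AllowUsers/DenyUsers in sshd_config) can be checked on paper before restarting sshd, which avoids locking yourself out. The following Python script is an added example, not part of the original post: it models the decision order described in this article and, when fed both sections' settings together, shows that the first section's hosts.allow would still reset 192.168.2.129 before AllowUsers is ever consulted. The sample file contents are constructed from the article's examples; host patterns in AllowUsers are matched against the client IP only, as the article uses them.

```python
import fnmatch
import ipaddress

# Constructed sample files mirroring the page's two layers (not copied from a live host).
HOSTS_ALLOW = "sshd:192.168.2.130:allow\nsshd:192.168.3.0/24:allow\n"
HOSTS_DENY = "sshd:ALL\n"
SSHD_CONFIG = "AllowUsers root@192.168.2.129\n"

def _host_matches(pattern, ip):
    # TCP wrappers client pattern: ALL, an exact IPv4 address, or a.b.c.d/n CIDR.
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == "ALL" or pattern == ip

def _wrapper_rules(text, daemon="sshd"):
    # Yield (client_list, option) for lines naming the daemon; '#' starts a comment.
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) >= 2 and fields[0] in (daemon, "ALL"):
            yield fields[1].split(","), (fields[2] if len(fields) > 2 else None)

def tcp_wrappers_allow(ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    # hosts.allow first, then hosts.deny, no match means allow; ':allow'/':deny' overrides.
    for clients, opt in _wrapper_rules(allow_text):
        if any(_host_matches(c, ip) for c in clients):
            return opt != "deny"
    for clients, opt in _wrapper_rules(deny_text):
        if any(_host_matches(c, ip) for c in clients):
            return opt == "allow"
    return True

def _user_matches(pattern, user, ip):
    # USER or USER@HOST with * and ? wildcards; HOST is matched against the client IP.
    upat, _, hpat = pattern.partition("@")
    return fnmatch.fnmatchcase(user, upat) and (not hpat or fnmatch.fnmatchcase(ip, hpat))

def sshd_user_allow(user, ip, config_text=SSHD_CONFIG):
    # sshd_config(5) order: DenyUsers first, then AllowUsers (if set, only listed users pass).
    deny, allow = [], []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] in ("DenyUsers", "AllowUsers"):
            (deny if parts[0] == "DenyUsers" else allow).extend(parts[1:])
    if any(_user_matches(p, user, ip) for p in deny):
        return False
    return not allow or any(_user_matches(p, user, ip) for p in allow)

def verdict(user, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY, config_text=SSHD_CONFIG):
    # Both layers in the order a real connection meets them.
    if not tcp_wrappers_allow(ip, allow_text, deny_text):
        return "reset"   # client sees: ssh_exchange_identification: ... Connection reset by peer
    if not sshd_user_allow(user, ip, config_text):
        return "denied"  # client sees: Permission denied, please try again.
    return "allowed"
```

Call verdict("root", "192.168.2.129") with the defaults to see "reset", and pass empty allow_text/deny_text to reproduce the second section's successful login from 192.168.2.129 and the refusal from 192.168.2.130.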