Linux Access Control
I. Restricting SSH logins by user
1. Allow only whitelisted users to log in
Command: vim /etc/ssh/sshd_config
Make the root user coming from 192.168.220.113 a whitelisted user:
......
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
AllowUsers root@192.168.220.113
Then restart the SSH service with systemctl restart sshd.
Test:
Log in as root from 192.168.220.113: success
[root@client01 ~]# ssh root@192.168.220.111
root@192.168.220.111's password:
Last login: Sat Jan 23 09:17:50 2021 from 192.168.220.113
[root@server01 ~]#
[root@server01 ~]#
[root@server01 ~]#
Log in as root from 192.168.220.112:
[root@midmachine ~]# ssh root@192.168.220.111
root@192.168.220.111's password:
Permission denied, please try again.
root@192.168.220.111's password:
Access denied; the test passed.
2. Deny specified users from logging in
Command: vim /etc/ssh/sshd_config
Make the root user coming from 192.168.220.113 a blacklisted user:
......
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
DenyUsers root@192.168.220.113
Then restart the SSH service with systemctl restart sshd.
Test:
Log in as root from 192.168.220.113: access denied
[root@client01 ~]# ssh root@192.168.220.111
root@192.168.220.111's password:
Permission denied, please try again.
root@192.168.220.111's password:
Log in as root from 192.168.220.112:
[root@midmachine ~]# ssh root@192.168.220.111
root@192.168.220.111's password:
Last login: Sat Jan 23 09:43:53 2021 from 192.168.220.112
[root@server01 ~]#
Login succeeded; end of test.
II. Restricting SSH logins by IP
1. Allow logins from a fixed IP
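To make the evaluation order behind the two cases above concrete, here is an added Python model of how sshd applies AllowUsers and DenyUsers (it is not part of the original post and not OpenSSH's code): DenyUsers is checked first, and once AllowUsers is present, any user@host pair it does not list is refused. The config fragments are constructed for the example; the whitelist carries an extra deploy@10.0.0.0/8 pattern to show the CIDR host form sshd also accepts. Hostname matching and the group directives are deliberately left out.

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragments for the two cases above (assumed content, not
# the page's file verbatim): the whitelist from section 1 plus one CIDR pattern,
# and the blacklist from section 2.
WHITELIST_CONF = """
# Example of overriding settings on a per-user basis
AllowUsers root@192.168.220.113 deploy@10.0.0.0/8
"""

BLACKLIST_CONF = """
DenyUsers root@192.168.220.113
"""


def parse_user_directives(conf):
    """Collect AllowUsers and DenyUsers patterns; keywords are case-insensitive
    and anything after '#' is a comment, as in sshd_config(5)."""
    allow, deny = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *patterns = line.split()
        if keyword.lower() == "allowusers":
            allow.extend(patterns)
        elif keyword.lower() == "denyusers":
            deny.extend(patterns)
    return allow, deny


def host_matches(pattern, addr):
    """HOST part of a pattern: a CIDR block (addr/len) or a glob with '*' and '?'.
    Only the client address is compared here; sshd also tries the hostname."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(addr, pattern)


def pattern_matches(pattern, user, addr):
    """A pattern is USER or USER@HOST; for the second form both halves must match."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, user_pat) and host_matches(host_pat, addr)
    return fnmatch.fnmatchcase(user, pattern)


def user_login_allowed(conf, user, addr):
    """sshd evaluates DenyUsers before AllowUsers: a DenyUsers hit refuses the login,
    and if AllowUsers is set at all, anyone it does not list is refused as well.
    DenyGroups/AllowGroups, which sshd checks afterwards, are not modelled."""
    allow, deny = parse_user_directives(conf)
    if any(pattern_matches(p, user, addr) for p in deny):
        return False
    if allow and not any(pattern_matches(p, user, addr) for p in allow):
        return False
    return True


if __name__ == "__main__":
    cases = (("root", "192.168.220.113"), ("root", "192.168.220.112"), ("deploy", "10.3.4.5"))
    for conf_name, conf in (("whitelist", WHITELIST_CONF), ("blacklist", BLACKLIST_CONF)):
        for user, addr in cases:
            verdict = "allowed" if user_login_allowed(conf, user, addr) else "denied"
            print(f"{conf_name}: {user}@{addr} -> {verdict}")
```

On the real server, run sshd -t to validate the file before restarting, and sshd -T -C user=root,host=client01,addr=192.168.220.113 to print the effective configuration for that particular connection; a typo in the address (for example a missing octet) otherwise locks every user out once the service restarts.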
[root@server01 ~]# vim /etc/hosts.allow
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# allow the IP address 192.168.220.113 to log in over ssh
sshd:192.168.220.113:allow
[root@server01 ~]# vim /etc/hosts.deny
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL
Test:
Log in as root from 192.168.220.113: success
[root@client01 ~]# ssh root@192.168.220.111
root@192.168.220.111's password:
Last login: Sat Jan 23 10:02:28 2021 from 192.168.220.113
[root@server01 ~]#
[root@server01 ~]#
[root@server01 ~]#
Log in as root from 192.168.220.112: failure
[root@midmachine ~]# ssh root@192.168.220.111
ssh_exchange_identification: read: Connection reset by peer
When both files are configured, the rules in hosts.allow take precedence because that file is consulted first. With the two files set up as above, the server only allows SSH logins from the IP address 192.168.220.113; SSH logins from every other IP are refused.
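As an added illustration of that precedence rule (not part of the original post and not tcp_wrappers' own code), the Python model below implements the hosts_access(5) lookup order: hosts.allow is searched first and a hit grants access, hosts.deny is searched next and a hit refuses it, and a client matching neither file is let in. The two files are constructed copies of the ones above; the ALL, dotted-prefix, net/mask and EXCEPT forms and the trailing allow/deny options are supported so the function can be tried on other policies too. Note that these files only affect sshd when it is linked against libwrap (check with ldd /usr/sbin/sshd | grep libwrap); upstream OpenSSH dropped that support in 6.7, so on distributions without the patch the connection-reset result shown above will not occur.

```python
import ipaddress

# Constructed copies of the two control files from the section above (assumed
# content, not read from /etc). The comment sits on its own line because
# hosts_access(5) only ignores lines that begin with '#'.
HOSTS_ALLOW = """
# allow the IP address 192.168.220.113 to log in over ssh
sshd: 192.168.220.113 : allow
"""

HOSTS_DENY = """
sshd: ALL
"""


def parse_rules(text):
    """Each rule is 'daemon_list : client_list [: option ...]'; a trailing
    backslash joins continued lines and whole-line '#' comments are skipped."""
    rules = []
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        options = [o.lower() for o in fields[2:] if o]
        rules.append((fields[0].split(), fields[1].split(), options))
    return rules


def daemon_token_matches(token, daemon):
    """Daemon patterns: ALL or the daemon's process name."""
    return token.upper() == "ALL" or token == daemon


def client_token_matches(token, addr):
    """Client patterns modelled here: ALL, a dotted prefix ('192.168.220.'),
    net/mask or n.n.n.n/len, or one exact address."""
    if token.upper() == "ALL":
        return True
    if token.endswith("."):
        return addr.startswith(token)
    if "/" in token:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return token == addr


def list_matches(tokens, value, token_matches):
    """'a b EXCEPT c' matches when a or b matches and c does not; repeated
    EXCEPT operators nest to the right, as in hosts_access(5)."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
        return list_matches(head, value, token_matches) and not list_matches(tail, value, token_matches)
    return any(token_matches(t, value) for t in tokens)


def first_match(rules, daemon, addr):
    """Verdict of the first rule matching (daemon, client): 'allow' or 'deny' if the
    rule ends in that option, 'match' if it carries neither, None if none matched."""
    for daemons, clients, options in rules:
        if list_matches(daemons, daemon, daemon_token_matches) and list_matches(clients, addr, client_token_matches):
            if "deny" in options:
                return "deny"
            if "allow" in options:
                return "allow"
            return "match"
    return None


def hosts_access(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: hosts.allow first (a hit grants access unless the rule says
    ':deny'), then hosts.deny (a hit refuses access unless the rule says ':allow'),
    and a client matching neither file is accepted."""
    verdict = first_match(parse_rules(allow_text), daemon, addr)
    if verdict is not None:
        return verdict != "deny"
    verdict = first_match(parse_rules(deny_text), daemon, addr)
    if verdict is not None:
        return verdict == "allow"
    return True


if __name__ == "__main__":
    for addr in ("192.168.220.113", "192.168.220.112"):
        state = "accepted" if hosts_access("sshd", addr) else "connection refused"
        print(f"sshd from {addr}: {state}")
```

Because an unmatched client is accepted by default, a hosts.allow entry on its own never blocks anyone; the sshd: ALL line in hosts.deny is what turns the whitelist into a real restriction, and it is worth testing from a second address (as the author does above) before closing the session that made the change.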