
Re: Restricting ssh access to internet but not to internal network



I would likely restrict access to ssh from external, if at all possible. 
I realize that this isn't always possible but it should be possible to
at least narrow down access to certain IP ranges.

For this particular problem I'm assuming there are two NICs in the
computer, one with an IP in private space and the other with a public
address?  One idea is to bind two SSH daemons, one for each NIC.  Place
no AllowGroups restriction on the internal SSH daemon.  This means 
that all users can connect internally.  On the SSH daemon bound 
externally place the AllowGroups restriction to restrict access to 
members of that group.

If there's only one NIC in the computer then you could still use two SSH 
daemons, just bind them to different ports.  The internal port might be 
the standard tcp/22 whereas externally you would bind tcp/2222 or 
something.  Then firewall off the access to port 22 from externally so 
that the internal-use daemon can't be accessed.

Hope that helps.  I'm sure others will have ideas too.

Steve


On Thu, Nov 24, 2005 at 10:14:11PM -0800, Patrick wrote:
> I have a server running sshd on Sarge. I want all users to be able to
> access the computer from within the internal network - but restrict
> access from the internet (to users in a particular group). Can this be
> achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> the AllowGroup (or AllowUsers) options in sshd configuration file?
> 
> If so, how?
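The two-daemon scheme Steve describes, worked through as an added example (not code from the thread): a script that writes a separate sshd_config for the internal-facing and internet-facing daemons, checks that only the external one carries AllowGroups and that the two do not share a listen socket, and emits the firewall rule for the single-NIC variant. All addresses, the group name `sshext`, the port 2222 and the output directory are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example: split sshd into an internal daemon (all users) and an
# external daemon (one group), as suggested in the reply above.
# Constructed assumptions: internal NIC 10.0.0.5, public NIC 203.0.113.10,
# admin group "sshext", external port 2222, configs written under $OUTDIR.
set -eu

INT_ADDR="${INT_ADDR:-10.0.0.5}"
EXT_ADDR="${EXT_ADDR:-203.0.113.10}"
EXT_GROUP="${EXT_GROUP:-sshext}"
OUTDIR="${OUTDIR:-${TMPDIR:-/tmp}/sshd-split}"

write_internal_config() {
  # Internal daemon: listens only on the private address on tcp/22 and
  # carries no AllowGroups line, so every local account can log in from the LAN.
  cat > "$1" <<EOF
# sshd_config for the internal-facing daemon
ListenAddress ${INT_ADDR}:22
PidFile /run/sshd-internal.pid
PermitRootLogin no
EOF
}

write_external_config() {
  # External daemon: listens only on the public address (on the alternate
  # port for the single-NIC case) and restricts logins to one group.
  cat > "$1" <<EOF
# sshd_config for the internet-facing daemon
ListenAddress ${EXT_ADDR}:${2}
PidFile /run/sshd-external.pid
PermitRootLogin no
PasswordAuthentication no
AllowGroups ${EXT_GROUP}
EOF
}

# Print the value of a directive from a config file (empty if absent).
config_get() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Consistency check: the internal file must have no AllowGroups, the external
# file must restrict to $EXT_GROUP, and the listen sockets must differ.
check_split() {
  int_cfg="$1"; ext_cfg="$2"
  [ -z "$(config_get "$int_cfg" AllowGroups)" ] || return 1
  [ "$(config_get "$ext_cfg" AllowGroups)" = "$EXT_GROUP" ] || return 1
  [ "$(config_get "$int_cfg" ListenAddress)" != "$(config_get "$ext_cfg" ListenAddress)" ] || return 1
  return 0
}

# Single-NIC variant: drop tcp/22 arriving on the public interface so only
# the AllowGroups-restricted daemon on 2222 is reachable from outside.
firewall_rule() {
  printf 'iptables -A INPUT -i %s -p tcp --dport 22 -j DROP\n' "$1"
}

mkdir -p "$OUTDIR"
write_internal_config "$OUTDIR/sshd_config.internal"
write_external_config "$OUTDIR/sshd_config.external" 2222
check_split "$OUTDIR/sshd_config.internal" "$OUTDIR/sshd_config.external" \
  && echo "configs consistent: $OUTDIR"
firewall_rule eth0
# Validate each file with "sshd -t -f <file>" before starting the daemons
# with "sshd -f <file>"; each needs its own PidFile, as set above.
```

Later OpenSSH releases (4.4 and newer) can express the same split inside a single sshd_config with a `Match Address` block carrying the AllowGroups line, which avoids running two daemons; the two-file approach above is what the 2005-era setup in the thread supports.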