[olug] OpenSSH ListenAddress Options
dan at miniarpa.net
dan at miniarpa.net
Fri Nov 6 20:55:14 UTC 2009
Hey all,
I'm locking down my two Debian webservers, and naturally one of the first things on my checklist is SSH. I currently have both servers set to disallow passworded root logins (without-password to allow my keyfiled rsyncs to function), AllowUsers is set accordingly and I've even set LoginGraceTime to a very narrow window, but I'd still like to lock the servers down ever better.
One of the options I came across in man sshd_config was ListenAddress. ListenAddress shows "IPv4_addr", "IPv6_addr" and "host" as acceptable values. I saw this and it got me thinking about how often my logs have shown somebody just sweeping a range of IPs and pounding all the SSH servers they can find. I naturally assumed that "host" meant an actual hostname, so I tried setting this value to the servers' hostnames. My reasoning behind this was that any time I SSH in, I always use the hostname instead of the IP. The new configuration didn't work as planned, and the servers continued to respond to connections on the IP addresses.
Is there another option I'm overlooking that can help me lock down the IPs but leave the domain open? I tried an iptables rule based on allowing to the hostname and denying to the IP but that didn't work, probably because of the way the SSH client actually tries to connect (I'd assume it just looks up the DNS record and uses the IP, never passing the hostname to the server).
Has anybody successfully configured SSH in the same way that I want to? Is there something blatantly obvious that I'm forgetting?
Thanks,
Dan
More information about the OLUG
mailing list