[olug] OpenSSH ListenAddress Options

Christopher Cashell topher-olug at zyp.org
Fri Nov 6 22:08:44 UTC 2009


On Fri, Nov 6, 2009 at 2:55 PM,  <dan at miniarpa.net> wrote:
> Is there another option I'm overlooking that can help me lock down the IPs but leave the domain open?  I tried an iptables rule based on allowing to the hostname and denying to the IP but that didn't work, probably because of the way the SSH client actually tries to connect (I'd assume it just looks up the DNS record and uses the IP, never passing the hostname to the server).

You're correct on the way this works.  At the actual connection level,
things are always IP:Port <-> IP:Port.  DNS and hostnames are purely a
convenience for humans since we don't do so well remembering random
strings of numbers.  In general, I would recommend never using
hostnames for anything like this unless you really know what you're
doing and understand the ramifications.  When it comes to
iptables/ssh/etc, when you enter a hostname into a config the
tool/program you're working with is usually just going to do a lookup
on the hostname and then internally use the IP everywhere.  Since
hostname/DNS lookups can return unpredictable results (how should
iptables/sshd_config handle it if a hostname resolves to multiple
IPs?), you can easily get yourself into trouble.

> Has anybody successfully configured SSH in the same way that I want to?  Is there something blatantly obvious that I'm forgetting?

If you mean restricting it to hostname vs. IP connections, then, if I
understand correctly what you're trying to do, it's not possible.  Not
unless ssh clients pass the hostname as part of their application
level handshake (much like the 'Host:' header in HTTP), but I'm pretty
sure they don't.  Note this is similar to the reason that name-based
virtual hosting for web stuff doesn't work well with SSL/TLS.

If you're just looking for other things you can do to further lock
down ssh, I can think of a couple.  One common suggestion is running
ssh on a non-standard port (something other than port 22).  This will
reduce the number of ssh scans that you get.  However, this also
complicates access and can inconvenience users.

My preferred solution is to use iptables to implement rate limiting on
connection attempts to port 22, ensuring that someone can't try to
brute-force passwords against my machines.  The easiest way to add
this is to replace your normal port 22 ACCEPT line in iptables with
something like:

# Accept SSH traffic, but only at a specific rate.  Anyone with too many
# connection attempts on port 22 will stop getting their packets
# accepted (preventing (or at least severely limiting) brute force
# attacks).
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 1/min --limit-burst 4 -j ACCEPT

This will limit NEW connections to 1 per minute, with an initial burst
of 4 allowed (some clients will send multiple SYN packets pretty
quickly when starting a connection; dropping it below 4 may get you
locked out of your box for a few minutes).

Of course this assumes that you have a DROP rule somewhere following
the above ACCEPT rule.

> Dan

-- 
Christopher
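To see what `--limit 1/min --limit-burst 4` actually does to a stream of connection attempts, here is an added simulation (my own example, not Christopher's rule and not netfilter code) of the limit match's token bucket, run over a constructed list of SYN arrival times from three made-up source addresses. It also runs the same attempts through a per-source bucket, which is what the `hashlimit` match with `--hashlimit-mode srcip` gives you, because `-m limit` keeps one shared counter: once a scanner has drained it, every other client's new connections fall through to the DROP rule as well.

```python
"""Token-bucket model of `-m limit --limit 1/min --limit-burst 4`.

Added example, not code from the original post.  The netfilter limit
match starts with `--limit-burst` tokens, refills them at `--limit`,
and matches a packet only if a whole token is available.  Everything
below is a simulation; no iptables command is run.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """One token bucket, as `-m limit` keeps for a single rule."""
    rate_per_sec: float          # --limit, converted to tokens/second
    burst: int                   # --limit-burst, bucket capacity
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def match(self, now: float) -> bool:
        """Refill for the time elapsed, then try to spend one token."""
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.rate_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# Constructed traffic: (seconds since start, source address).
# A: a normal client whose first SYN is retransmitted 200 ms later.
# B: a scanner hammering port 22 once per second for ten seconds.
# C: a second legitimate client arriving after the scanner.
ATTEMPTS = (
    [(0.0, "198.51.100.7"), (0.2, "198.51.100.7")]
    + [(float(t), "203.0.113.9") for t in range(5, 15)]
    + [(20.0, "198.51.100.21")]
)


def simulate(attempts, per_source: bool = False):
    """Return [(t, src, 'ACCEPT' | 'DROP')] for each NEW-connection SYN.

    per_source=False models the post's rule: one bucket shared by all
    sources (`-m limit`).  per_source=True models a bucket per source
    address, as `-m hashlimit --hashlimit-mode srcip` would keep.
    A DROP here means "not matched by the ACCEPT rule", so the packet
    continues to the DROP rule the post assumes comes later.
    """
    buckets: dict[str, LimitMatch] = {}
    out = []
    for t, src in attempts:
        key = src if per_source else "*"
        bucket = buckets.setdefault(key, LimitMatch(rate_per_sec=1 / 60, burst=4))
        out.append((t, src, "ACCEPT" if bucket.match(t) else "DROP"))
    return out


def accepted_by_source(results) -> dict[str, int]:
    """Count accepted SYNs per source address."""
    counts: dict[str, int] = {}
    for _, src, verdict in results:
        if verdict == "ACCEPT":
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for label, per_src in (("shared bucket (-m limit)", False),
                           ("per-source bucket (hashlimit srcip)", True)):
        results = simulate(ATTEMPTS, per_source=per_src)
        print(f"== {label} ==")
        for t, src, verdict in results:
            print(f"t={t:5.1f}s  {src:15s}  {verdict}")
        print("accepted per source:", accepted_by_source(results))
```

With the shared bucket the scanner gets only two connections through, but it also empties the bucket, so the second legitimate client at t=20 is dropped and stays locked out until a token refills a minute later; with a per-source bucket the scanner is capped at its own burst of 4 and the other clients are unaffected.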
