[olug] OpenSSH ListenAddress Options
Rob Townley
rob.townley at gmail.com
Sat Nov 7 21:40:25 UTC 2009
On Fri, Nov 6, 2009 at 6:06 PM, Matthew G. Marsh <olug4mgm at paktronix.com> wrote:
>
> <delurk>
>
> Hmmm - twice in one day - I must be slipping...
>
> I use ListenAddress in all of my ssh servers. It is even in the
> sshd_config file created by the PakSecured install routine.
>
> The first one below (IPv4 addr) binds the SSHD only to listen on the
> internal IP address. The second can be used to bind an IPv6 address which
> this particular machine does not have.
>
> ListenAddress 192.168.x.y
> # ListenAddress ::
>
> netstat -an shows:
>
> tcp 0 0 192.168.x.y:22 0.0.0.0:* LISTEN
>
> Even though this machine has approximately 5 IPv4 addresses.
>
> Now as far as the USERS and hostnames I always compile SSH with
> tcpwrappers and use a hosts.allow file to permit only my appropriate
> remote IP addrs. This is true especially on externally facing SSH servers.
> Now on specific machines where paranoia is justified I use Ostiary to
> launch sshd with an even stricter lock set and creating a temporary
> hosts.allow within the jail location.
>
> That sshd_config contains:
>
> AllowUsers my_specific_special_user
> AllowGroups my_specific_special_group
>
> as well as (created on the fly)
>
> ListenAddress a.b.c.d:efghi
>
> which as you will note specifies a port # (BTW the actual script creates a
> port based on a passed in variable...) and also creates iptables rules
> along with the hosts.allow - perhaps overkill but...
>
> Now just to piss off evangelists I only use Protocol 1 in my ssh servers
> but I also use an ancient patched sshd of my own to work with that... ;-}
>
> Anyway - I recommend using ListenAddress on any server where you can be
> sure of the IP addrs; otherwise the bindings can get messy. (Yes, I have
> hacked up a DHCP version of this, but that is a weirder usage...)
>
> Additionally the binding in the first example was an address on dummy0
> where I can use extensive crypto tunnels to produce a virtual network
> structure.
>
> Hope this helps... <flame bait> SSH is a very powerful software package
> even though the BSD people developed it... </flame bait>
>
> mgm
>
> </delurk>
>
> On Fri, 6 Nov 2009, dan at miniarpa.net wrote:
>
> <snipped stuff about some kind of linux box running web servers>
>
>> Thanks,
>> Dan
>
>
> --------------------------------------------------
> Matthew G. Marsh
> Special Email Addr for OLUG ;-}
> Phone: (402) 932-7250
> Email: olug4mgm at paktronix.com
> WWW: http://www.paksecured.org
> --------------------------------------------------
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>
I am not smart enough to modify protocol 1 to be safe.
Simpler methods are outside of sshd, such as "port knocking" or
tinc-vpn or another p2p VPN.
With tinc, you could tell your sshd to only bind to a VPN-based IP.
Only hosts in the VPN can even see the IP address, but that just
moves the hole in your firewall from sshd to a VPN port. I have a
dream of using dynamic DNS on a tinc-only network. The tinc-only DNS
would store the dynamic ports opened for each node so everybody can be
behind a NAT but reachable.
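The check Matthew describes above (set ListenAddress, then confirm with netstat that sshd is bound only to the intended address) is easy to get wrong: edit sshd_config, forget to restart, and the running daemon still listens on 0.0.0.0:22 and :::22 across all five addresses. The script below is an added example for this thread, not code from either poster or from OpenSSH. It parses the Port and ListenAddress directives out of an sshd_config (bare address, address:port, and [ipv6]:port forms, plus the commented-out `# ListenAddress ::` case), parses `netstat -an` or `ss -lnt` output, and reports any ssh-port listener that the config does not account for, flagging wildcards in particular. The address 192.168.1.10 stands in for the thread's 192.168.x.y, and all config and netstat text is constructed sample data.

```python
"""Audit sshd's actual bindings against the ListenAddress/Port directives.

Added example for the OLUG ListenAddress thread; not OpenSSH or PakSecured code.
All sample input below is constructed.
"""
import re

DEFAULT_PORT = 22                       # sshd default when no Port directive is set
WILDCARDS = {"0.0.0.0", "::", "*"}      # "listen on every address" forms netstat/ss print


def split_host_port(spec):
    """'a.b.c.d' -> (addr, None); 'a.b.c.d:2222' -> (addr, 2222);
    '[2001:db8::1]:2222' -> ('2001:db8::1', 2222); '::' -> ('::', None)."""
    m = re.fullmatch(r"\[([^\]]+)\]:(\d+)", spec)
    if m:
        return m.group(1), int(m.group(2))
    if spec.count(":") == 1:            # IPv4 address or hostname followed by a port
        host, port = spec.split(":")
        return host, int(port)
    return spec, None                   # bare IPv4, hostname, or bare (bracket-less) IPv6


def parse_sshd_config(text):
    """Return (ports, expected) where expected is the set of (address, port)
    pairs sshd should bind. A ListenAddress with no port listens on every
    Port value; no ListenAddress at all means the IPv4 and IPv6 wildcards."""
    ports, raw_listen = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # '# ListenAddress ::' is a comment, not a bind
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":
            ports.append(int(value))
        elif key == "listenaddress":
            raw_listen.append(value)
    if not ports:
        ports = [DEFAULT_PORT]
    expected = set()
    for spec in raw_listen:
        addr, port = split_host_port(spec)
        if port is None:
            expected.update((addr, p) for p in ports)
        else:
            expected.add((addr, port))
    if not expected:
        expected.update((w, p) for w in ("0.0.0.0", "::") for p in ports)
    return ports, expected


def parse_listeners(text):
    """Return the set of (address, port) in LISTEN state from `netstat -an`
    ('tcp ... LISTEN') or `ss -lnt` ('LISTEN ...') output; both print the
    local socket in the fourth column."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or "LISTEN" not in fields:
            continue
        if not (fields[0].startswith("tcp") or fields[0] == "LISTEN"):
            continue
        addr, _, port = fields[3].rpartition(":")   # ':::22' -> ('::', '22')
        listeners.add((addr.strip("[]"), int(port)))
    return listeners


def audit(config_text, netstat_text):
    """Compare configured binds with live ones on the ssh port(s).
    'unexpected' lists live listeners the config does not explain (a wildcard
    here means the restriction is not in effect); 'missing' lists configured
    binds that are not up. Both empty means the ListenAddress setting took."""
    ports, expected = parse_sshd_config(config_text)
    actual = {l for l in parse_listeners(netstat_text) if l[1] in set(ports)}
    return {
        "unexpected": sorted(actual - expected),
        "missing": sorted(expected - actual),
    }


# Constructed sshd_config, modelled on the thread's fragment (x.y made concrete).
GOOD_CONFIG = """\
Port 22
ListenAddress 192.168.1.10
# ListenAddress ::
AllowUsers my_specific_special_user
"""

# Constructed `netstat -an` excerpt: sshd bound only to the internal address.
GOOD_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:22         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

# Constructed: same config on disk, but sshd was never restarted, so the
# wildcard binds are still live and every one of the host's addresses answers.
STALE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

if __name__ == "__main__":
    print("good:", audit(GOOD_CONFIG, GOOD_NETSTAT))
    print("stale:", audit(GOOD_CONFIG, STALE_NETSTAT))
```

On a real host, feed it `/etc/ssh/sshd_config` and the output of `ss -lnt` (or `netstat -an`), and run it after every `sshd` restart rather than trusting the file alone. Two caveats from sshd_config(5): a ListenAddress that omits the port picks up only Port directives that appear before it in the file, and it binds at startup, so an address that does not yet exist (the IPv6 case in the thread, or a tunnel interface that comes up later) will fail to bind rather than be deferred.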