SSH Security

Julio Pacheco tj en vtr.net
Tue Mar 20 12:21:40 CLT 2007


hgatica wrote:
> On Tue, 20 Mar 2007 10:45:36 -0400, Ricardo Utreras Estrella wrote
>> Edison Caprile Pons wrote:
>>> Hi list:
>>>
>>> How can I restrict access to the SSH server to a single known public IP,
>>> and block everything else?
>>>
>>> Thank you very much.
>>>
>>> Regards,
>>>
>>> Edison.
>> By "known IP" do you mean a fixed IP??
>> If so, iptables is your friend.
>>
>> -- 
>> Regards, Ricardo Utreras Estrella
> 
> Take a look at man sshd_config
> 
> ListenAddress
> Specifies the local addresses sshd should listen on.  The following forms 
> may be used:
> 
> ListenAddress host|IPv4_addr|IPv6_addr
> ListenAddress host|IPv4_addr:port
> ListenAddress [host|IPv6_addr]:port
> 
> Iptables can also do the job, but there is a reason they put that directive there.
> 
> Regards.
> 
> 

If you look closely, ListenAddress "specifies the _local_ addresses on which sshd
_listens_". For example, consider this case:

tesla:~# ifconfig
lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:1049266 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1049266 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:850854949 (811.4 MiB)  TX bytes:850854949 (811.4 MiB)

eth0      Link encap:Ethernet  HWaddr 00:00:1A:19:19:EF
           inet addr:192.168.0.251  Bcast:192.168.0.255  Mask:255.255.255.0
           inet6 addr: fe80::200:1aff:fe19:19ef/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:6685465 errors:0 dropped:0 overruns:0 frame:0
           TX packets:5911510 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:4615934803 (4.2 GiB)  TX bytes:4622121986 (4.3 GiB)
           Interrupt:31

eth1      Link encap:Ethernet  HWaddr 00:00:1A:19:19:F0
           inet addr:172.16.188.1  Bcast:172.16.188.255  Mask:255.255.255.0
           inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth2      Link encap:Ethernet  HWaddr 00:00:1A:19:19:F1
           inet addr:172.16.100.1  Bcast:172.16.100.255  Mask:255.255.255.0
           inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


If ListenAddress is not set, sshd answers on 192.168.0.251, 172.16.188.1 and 172.16.188.1

On the other hand, if ListenAddress 192.168.0.251 is set, the following happens:

julio en gauss$ ssh 192.168.0.251
The authenticity of host '172.16.188.1 (172.16.188.1)' can't be established.
RSA key fingerprint is f1:71:a1:05:a2:28:f3:25:be:ae:f9:65:53:84:23:b9.
Are you sure you want to continue connecting (yes/no)?yes
Password:

julio en faraday$ ssh 172.16.188.1
ssh: connect to host 192.168.0.233 port 22: Connection refused

julio en oersted$
ssh: connect to host 192.168.0.233 port 22: Connection refused
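To make the distinction concrete, here is an added example (not code from the thread) that models the two controls side by side: ListenAddress decides which of the local addresses from the ifconfig output above sshd binds, while an iptables INPUT rule decides which source address may reach port 22. The "known public IP" 203.0.113.7 is a constructed placeholder.

```python
from ipaddress import ip_address, ip_network

# Local addresses of the host in the ifconfig output above.
LOCAL_ADDRS = ["192.168.0.251", "172.16.188.1", "172.16.100.1"]
KNOWN_PUBLIC_IP = "203.0.113.7"  # constructed placeholder for the "known IP"


def sshd_accepts(listen_address, src, dst):
    """ListenAddress only selects the local address sshd binds; the remote
    source address (src) plays no part in the decision."""
    if dst not in LOCAL_ADDRS:
        return False
    if listen_address is None:  # default: sshd binds every local address
        return True
    return dst == listen_address


def iptables_accepts(rules, src, dport=22, policy="DROP"):
    """Walk an ordered INPUT chain: first matching rule wins, otherwise the
    chain policy applies."""
    for rule in rules:
        if rule.get("dport") not in (None, dport):
            continue
        if "src" in rule and ip_address(src) not in ip_network(rule["src"]):
            continue
        return rule["target"] == "ACCEPT"
    return policy == "ACCEPT"


def ssh_only_from(known_ip):
    """Rule set answering the original question: SSH from one IP, drop the rest."""
    return [
        {"src": f"{known_ip}/32", "dport": 22, "target": "ACCEPT"},
        {"dport": 22, "target": "DROP"},
    ]


def render(rules):
    """Render the rule set as iptables commands (not executed here)."""
    lines = []
    for r in rules:
        parts = ["iptables -A INPUT -p tcp"]
        if "src" in r:
            parts.append(f"-s {r['src']}")
        if r.get("dport"):
            parts.append(f"--dport {r['dport']}")
        parts.append(f"-j {r['target']}")
        lines.append(" ".join(parts))
    return lines


def reachable(listen_address, rules, src, dst):
    """A connection succeeds only if both the firewall and sshd accept it."""
    return iptables_accepts(rules, src) and sshd_accepts(listen_address, src, dst)
```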

