如何限制ssh特定用户只能从一个 IP 地址登录?
我有一个在服务器中命名的用户foo,例如IP地址127.0.0.5(我的第一个服务器),并且我ssh仅通过公钥留下了其登录名。我只想从特定IP(这是我的另一台服务器)(例如 IP )向该用户授予访问登录权限127.0.0.6。
这怎么可能?
答案1
您可以更改 sshd 的配置,在/etc/ssh/sshd_config:
AllowUsers [email protected] [email protected] ....
您还可以选择某些用户只能使用某些身份验证方法:
Match User my_login
AuthenticationMethods publickey
但要小心这两点:在更改任何设置之前,您应该进行物理控制或非常小心。我建议您还查看手册页中的AllowUsersansAuthenticationMethods选项,以便更好地理解其含义,并最终了解您需要的其他选项和方法。
答案2
您可以设置防火墙并只允许某个 IP 连接到端口 22:
/etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet firewall {
chain inbound {
# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets.
ct state established,related accept
# Drop invalid packets.
ct state invalid drop
# Allow loopback traffic.
iifname lo accept
# Allow all ICMP and IGMP traffic, but enforce a rate limit
# to help prevent some types of flood attacks.
ip protocol icmp limit rate 4/second accept
ip6 nexthdr ipv6-icmp limit rate 4/second accept
ip protocol igmp limit rate 4/second accept
# Allow SSH on port 22 but only from 127.0.0.6
ip saddr 127.0.0.6 tcp dport 22 accept
}
chain forward {
# Drop everything (assumes this device is not a router)
type filter hook forward priority 0; policy drop;
}
chain outbound {
# Allow all outbound traffic
type filter hook output priority 0; policy accept;
}
}