Is there any option to restrict SSH for a specific user coming from a specific subnet? For example, [email protected]/24 needs to be disabled.
Answer 1
Yes, it is right there in the man page:
AllowUsers
This keyword can be followed by a list of user name
patterns, separated by spaces. If specified, login is
allowed only for user names that match one of the patterns.
Only user names are valid; a numerical user ID is not
recognized. By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts. HOST criteria may
additionally contain addresses to match in CIDR
address/masklen format. The allow/deny users directives
are processed in the following order: DenyUsers,
AllowUsers.
...but personally I wouldn't use this - maintaining an ever-changing list of users would be a PITA. IMHO a better approach is to use Match blocks together with user groups...
# Match criteria need the "Address" keyword; the directives below a Match line
# apply until the next Match line.
Match Address 192.168.0.10/24
    AllowGroups PrivateSubnetSshUsers
Match Address 0.0.0.0/0
    AllowGroups SshUsers
Incidentally, allowing direct ssh access to the root account is generally considered an anti-pattern. OpenSSH even has specific configuration options to prevent this.
(Other things you might consider are "AllowGroups root / AllowGroups !root" or "PermitRootLogin yes / PermitRootLogin no" together with Match blocks.)
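As an added illustration (not part of the question or the answer), here is a small Python model of how sshd evaluates DenyUsers, AllowUsers (including USER@CIDR patterns) and AllowGroups across Match Address blocks, so a proposed config can be sanity-checked before it is deployed. It understands only the Match Address criterion; the group names and the sample config are constructed.

```python
import fnmatch
import ipaddress
# Simplified model of sshd_config(5) access lists: DenyUsers is evaluated first,
# then AllowUsers, then AllowGroups. Only the "Match Address" criterion is modelled.

def _addr_in(addr, nets):
    """True if addr lies in any comma-separated address/CIDR entry of nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets.split(","))

def _user_matches(pattern, user, addr):
    """USER or USER@HOST pattern; HOST is a CIDR block or an address glob."""
    user_pat, _, host_pat = pattern.partition("@")
    if not fnmatch.fnmatchcase(user, user_pat):
        return False
    if not host_pat:
        return True
    return _addr_in(addr, host_pat) if "/" in host_pat else fnmatch.fnmatchcase(addr, host_pat)

def effective_directives(config, addr):
    """Gather list directives from the global section and each Match Address block matching addr."""
    active, found = True, {"denyusers": [], "allowusers": [], "allowgroups": []}
    for raw in config.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())   # drop comments, squeeze whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":                        # a new block starts; does it apply to addr?
            crit, _, nets = value.partition(" ")
            active = crit.lower() == "address" and bool(nets) and _addr_in(addr, nets)
        elif active and key.lower() in found:
            found[key.lower()].extend(value.split())
    return found

def login_allowed(config, user, groups, addr):
    """Does user (member of groups) connecting from addr pass the three list checks?"""
    d = effective_directives(config, addr)
    if any(_user_matches(p, user, addr) for p in d["denyusers"]):
        return False
    if d["allowusers"] and not any(_user_matches(p, user, addr) for p in d["allowusers"]):
        return False
    if d["allowgroups"] and not any(fnmatch.fnmatchcase(g, p) for g in groups for p in d["allowgroups"]):
        return False
    return True

# Constructed sample: root is refused only from 192.168.0.0/24, which also admits an extra group.
SAMPLE_CONFIG = """DenyUsers root@192.168.0.0/24
AllowGroups SshUsers
Match Address 192.168.0.0/24
    AllowGroups PrivateSubnetSshUsers"""
```

On a real server, `sshd -T -C user=root,addr=192.168.0.42` prints the effective configuration for that connection, which is the authoritative check.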