Re: bar root login from any but 192.168.0/16

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 08/14/04

    Date: Sat, 14 Aug 2004 17:48:08 -0400

    "Harry Putnam" <reader@newsguy.com> wrote in message
    news:m3wu03vtx8.fsf@newsguy.com...
    > How can I bar root login via ssh but only from somewhere besides my
    > local network?
    >
    > My ssh server sits behind a nat'ed firewall. I'd like to keep any
    > root logins from the internet from happening but allow them from
    > my.local.net.

    The easy way is to use a different port for external, Internet-based logins
    by using a separate init script with a separate sshd_config file, and if you
    wish to allow user access from the Internet at large, port-forward from your
    external NAT'ed IP address and port (such as the standard SSH port 22) to
    your internal server on the alternative port. This will be invisible to your
    users, protect your root-accessible port from external access, and is very
    simple to configure.
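    The two-daemon layout described in the reply, as an added example that is not from the original thread: one sshd_config for the LAN-facing daemon on port 22 (root allowed) and one for the Internet-facing daemon on an alternate port (root refused), plus a check that reads back each file's effective policy. The file paths, port 2222, the internal address 192.168.1.10 and the interface name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the two sshd_config
# files and checks what each one permits. Paths and ports are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# LAN-facing daemon: standard port, root logins allowed. The NAT router must
# NOT forward external port 22 to this daemon, so only the local network
# can reach it.
write_internal_config() {
    cat > "$WORKDIR/sshd_config.internal" <<'EOF'
Port 22
PermitRootLogin yes
PidFile /var/run/sshd.internal.pid
EOF
    echo "$WORKDIR/sshd_config.internal"
}

# Internet-facing daemon: alternate port (the one the router forwards to),
# root logins refused whatever credentials are presented.
write_external_config() {
    cat > "$WORKDIR/sshd_config.external" <<'EOF'
Port 2222
PermitRootLogin no
PidFile /var/run/sshd.external.pid
EOF
    echo "$WORKDIR/sshd_config.external"
}

# Print the PermitRootLogin value found in a config file ("unset" if absent),
# so an operator can confirm which daemon is which before forwarding a port.
root_login_policy() {
    awk 'tolower($1)=="permitrootlogin"{print tolower($2); f=1} END{if(!f) print "unset"}' "$1"
}

# Print the port a config file listens on (sshd's default is 22 if unset).
listen_port() {
    awk 'tolower($1)=="port"{print $2; f=1} END{if(!f) print 22}' "$1"
}

# The second init script would start the extra daemon with its own file:
#   /usr/sbin/sshd -f /etc/ssh/sshd_config.external
# and the router (assumed Linux with iptables, external interface eth0) would
# forward Internet port 22 to the internal host's alternate port only:
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 \
#       -j DNAT --to-destination 192.168.1.10:2222
```

Run the two write functions, then `root_login_policy` and `listen_port` on each file to verify that the port you forward from the router is the one whose policy reads "no".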

