AllowUser has problem for ssh

Hello everyone, I have a server that I am installing FreeBSD 9 on, and my server has a valid IP, and all the time, from all over the world, I get ssh attacks.

I want that only one IP be able to ssh to my server. I edited the sshd config file on /etc/ssh/sshd_config and added a line:
Code:
#AllowUsers mamadotal@192.168.1.32

But from the other computer I am able to ssh to that server. All I want is that only one IP be able to ssh to my server, only one user from that IP be able to ssh to my server.

What should I do?
 
And if you want to use sshd_config for it, it would probably be beneficial to remove the hash sign in front of the directive.
 
DutchDaemon said:
And if you want to use sshd_config for it, it would probably be beneficial to remove the hash sign in front of the directive.

I use AllowUser without the "#" sign but it still has the problem; I mean other computers can ssh to my SERVER. Why? I wrote "AllowUsers mamadotal@192.168.1.32" in this file: /etc/ssh/sshd_config

But other computers can still ssh to my server!!!
 
Usually, this works with me saying, "have you read FreeBSD handbook on pf firewall first?"
Then, you should check out the link which was posted in the 2nd post on how to write your rules.


But since I'm in a good mood today, write down your network specifics and I (or maybe somebody else) will write down rules for you.
 
bbzz said:
Usually, this works with me saying, "have you read FreeBSD handbook on pf firewall first?"
Then, you should check out the link which was posted in the 2nd post on how to write your rules.


But since I'm in a good mood today, write down your network specifics and I (or maybe somebody else) will write down rules for you.


No, I want to set this up in my SSH configuration; I heard I can do it by configuring sshd_config.
 
Start the ssh daemon on the server manually, in the foreground, with -d specified a bunch of times:
# sshd -dd

Then connect to it from the remote host.

Post the output here.
 
So from reading the OP's original question and the responses, I think the issue is not that SSHD allows the user to log in, but that it provides an authentication prompt to anyone connecting. callmanager, correct me if I am wrong with the following assumptions, but this might work for you:

1) sshd_config and AllowUsers directive is used for restricting the user that can authenticate and actually log into the system, not for restricting who can initiate an authentication request.

2) In order to block authentication requests (i.e. do not give a password prompt and just flat out deny the connection request), you must either be using a firewall like pf to restrict by IP address, or you must edit your /etc/hosts.allow file and enter the IP address you would like to allow or block.

For example, in /etc/hosts.allow you could enter:
Code:
SSHD : 192.168.1.32 : ALLOW
SSHD : ALL : DENY

Then, in /etc/ssh/sshd_config enter:
Code:
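# DenyUsers is checked before AllowUsers, so "DenyUsers *" would also lock out mamadotal;
# AllowUsers on its own already rejects every other user and address.
AllowUsers mamadotal@192.168.1.32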

The first configuration would only allow IP 192.168.1.32 to initiate a connection with SSHD, and refuse all connection attempts from all other IPs. The second configuration will make sure that the user authenticating is mamadotal and coming from IP 192.168.1.32, or deny the authorization request.
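
Added example, not part of the thread and not OpenSSH code: a simplified Python model of how sshd evaluates the AllowUsers and DenyUsers lines discussed above, assuming the order documented in sshd_config(5) (DenyUsers first, then AllowUsers). The function names and the 203.0.113.9 test address are constructed for illustration; negated patterns and CIDR matching are not modelled.

```python
# Simplified model for illustration; not OpenSSH source code.
from fnmatch import fnmatchcase

def parse_sshd_config(text):
    """Collect AllowUsers/DenyUsers patterns from active (uncommented) lines."""
    rules = {"allowusers": [], "denyusers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#AllowUsers ...' is only a comment
            continue
        keyword, *args = line.split()
        if keyword.lower() in rules:            # keywords are case-insensitive
            rules[keyword.lower()].extend(args)
    return rules

def matches(pattern, user, addr):
    """Match a USER or USER@HOST pattern using * and ? wildcards."""
    user_pat, _, host_pat = pattern.partition("@")
    return fnmatchcase(user, user_pat) and (not host_pat or fnmatchcase(addr, host_pat))

def sshd_allows(rules, user, addr):
    """DenyUsers is evaluated first, then AllowUsers."""
    if any(matches(p, user, addr) for p in rules["denyusers"]):
        return False
    if rules["allowusers"]:
        return any(matches(p, user, addr) for p in rules["allowusers"])
    return True  # no AllowUsers line at all: no user/address restriction

# Constructed inputs based on the lines quoted in the thread.
COMMENTED = "#AllowUsers mamadotal@192.168.1.32\n"
ACTIVE = "AllowUsers mamadotal@192.168.1.32\n"
WITH_DENY_ALL = ACTIVE + "DenyUsers *\n"
ATTEMPTS = [("mamadotal", "192.168.1.32"), ("mamadotal", "203.0.113.9"),
            ("root", "192.168.1.32")]   # 203.0.113.9 is a documentation address

def decisions(config_text):
    """Return the allow/deny result for each constructed attempt."""
    rules = parse_sshd_config(config_text)
    return [sshd_allows(rules, u, a) for u, a in ATTEMPTS]

if __name__ == "__main__":
    for name, cfg in [("commented", COMMENTED), ("active", ACTIVE),
                      ("with DenyUsers *", WITH_DENY_ALL)]:
        print(f"{name:18} {decisions(cfg)}")
```

In this model the commented line restricts nobody, the active AllowUsers line admits only mamadotal from 192.168.1.32, and adding `DenyUsers *` rejects every attempt.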
 