wiki:infrastructure_tools:ssh:ssh-denygroups [2017/06/27 22:12] (current)
iggy.ttt@gmail.com created
====== SSH DenyGroups ======

===== Preface =====

This option makes it possible to manage access for users that connect to your server from a particular IP.  \\
\\
In this way it's possible to limit access at the application level.\\
As far as I know, it's not possible to do this kind of user access filtering at the firewall level.

<note tip>

This is a useful option, but it will not replace a properly configured firewall on your server.

</note>
===== DenyGroups Configuration =====

==== Configuration file ====

Location: "**/etc/ssh/sshd_config**"\\
I personally prefer to put these rules at the end of the file to keep it readable.

==== DenyGroups - Description ====

This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. All of the specified user and group tests must succeed before a user is allowed to log in.\\
\\
See PATTERNS in ssh_config(5) for more information on patterns.
 +
==== Configuration Example: ====

You can put each group on a separate line (comments in sshd_config go on their own line, starting with #)

<code>
# Deny access for "group1" from ANY IP
DenyGroups group1
# Deny access for "group2" from ANY IP
DenyGroups group2
</code>

Or you can put all access rules on one line

<code>
DenyGroups group1 group2
</code>
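The processing order described above (DenyUsers, AllowUsers, DenyGroups, AllowGroups) and the rule lines from this section, worked through as an added Python example; this is not code from the wiki page or from OpenSSH. It parses the four allow/deny keywords out of a constructed sshd_config fragment and decides whether a login would pass, using fnmatch for the `*`/`?` patterns. The keyword names are OpenSSH's; the sample accounts, the `contractor@10.0.0.*` rule and the host strings are assumptions.

```python
from fnmatch import fnmatchcase
# Constructed sshd_config fragment (sample data, not a real host's file): the article's
# two DenyGroups lines plus one example of each other allow/deny keyword.
SAMPLE_SSHD_CONFIG = """\
# Access rules kept at the end of the file, as the article recommends
DenyUsers contractor@10.0.0.*
AllowUsers *
DenyGroups user1
DenyGroups user2
AllowGroups *
"""
ACCESS_KEYWORDS = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_access_rules(config_text):
    """Collect the patterns of the four allow/deny keywords, keyed by lowercase name.
    Whole-line '#' comments are skipped; a repeated keyword accumulates, as in sshd."""
    rules = {key: [] for key in ACCESS_KEYWORDS}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *patterns = line.split()
        if keyword.lower() in rules:
            rules[keyword.lower()].extend(patterns)
    return rules

def _user_matches(user, host, patterns):
    """A USER@HOST pattern checks user and host separately; a plain pattern only the user."""
    for pattern in patterns:
        user_pat, _, host_pat = pattern.partition("@")
        if fnmatchcase(user, user_pat) and (not host_pat or fnmatchcase(host, host_pat)):
            return True
    return False

def _group_matches(groups, patterns):
    # True when any of the account's groups matches any group pattern
    return any(fnmatchcase(group, pat) for group in groups for pat in patterns)

def login_allowed(rules, user, groups, host):
    """Apply the order the page documents: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    `groups` holds the account's primary and supplementary group names; every test must pass."""
    if _user_matches(user, host, rules["denyusers"]):
        return False
    if rules["allowusers"] and not _user_matches(user, host, rules["allowusers"]):
        return False
    if _group_matches(groups, rules["denygroups"]):
        return False
    if rules["allowgroups"] and not _group_matches(groups, rules["allowgroups"]):
        return False
    return True
```

Note that an account is also denied when the denied group is only one of its supplementary groups, which is easy to overlook when reviewing group memberships.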
 +
<note tip>

To make sure that your change is used on your system, you'll need to restart SSHD after each update. You can check the edited file for syntax errors with ''sshd -t'' before restarting.

<code>
/etc/init.d/sshd restart         # For example on CentOS 6
systemctl restart sshd           # On an OS with systemd, for example CentOS 7
</code>

</note>
===== Example: =====

==== Create user ====

<code>
[root@SSH_SERVER ~]# adduser user1      # Create user1 account and group "user1"
[root@SSH_SERVER ~]# adduser user2      # Create user2 account and group "user2"
[root@SSH_SERVER ~]# passwd user1       # Set password for user1
...
[root@SSH_SERVER ~]# passwd user2       # Set password for user2
...
</code>

==== Update SSHD Configuration ====

<code>
[root@SSH_SERVER ~]# vi /etc/ssh/sshd_config      # Put your rules at the end of this file
....
# Deny access for "user1" from ANY IP
DenyGroups user1
# Deny access for "user2" from ANY IP
DenyGroups user2
</code>

==== Restart SSHD ====

<code>
[root@SSH_SERVER ~]# systemctl restart sshd       # Restart SSHD so that the change takes effect
</code>

==== Test to connect ====

<code>
[user@SSH_CLIENT ~]$ ssh user1@SSH_SERVER            # Uses rule "DenyGroups user1"
user1@SSH_SERVER's password:
Permission denied, please try again.
user1@SSH_SERVER's password:
Permission denied, please try again.
user1@SSH_SERVER's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

[user1@SSH_SERVER ~]$ ssh user2@127.0.0.1            # Uses rule "DenyGroups user2"
user2@127.0.0.1's password:
Permission denied, please try again.
user2@127.0.0.1's password:
Permission denied, please try again.
user2@127.0.0.1's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
</code>
