iznobe
Posts: 426
Joined: Sun Feb 05, 2017 4:14 pm
Location: Avignon , FRANCE

[ SOLVED ] SSH configuration

Wed Jan 15, 2020 3:09 pm

Hello,
I would like to connect to my Pi 3 SSH server ONLY when I'm on my local network!

I've searched a lot; everybody needs exactly the reverse :D .

I've tried editing the /etc/ssh/sshd_config file and putting a listen address in it, but this doesn't work after restarting the ssh service...

Any help to do this would be appreciated.
Last edited by iznobe on Thu Jan 16, 2020 9:15 am, edited 1 time in total.

DirkS
Posts: 10447
Joined: Tue Jun 19, 2012 9:46 pm
Location: Essex, UK

Re: SSH configuration

Wed Jan 15, 2020 3:16 pm

So your SSH server is *not* in your local network?
If it *is* in the local network then by default you should not have any access from remote locations...

tpyo kingg
Posts: 908
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: SSH configuration

Wed Jan 15, 2020 3:28 pm

I would set the default to disallow access and then take a look at the Match directive for sshd_config and how it can use LocalAddress and/or Address to allow access when the machine is on the LAN. That is, assuming your LAN is always the same, you can annotate it in sshd_config using CIDR notation. It may take a bit of trial and error.

See "man sshd_config" and scroll down to "Match"

iznobe
Posts: 426
Joined: Sun Feb 05, 2017 4:14 pm
Location: Avignon , FRANCE

Re: SSH configuration

Wed Jan 15, 2020 3:36 pm

DirkS wrote:
Wed Jan 15, 2020 3:16 pm
So your SSH server is *not* in your local network?
If it *is* in the local network then by default you should not have any access from remote locations...
The SSH access can be reached from the internet and locally (or am I wrong?).
My Pi is in my local network, but it can be accessed by everyone on the internet because I've made a little site.

So I would like to limit the addresses that can access my SSH server to the local network only.

protosam
Posts: 40
Joined: Wed Jan 15, 2020 12:52 am

Re: SSH configuration

Wed Jan 15, 2020 3:53 pm

This is a non-issue on typical consumer routers. Your internal NAT would be only internal until you do port forwarding in the router config.

Out of curiosity, can you confirm if SSHD is even working at all for you? It sounds like you are just wanting to narrow it down to only bind one interface.

Regardless, I just tested this on my Pi and it works... the steps are:

Get the interface IP address:

Code:
# ip a

Edit sshd_config to have ListenAddress:

Code:
# nano /etc/ssh/sshd_config

Restart SSHD to apply changes:

Code:
# systemctl restart sshd

Confirm changes:

Code:
# netstat -plnt

Troubleshooting
Make sure you don't have extra "ListenAddress" attributes defined:

Code:
# grep ListenAddress /etc/ssh/sshd_config
ListenAddress 192.168.86.61
#ListenAddress ::

Try logging out/in to the Pi to release any connections to old SSHD processes.

What output are you getting from netstat?

Code:
# netstat -plnt

Have you checked the logs for ssh?

Code:
# journalctl -l | grep sshd -i
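The two mechanisms suggested above are not equivalent. ListenAddress only chooses which local address sshd binds to; a connection the router port-forwards to the Pi still arrives at the Pi's LAN address, so it passes that check. The Match directive from tpyo kingg's reply looks at the peer's source address instead. The script below is an added example, not code from the thread: it writes a Match fragment that denies every login method by default and re-enables them only for the LAN, validates it with sshd's own parser before restarting, and shows the listener with ss (netstat is not installed on current Raspbian by default). The LAN range 192.168.1.0/24, the Raspbian unit name ssh, and the assumption that apply_lan_only is run as root on the Pi are mine, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread: restrict sshd logins to the LAN
# with a Match block and verify the config before restarting sshd.
# Assumptions: LAN is 192.168.1.0/24 (override with LAN_CIDR), Raspbian
# with OpenSSH 7.x or later, and apply_lan_only is run as root on the Pi.
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# Emit the sshd_config fragment. The global lines refuse every login method;
# the Match block turns them back on only for peers whose SOURCE address is
# on the LAN or loopback. ListenAddress cannot do this: it only picks the
# local address sshd binds, and a port-forwarded connection still arrives
# at the Pi's LAN address.
lan_only_sshd_fragment() {
    cidr="$1"
    cat <<EOF

# --- LAN-only SSH: keep this at the END of sshd_config, because every
# --- line after a Match keyword belongs to that Match block.
PasswordAuthentication no
PubkeyAuthentication no
Match Address ${cidr},127.0.0.1,::1
    PubkeyAuthentication yes
    PasswordAuthentication yes
EOF
}

# Run sshd's own parser over a candidate file without touching the live
# daemon. Exit 0 = accepted, 2 = sshd is not installed on this machine.
check_sshd_config() {
    candidate="$1"
    command -v sshd >/dev/null 2>&1 || return 2
    sshd -t -f "$candidate"
}

# Apply on the Pi: back up, append, test, restart, then show who listens on 22.
# If sshd rejects the new config the backup is restored and nothing restarts.
apply_lan_only() {
    cfg=/etc/ssh/sshd_config
    backup="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp "$cfg" "$backup"
    lan_only_sshd_fragment "$LAN_CIDR" >> "$cfg"
    if check_sshd_config "$cfg"; then
        systemctl restart ssh        # Raspbian unit name; sshd is an alias
        ss -ltnp | grep ':22 '       # replacement for netstat -plnt
        echo "Keep this session open and test a NEW login from the LAN and from outside."
    else
        cp "$backup" "$cfg"
        echo "sshd rejected the new config; restored $backup" >&2
        return 1
    fi
}

# Preview the fragment (safe: prints only, changes nothing).
lan_only_sshd_fragment "$LAN_CIDR"
```

Test the result from both sides before closing the session that applied it: a login from a LAN host must still work, and one from outside (a phone on mobile data, with the router forwarding port 22 for the test) must be refused with "Permission denied" even with the right password.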

iznobe
Posts: 426
Joined: Sun Feb 05, 2017 4:14 pm
Location: Avignon , FRANCE

Re: SSH configuration

Wed Jan 15, 2020 4:03 pm

In fact, I haven't done any port redirection in my router for SSH and port 22.

But I would like to be certain that it can't be accessed by any address that is not in my local network.

I'm not sure it makes sense to do this??

tpyo kingg
Posts: 908
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: SSH configuration

Wed Jan 15, 2020 7:50 pm

iznobe wrote:
Wed Jan 15, 2020 4:03 pm
In fact, I haven't done any port redirection in my router for SSH and port 22.
You can look using a service like Can You See Me and check port 22 for your router:

https://canyouseeme.org/

The overwhelming odds are that, unless you went out of your way to configure port forwarding, you cannot reach your Raspberry Pi from the outside. You can log into your router's administrative interface and verify that there is no forwarding.

Another way would be to have a machine outside your LAN use nmap or other scanner on your router, but that would achieve the same as Can You See Me only with more effort.

iznobe
Posts: 426
Joined: Sun Feb 05, 2017 4:14 pm
Location: Avignon , FRANCE

Re: SSH configuration

Thu Jan 16, 2020 9:05 am

Hello, and thanks for the advice and the link for testing ports.

In fact, port 22 is not reachable by others ;)

Is it really sufficient to protect the Pi against attack? And the other computers?

In my router, I've done a port forwarding, just in case :lol:; I've checked too, and it seems not to be reachable.

So it seems all is OK at this point, and the SSH configuration seems not to be accessible to others, so problem solved!



Now, on my Pi, I've made an HTML site; of course it is open on the Pi's local port 80.
On the router, I've done a port forwarding for this service too. It is working like a charm, but it is totally open.

This site is just to control doors; it is written in PHP.

I protect access with a username and password.
I would like to configure fail2ban with HTTP access to limit brute-force attacks on it.

I've tried several things, but it seems not to be working:

Code:
pi@raspberrypi:~ $ sudo fail2ban-client status
 Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
pi@raspberrypi:~ $

In the file /etc/fail2ban/jail.conf the first lines are:
YOU SHOULD NOT MODIFY THIS FILE
So I'm looking for a tutorial explaining how to create a specific conf file for the HTTP service in the directory /etc/fail2ban/jail.d/


In the meantime, I've been taking a look at the dedicated fail2ban documentation.

Thanks to all for your time and responses!
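What the fail2ban question needs is two small files, a filter in filter.d and a jail in jail.d, plus one thing the thread does not mention: fail2ban can only ban what it can read, so the PHP login must write one log line per failed attempt that contains the client's IP. The script below is an added example, not from the thread or from the fail2ban project. The log line format, the log path /var/log/doorsite/auth.log, the jail name doorsite and the ban thresholds are assumptions of mine; the PHP side would produce that line with something like error_log(date('Y-m-d H:i:s ') . "door-login FAILED user=$u ip=$_SERVER[REMOTE_ADDR]\n", 3, '/var/log/doorsite/auth.log'). The "Failed to access socket path" message in the post means the daemon is not running, which install_doorsite_jail handles with enable --now. The offline check uses GNU grep as a stand-in for fail2ban-regex so the regex can be exercised on the constructed sample log without fail2ban installed.

```shell
#!/bin/sh
# Added example, not from the thread: a fail2ban filter + jail for the PHP
# door-control login. Assumed (constructed for this example) log line:
#   2020-01-16 09:05:01 door-login FAILED user=admin ip=203.0.113.5
# written by the PHP login page with error_log(..., 3, "$LOGFILE").
# Assumed paths under /etc/fail2ban; fail2ban 0.10 as shipped by Raspbian.
LOGFILE="/var/log/doorsite/auth.log"
FAILREGEX='^.*door-login FAILED user=[^ ]+ ip=<HOST>$'

# filter.d/doorsite.conf: <HOST> is fail2ban's placeholder for the IP to ban;
# %% is how a literal % is written in fail2ban .conf files.
doorsite_filter() {
    cat <<EOF
[Definition]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
failregex = ${FAILREGEX}
ignoreregex =
EOF
}

# jail.d/doorsite.conf: lives in jail.d, so jail.conf stays untouched as its
# header demands. 5 failures within 10 minutes ban the IP for an hour on the
# web ports (the login is over HTTP, so "port = ssh" would be useless here).
doorsite_jail() {
    cat <<EOF
[doorsite]
enabled  = true
port     = http,https
filter   = doorsite
logpath  = ${LOGFILE}
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# Offline check of the regex with GNU grep: <HOST> is swapped for an IP
# pattern and matching lines are counted. On the Pi the authoritative test is
#   fail2ban-regex "$LOGFILE" /etc/fail2ban/filter.d/doorsite.conf
count_failures() {
    pattern=$(printf '%s' "$FAILREGEX" | sed 's/<HOST>/[0-9a-fA-F.:]+/')
    grep -cE "$pattern"
}

# Constructed sample log: three failures (two from one client) and one success.
SAMPLE_LOG='2020-01-16 09:05:01 door-login FAILED user=admin ip=203.0.113.5
2020-01-16 09:05:03 door-login FAILED user=admin ip=203.0.113.5
2020-01-16 09:05:09 door-login OK user=pi ip=192.168.1.20
2020-01-16 09:05:12 door-login FAILED user=root ip=198.51.100.7'

# Install on the Pi (run as root). The log file must exist before fail2ban
# starts, and PHP under Apache writes as www-data.
install_doorsite_jail() {
    doorsite_filter > /etc/fail2ban/filter.d/doorsite.conf
    doorsite_jail   > /etc/fail2ban/jail.d/doorsite.conf
    mkdir -p "$(dirname "$LOGFILE")" && touch "$LOGFILE"
    chown www-data "$LOGFILE"
    fail2ban-regex "$LOGFILE" /etc/fail2ban/filter.d/doorsite.conf
    systemctl enable --now fail2ban && systemctl restart fail2ban
    fail2ban-client status doorsite
}

printf '%s\n' "$SAMPLE_LOG" | count_failures    # prints 3
```

Two caveats worth checking on the real box: if the site ever sits behind a reverse proxy, REMOTE_ADDR is the proxy's address and the jail would ban the proxy, and the login page must log the failure before it returns the error to the client, otherwise the count in the log lags the attacker.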

TheoPA3DSS
Posts: 29
Joined: Fri Nov 09, 2018 9:27 am
Location: Netherlands

Re: [ SOLVED ] SSH configuration

Thu Jan 16, 2020 9:24 am

I solved this with iptables, just two lines:

Code:
# accept SSH from the LAN
sudo iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED --source 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# drop SSH from everywhere else
sudo iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j DROP
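Those two rules do the job, with two things to keep in mind: -A appends, so any earlier blanket ACCEPT rule in INPUT would still win, and plain iptables commands are gone after a reboot. The script below is an added example, not from the thread: it puts the same policy in a dedicated chain jumped to from position 1 of INPUT, keeps loopback working, logs refused attempts at a limited rate, can be re-run without duplicating rules, and saves the result. The LAN range 192.168.1.0/24, port 22 and the iptables-persistent package (netfilter-persistent save) are assumptions of mine. It covers IPv4 only; sshd also listens on ::, so either mirror the rules with ip6tables or rely on a Match Address block in sshd_config for the IPv6 side.

```shell
#!/bin/sh
# Added example, not code from the thread: the LAN-only SSH rules as a
# dedicated iptables chain with explicit ordering, logging and persistence.
# Assumptions: LAN 192.168.1.0/24 (LAN_CIDR), SSH on port 22 (SSH_PORT),
# Raspbian with iptables-persistent installed. Run apply_ssh_lan_rules as root.
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the commands instead of running them so they can be reviewed first.
# "-A INPUT" appends AFTER existing rules, where an earlier ACCEPT would win;
# jumping from position 1 of INPUT into our own chain avoids that. The -D
# before -I removes a previous jump so re-running does not stack duplicates.
ssh_lan_rules() {
    cidr="$1"; port="$2"
    cat <<EOF
iptables -N SSH_LAN 2>/dev/null || true
iptables -F SSH_LAN
iptables -A SSH_LAN -i lo -j ACCEPT
iptables -A SSH_LAN -s ${cidr} -j ACCEPT
iptables -A SSH_LAN -m limit --limit 5/min -j LOG --log-prefix "ssh-nonlan: "
iptables -A SSH_LAN -j DROP
iptables -D INPUT -p tcp --dport ${port} -j SSH_LAN 2>/dev/null || true
iptables -I INPUT 1 -p tcp --dport ${port} -j SSH_LAN
EOF
}

# Self-check before applying: the LAN ACCEPT must come before the DROP.
rules_accept_before_drop() {
    ssh_lan_rules "$1" "$2" | awk -v cidr="$1" '
        /-j ACCEPT/ && index($0, "-s " cidr) { acc = NR }
        /-j DROP/                              { drop = NR }
        END { exit !(acc && drop && acc < drop) }'
}

# Apply on the Pi, show the live chain, and save so it survives a reboot.
apply_ssh_lan_rules() {
    rules_accept_before_drop "$LAN_CIDR" "$SSH_PORT" || return 1
    ssh_lan_rules "$LAN_CIDR" "$SSH_PORT" | sh -e
    iptables -S SSH_LAN                              # review the chain
    iptables -L INPUT -n --line-numbers | head -5    # the jump must be line 1
    netfilter-persistent save                        # from iptables-persistent
}

# Preview (safe: prints the commands only).
ssh_lan_rules "$LAN_CIDR" "$SSH_PORT"
```

After applying, refused attempts show up in the kernel log (journalctl -k | grep ssh-nonlan) with the source address, which is a handy way to confirm from a phone on mobile data that the rule is actually hit.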
