Deny ssh access linux

How to Enable/Disable SSH access for a particular user or user group in Linux

Based on your organization standard policy, you may need to allow only the list of users or user groups who are allowed to access the Linux system.

How to achieve this? Which is the simple and best way?

There are many ways to do this. However, we will go with the simplest method.

It can be done by making the necessary changes in /etc/ssh/sshd_config file.

In this article we show how to do this in detail.

Why do this? For security reasons. Navigate to the following URL to learn more about OpenSSH usage.

What Is SSH?

OpenSSH stands for OpenBSD Secure Shell. Secure Shell (SSH) is a free, open source networking tool that allows us to access a remote system over an unsecured network using the Secure Shell (SSH) protocol.

It uses a client-server architecture. It handles user authentication, encryption, file transfer between computers and tunneling.

The same tasks can be accomplished with traditional tools such as telnet or rcp, but these are insecure and transmit passwords in cleartext while performing any action.

How to Allow a User to access SSH in Linux?

We can allow/enable SSH access for a particular user or a list of users with the following method.

If you would like to allow more than one user, add the users separated by spaces on the same line.

To do so, just append the following line to the /etc/ssh/sshd_config file.

In this example, we are going to allow SSH access for user3.

# echo "AllowUsers user3" >> /etc/ssh/sshd_config

You can double check this by running the following command.

# cat /etc/ssh/sshd_config | grep -i allowusers
AllowUsers user3

That’s it. Just bounce the ssh service and see the magic.

# systemctl restart sshd
# service sshd restart

Simply open a new terminal or session and try to access the Linux system with a different user. For example, user2 is not allowed to log in via SSH and will get an error message as shown below.

# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.

Mar 29 02:00:35 CentOS7 sshd[4900]: User user2 from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:35 CentOS7 sshd[4900]: input_userauth_request: invalid user user2 [preauth]
Mar 29 02:00:40 CentOS7 unix_chkpwd[4902]: password check failed for user (user2)
Mar 29 02:00:40 CentOS7 sshd[4900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=user2
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user user2 from 192.168.1.6 port 42568 ssh2

At the same time, user3 is allowed to log in because it is in the allowed users list.

# ssh [email protected]
[email protected]'s password:
[[email protected] ~]$

Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for user3 from 192.168.1.6 port 42590 ssh2
Mar 29 02:01:13 CentOS7 sshd[4939]: pam_unix(sshd:session): session opened for user user3 by (uid=0)

How To Block Users To Access SSH In Linux?

We can block/disable SSH access for a particular user or a list of users with the following method.

If you would like to block more than one user, add the users separated by spaces on the same line.

To do so, just append the following line to the /etc/ssh/sshd_config file. In this example, we are going to block SSH access for user1.

# echo "DenyUsers user1" >> /etc/ssh/sshd_config

You can double check this by running the following command.

# cat /etc/ssh/sshd_config | grep -i denyusers
DenyUsers user1

That's it. Just bounce the ssh service and see the magic.

# systemctl restart sshd
# service sshd restart

Simply open a new terminal or session and try to access the Linux system with the blocked user. Since user1 is in the blocked users list, you will get an error message as shown below when you try to log in.

# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.

Mar 29 01:53:42 CentOS7 sshd[4753]: User user1 from 192.168.1.6 not allowed because listed in DenyUsers
Mar 29 01:53:42 CentOS7 sshd[4753]: input_userauth_request: invalid user user1 [preauth]
Mar 29 01:53:46 CentOS7 unix_chkpwd[4755]: password check failed for user (user1)
Mar 29 01:53:46 CentOS7 sshd[4753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=user1
Mar 29 01:53:48 CentOS7 sshd[4753]: Failed password for invalid user user1 from 192.168.1.6 port 42522 ssh2

How to Allow user groups to Access SSH in Linux?

We can allow/grant SSH access for a particular group or a list of groups with the following method.

If you would like to allow more than one group, add the groups separated by spaces on the same line.

To do so, just append the following line to the /etc/ssh/sshd_config file. In this example, we are going to allow SSH access for the 2g-admin group.

# echo "AllowGroups 2g-admin" >> /etc/ssh/sshd_config

You can double check this by running the following command.

# cat /etc/ssh/sshd_config | grep -i allowgroups
AllowGroups 2g-admin

Run the following command to list the users that belong to this group.

# getent group 2g-admin
2g-admin:x:1005:user1,user2,user3

That’s it. Just bounce the ssh service and see the magic.

# systemctl restart sshd
# service sshd restart

Yes, user1 is allowed to log in because user1 belongs to the 2g-admin group.

# ssh user1@192.168.1.4
[email protected]'s password:
[[email protected] ~]$

Mar 29 02:10:21 CentOS7 sshd[5165]: Accepted password for user1 from 192.168.1.6 port 42640 ssh2
Mar 29 02:10:22 CentOS7 sshd[5165]: pam_unix(sshd:session): session opened for user user1 by (uid=0)

Yes, user2 is allowed to log in because user2 belongs to the 2g-admin group.

# ssh [email protected]
[email protected]'s password:
[[email protected] ~]$

Mar 29 02:10:38 CentOS7 sshd[5225]: Accepted password for user2 from 192.168.1.6 port 42642 ssh2
Mar 29 02:10:38 CentOS7 sshd[5225]: pam_unix(sshd:session): session opened for user user2 by (uid=0)

When you try to log in with any other user that is not part of this group, you will get an error message as shown below.

# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.

Mar 29 02:12:36 CentOS7 sshd[5306]: User ladmin from 192.168.1.6 not allowed because none of user's groups are listed in AllowGroups
Mar 29 02:12:36 CentOS7 sshd[5306]: input_userauth_request: invalid user ladmin [preauth]
Mar 29 02:12:56 CentOS7 unix_chkpwd[5310]: password check failed for user (ladmin)
Mar 29 02:12:56 CentOS7 sshd[5306]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=ladmin
Mar 29 02:12:58 CentOS7 sshd[5306]: Failed password for invalid user ladmin from 192.168.1.6 port 42674 ssh2
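The sshd excerpts above all carry the same tell: the access-policy verdict is logged once, at [preauth], and the "Failed password for invalid user" line that follows is only PAM failing a user sshd has already refused. The following added example (not part of the article) extracts those verdicts from sample log text so a defender can see who is being rejected, from where, and by which directive; the log lines it embeds are constructed from the ones quoted in this article.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Policy verdict: "User <name> from <rhost> not allowed because <reason>".
POLICY_REJECT = re.compile(r"sshd\[\d+\]: User (\S+) from (\S+) not allowed because (.+)$")
# Successful logins: "Accepted <method> for <name> from <rhost> port <n>".
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize_sshd_access(log_text: str) -> Tuple[Dict[str, Counter], List[Tuple[str, str, str]]]:
    """Return ({rhost: Counter of "user: reason"}, [(user, rhost, method) for accepted logins]).

    "Failed password" / pam_unix lines are deliberately ignored: for a policy-rejected
    user they are a side effect of the rejection, not a separate event worth counting.
    """
    rejects: Dict[str, Counter] = defaultdict(Counter)
    accepted: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = POLICY_REJECT.search(line)
        if m:
            user, rhost, reason = m.groups()
            rejects[rhost][f"{user}: {reason}"] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, rhost = m.groups()
            accepted.append((user, rhost, method))
    return dict(rejects), accepted

# Constructed sample: sshd lines quoted in this article, one per line.
SAMPLE_LOG = """\
Mar 29 02:00:35 CentOS7 sshd[4900]: User user2 from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:35 CentOS7 sshd[4900]: input_userauth_request: invalid user user2 [preauth]
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user user2 from 192.168.1.6 port 42568 ssh2
Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for user3 from 192.168.1.6 port 42590 ssh2
Mar 29 01:53:42 CentOS7 sshd[4753]: User user1 from 192.168.1.6 not allowed because listed in DenyUsers
Mar 29 02:12:36 CentOS7 sshd[5306]: User ladmin from 192.168.1.6 not allowed because none of user's groups are listed in AllowGroups
"""

if __name__ == "__main__":
    rejects, accepted = summarize_sshd_access(SAMPLE_LOG)
    for rhost, counter in rejects.items():
        for what, n in counter.items():
            print(f"{rhost}: {what} (x{n})")
    print("accepted:", accepted)
```

Feed it `journalctl -u sshd` or /var/log/secure output and a single source address piling up policy rejects across many account names stands out immediately.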

How to block user group to Access SSH in Linux?

We can block/disable SSH access for a particular group or a list of groups with the following method.

If you would like to block more than one group, add the groups separated by spaces on the same line.

To do so, just append the following line to the /etc/ssh/sshd_config file.

# echo "DenyGroups 2g-admin" >> /etc/ssh/sshd_config

You can double check this by running the following command.

# cat /etc/ssh/sshd_config | grep -i denygroups
DenyGroups 2g-admin

# getent group 2g-admin
2g-admin:x:1005:user1,user2,user3

That’s it. Just bounce the ssh service and see the magic.

# systemctl restart sshd
# service sshd restart

Yes, user1 isn't allowed to log in because it belongs to the 2g-admin group, which is listed in DenyGroups.

# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.

Mar 29 02:17:32 CentOS7 sshd[5400]: User user1 from 192.168.1.6 not allowed because a group is listed in DenyGroups
Mar 29 02:17:32 CentOS7 sshd[5400]: input_userauth_request: invalid user user1 [preauth]
Mar 29 02:17:38 CentOS7 unix_chkpwd[5402]: password check failed for user (user1)
Mar 29 02:17:38 CentOS7 sshd[5400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=user1
Mar 29 02:17:41 CentOS7 sshd[5400]: Failed password for invalid user user1 from 192.168.1.6 port 42710 ssh2

Anyone can log in except members of the 2g-admin group. Hence, the ladmin user is allowed to log in.

# ssh [email protected]
[email protected]'s password:
[[email protected] ~]$

Mar 29 02:19:13 CentOS7 sshd[5432]: Accepted password for ladmin from 192.168.1.6 port 42716 ssh2
Mar 29 02:19:13 CentOS7 sshd[5432]: pam_unix(sshd:session): session opened for user ladmin by (uid=0)
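The four sections above (AllowUsers, DenyUsers, AllowGroups, DenyGroups) each show one directive in isolation; what matters in practice is how sshd combines them. sshd_config(5) documents the order as DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and a login is refused by the first directive that rules against it. The following added example (my own model, not sshd's code) implements that order, including the USER@HOST pattern form, and returns the same reason phrases sshd writes to the log; the config strings are constructed for the demonstration.

```python
import fnmatch
from typing import Dict, List, Sequence, Tuple

# Model of sshd's access-directive evaluation. Order per sshd_config(5):
# DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups. Added example, not sshd code.

def parse_access_directives(config_text: str) -> Dict[str, List[str]]:
    """Collect the patterns given to the four directives (keywords are case-insensitive)."""
    lists: Dict[str, List[str]] = {k: [] for k in ("denyusers", "allowusers", "denygroups", "allowgroups")}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue  # blank or commented-out line, e.g. "#AllowUsers joe"
        key = parts[0].lower()
        if key in lists:
            lists[key].extend(parts[1:])
    return lists

def _user_matches(pattern: str, user: str, host: str) -> bool:
    """User patterns accept '*' and '?' wildcards and the USER@HOST form."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, user_pat) and fnmatch.fnmatchcase(host, host_pat)
    return fnmatch.fnmatchcase(user, pattern)

def _group_matches(patterns: Sequence[str], groups: Sequence[str]) -> bool:
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)

def ssh_login_allowed(config_text: str, user: str, groups: Sequence[str],
                      host: str = "") -> Tuple[bool, str]:
    """Return (allowed, reason); the reasons mirror the messages sshd logs on rejection."""
    d = parse_access_directives(config_text)
    if any(_user_matches(p, user, host) for p in d["denyusers"]):
        return False, "not allowed because listed in DenyUsers"
    if d["allowusers"] and not any(_user_matches(p, user, host) for p in d["allowusers"]):
        return False, "not allowed because not listed in AllowUsers"
    if _group_matches(d["denygroups"], groups):
        return False, "not allowed because a group is listed in DenyGroups"
    if d["allowgroups"] and not _group_matches(d["allowgroups"], groups):
        return False, "not allowed because none of user's groups are listed in AllowGroups"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed config: both group directives name 2g-admin, so DenyGroups wins
    # for its members and everyone else fails AllowGroups - nobody can log in.
    cfg = "AllowGroups 2g-admin\nDenyGroups 2g-admin\n"
    for user, groups in (("user1", ["2g-admin"]), ("ladmin", ["ladmin"])):
        print(user, ssh_login_allowed(cfg, user, groups))
```

Because the article appends directives with `echo >>`, it is worth running `sshd -t` to validate the file before restarting, and keeping your current session open until a second login has confirmed that the account you administer from still matches the allow rules.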


Limit SSH Access on Linux

Allow or deny SSH? You may want to provide secure and limited SSH access to your public hosts, using SSH keys. Here's a simple way to do it.

Julian Balog


Care for a better security with SSH?

If you do, perhaps you don't want to allow root SSH access to your public hosts, facing the world. Instead you'd prefer the use of SSH keys for select users, except root. Here's a quick guide on how to set this up.

These instructions apply for Ubuntu 18.04 and can easily be adapted for the vast majority of Linux platforms.

Let’s start with installing openssh-server on your remote Linux host:

sudo apt-get install -y openssh-server 

Once installed, you can verify the status of the SSH service with:


A running status of the SSH service should yield an output similar to:

● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enab
   Active: active (running) since Thu 2019-01-31 23:02:43 EST; 15s ago
 Main PID: 2563 (sshd)
    Tasks: 1 (limit: 2321)
   CGroup: /system.slice/ssh.service
           └─2563 /usr/sbin/sshd -D

Jan 31 23:02:43 ginger systemd[1]: Starting OpenBSD Secure Shell server.
Jan 31 23:02:43 ginger sshd[2563]: Server listening on 0.0.0.0 port 22.
Jan 31 23:02:43 ginger sshd[2563]: Server listening on :: port 22.
Jan 31 23:02:43 ginger systemd[1]: Started OpenBSD Secure Shell server.

By default, the local user accounts on your remote Linux host (including root) are allowed SSH access, using their system credentials. Let's assume you want to enable exclusive SSH access to user joe. This could be an existing account, or you can create it with:

sudo useradd -m -d /home/joe -s /bin/bash joe 

Set the password for user joe:

We can add joe to the sudoers and also to a custom ssh group (e.g. for users with SSH access):

sudo usermod -aG sudo,ssh joe 

Let's give joe exclusive SSH access. Make the following change in the /etc/ssh/sshd_config file:

Alternatively we could enable exclusive SSH access to the ssh group:

#AllowUsers joe
AllowGroups ssh

Restart the SSH service to make changes effective:

Now for any other user, except joe (or users in the ssh group, if you chose the AllowGroups ssh alternative), the SSH login attempt would result in a permission error:

Permission denied, please try again. 

Let’s try to further secure SSH access and replace the SSH password authentication with public key authentication. For this you’ll need to generate a public/private key pair on the client machine used for SSH access. You may already have this key pair generated (check for the ~/.ssh/id_rsa and the ~/.ssh/id_rsa.pub files). Here’s the command to generate the key pair:

Replace NAME with the name of your local client machine, or anything you’d prefer to name your public key with. You can verify the newly generated public key with:

Next, copy the public key to your remote Linux host, targeted for SSH access. Keep in mind that at this time you still need to have password authentication enabled on your remote Linux host.

ssh-copy-id -i .ssh/id_rsa.pub joe@your_remote_host 

At this point you’ll be able to SSH into your remote Linux host without password authentication:

Finally, disable SSH password authentication and enable SSH public key authentication on your remote Linux host. Make the following changes in /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes

You now have SSH access limited to select users (joe, or users in the ssh group), using SSH keys for authentication.
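The end state this guide aims at is easy to get subtly wrong: sshd uses the first value it reads for a keyword, so a `PasswordAuthentication no` appended after an earlier `PasswordAuthentication yes` changes nothing, and directives placed after a `Match` line apply only when that condition holds. The following added example (my own check, not from the guide) reads sshd_config text with those two rules and reports whether the intended policy (no passwords, keys on, an allow list that excludes root) is actually in effect; the config strings are constructed.

```python
from typing import Dict, List

# Added example: audit sshd_config against the policy this guide sets up.
# sshd_config(5): the first obtained value of a keyword wins, and lines after a
# Match block are conditional, so the global scan stops at the first "Match".

def effective_settings(config_text: str) -> Dict[str, List[str]]:
    """Map each keyword (lowercased) to the values on its first non-comment occurrence."""
    found: Dict[str, List[str]] = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue  # blank or commented-out line, e.g. "#AllowUsers joe"
        key = parts[0].lower()
        if key == "match":
            break  # everything below applies only inside that Match block
        found.setdefault(key, parts[1:])  # first value wins; later duplicates are ignored
    return found

def audit_sshd_config(config_text: str) -> List[str]:
    """Return findings; an empty list means the config matches the intended policy."""
    s = effective_settings(config_text)
    findings: List[str] = []
    # The fallbacks below are sshd's compiled-in defaults when the keyword is absent.
    if s.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': passwords are still accepted")
    if s.get("pubkeyauthentication", ["yes"])[0].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: key logins would fail")
    if s.get("permitrootlogin", ["prohibit-password"])[0].lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    allow_users, allow_groups = s.get("allowusers", []), s.get("allowgroups", [])
    if not allow_users and not allow_groups:
        findings.append("no AllowUsers/AllowGroups: every local account may log in")
    elif "root" in allow_users:  # literal check only; wildcard patterns are not expanded
        findings.append("root is explicitly listed in AllowUsers")
    return findings

if __name__ == "__main__":
    # Constructed config text reflecting the guide's final sshd_config lines.
    cfg = "#AllowUsers joe\nAllowGroups ssh\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
    print(audit_sshd_config(cfg) or "no findings")
```

For the live file, `sshd -T` prints the effective configuration after all parsing, which is the authoritative check once the audit passes on the text.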
