基于Linux下限制指定用户或IP地址通过SSH登录（访问控制）

原创

wx60c1f94c784b4 2021-06-11 11:20:32 ©著作权

文章标签 Linux系统 Linux教程 文章分类 运维

©著作权归作者所有：来自51CTO博客作者wx60c1f94c784b4的原创作品，请联系作者获取转载授权，否则将追究法律责任

环境介绍：

ssh主机：192.168.2.128

客户端：192.168.2.129

客户端：192.168.2.130

IP限制：

针对指定的IP地址进行限制SSH登录。

1.修改hosts.allow主机允许配置文件，添加允许地址

[root@localhost ~]# vim /etc/hosts.allow
...
sshd:192.168.2.130:allow       //添加只允许连接的IP地址
sshd:192.168.3.0/24:allow      //允许3.0/24这个网段内的IP连接

2.修改hosts.deny主机拒绝配置文件

[root@localhost ~]# vim /etc/hosts.deny
...
sshd:ALL       //这里的ALL表示除了上面文件中允许的，其他的IP地址都拒绝

同时设置上述两个文件时，hosts.allow文件中规则的优先级更高，参考上述两个文件进行设置时，服务器只允许192.168.2.130这个IP地址以及192.168.3.0/24这个IP地址段通过SSH进行登录，其他的IP都会被拒绝SSH登录。

3.重启ssh服务

[root@localhost ~]# systemctl restart sshd

4.测试ssh连接

[root@test2 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.129  netmask 255.255.255.0  broadcast 192.168.2.255
...
        
[root@test2 ~]# ssh root@192.168.2.128
ssh_exchange_identification: read: Connection reset by peer

[root@test2 ~]# ssh -v root@192.168.2.128
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.168.2.128 [192.168.2.128] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
ssh_exchange_identification: read: Connection reset by peer

用户限制

限制某个指定用户通过SSH登录。

1.编辑/etc/ssh/sshd_config配置文件

增加类似如下的Deny Users和AllowUsers等选项，拒绝/只允许指定用户通过SSH登录。然后重启SSH服务即可。

AllowUsers：允许某个用户、某些用户能登录，其它都不能登录
AllowGroups：允许某个组、某些组能登录，其它都不能登录
DenyUsers：拒绝某个用户、某些用户登录，其它都能登录
DenyGroups：拒绝某个组、某些组登录，其它都能登录

如：
AllowUsers lisi test@192.168.2.130
//允许所有网段的lisi用户和192.168.2.130的test用户通过SSH登录系统，其他的都不允许。

AllowUsers test@192.168.2.*
//允许192.168.2.0网段的test用户通过SSH登录系统。

DenyUsers zhangsan lisi
//拒绝zhangsan、lisi用户通过SSH登录系统。

[root@localhost ~]# vim /etc/ssh/sshd_config
...
AllowUsers root@192.168.2.129     //只允许192.168.2.129的root用户登录

[root@localhost ~]# systemctl restart sshd

2.测试只允许192.168.2.129的root用户通过ssh连接主机

[root@test2 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.129  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::6625:cc22:2268:e1f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:1a:8b:61  txqueuelen 1000  (Ethernet)
        RX packets 5466745  bytes 2275431218 (2.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4420539  bytes 1082931575 (1.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@test2 ~]# ssh root@192.168.2.128
Last failed login: Thu Jun 18 16:23:30 CST 2020 from gateway on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Jun 18 16:23:21 2020 from 192.168.2.129
   //成功登录
--------------------------------------------------
[root@test3 ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.130  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::2c27:a02c:731a:2219  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:53:71:a2  txqueuelen 1000  (Ethernet)
        RX packets 140126  bytes 20349622 (19.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31280  bytes 2739647 (2.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@test3 ~]# ssh root@192.168.2.128
root@192.168.2.128's password:
Permission denied, please try again.
   //登录失败