Disable Network Interface for SSH

Tags: firewall, networking, ssh

On my Linux machine, I have 10 network interfaces available, like eth0, eth0.67, eth0.70, eth0.97, etc.

When I run the command nc 160.48.249.170 22 to check, I get the output below:

root@icon:~# nc 160.48.249.170 22
SSH-2.0-OpenSSH_8.2

On my system, eth0.97 has the inet address 160.48.249.170. So here SSH is listening on interface eth0.97.

Similarly, SSH is listening on all 10 available interfaces. How do I disable or enable SSH listening on one particular interface?

In /etc/ssh/sshd_config, the configuration was as below:

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

I changed it as below to listen on only one interface and restarted ssh:

#Port 22
#AddressFamily any
ListenAddress 160.48.199.186
#ListenAddress ::

But even after the above change, ssh is still listening on all interfaces.

Best Answer

I would proceed as follows:

Modify your sshd configuration:

  • Edit the sshd configuration file, typically located at /etc/ssh/sshd_config.
  • Look for the option ListenAddress. By default, it's commented out (#ListenAddress).
  • Uncomment the line and add the IP address of your interface you want to use.

Configure your Firewall if applicable

Additionally, I would restrict SSH access using the system firewall. I assume that you use UFW, but this should work with any firewall.

  • Deny all incoming traffic using sudo ufw default deny incoming (note that this blocks EVERYTHING, so make sure that you won't lose your connection to the server!).
  • Explicitly allow SSH traffic on your NIC (I assume it's eno0 for this example): sudo ufw allow OpenSSH on eno0 (instead of OpenSSH you can also use your port, e.g. 22).

You could also tinker around with /etc/hosts.deny and /etc/hosts.allow, but I'm not sure if you can define rules on the interface level.


As I saw that you already did step 1 and it didn't help you, I'd assume that you didn't restart ssh correctly. Note that there are two different services:

  • ssh.service
  • sshd.service

The "difference" is explained here.

Maybe there's something messed up. When you check the status of your server, you can see since when it has been running. So make sure that your server really got restarted. (Note that I have an alias status for sudo systemctl status.)

╭─user@host ~
╰─$ status sshd.service
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-04-18 11:42:44 CEST; 7s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 686 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 687 (sshd)
      Tasks: 1 (limit: 9255)
     Memory: 1.6M
        CPU: 63ms
     CGroup: /system.slice/ssh.service
             └─687 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

You can also test your SSH configuration using sudo sshd -t -f /etc/ssh/sshd_config. If there is no error, it won't complain and gives no output.


Edit

I would like to refer here to @Martin's comment. It would be smart to look in /etc/ssh/sshd_config.d/ for other configuration files that might influence the behavior.

Whether the directory is taken into account can be seen from the line Include /etc/ssh/sshd_config.d/*.conf (should be at the top) in /etc/ssh/sshd_config. (This should be the default.)

Note: the path can also be different. For example, Include /etc/ssh/example/example.conf would also include this file if the line is in sshd_config.
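The drop-in check in the edit above matters because ListenAddress is one of the few sshd_config keywords that accumulate rather than taking the first value seen: every ListenAddress line from the main file and from any Include'd file applies, so a drop-in that says ListenAddress 0.0.0.0 re-opens every interface even when the main file pins a single address. The script below is an added example, not code from the question or the answer: it walks a config, follows Include lines (absolute globs only) in the order sshd reads them, lists every ListenAddress that would apply, and flags wildcards. The sample config tree it builds under a temp directory and the drop-in file name 10-example.conf are constructed for this example; the two address values are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the original post): find every ListenAddress that
# sshd would honour, Include'd drop-ins included, without starting sshd.

# Print all ListenAddress values of a config, following Include directives
# where they appear. $1 = path to the sshd_config to inspect.
collect_listen_addresses() {
    _cfg="$1"
    [ -r "$_cfg" ] || return 1
    # Strip comments and blank lines, then walk the directives in file order.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$_cfg" | while read -r key value; do
        case "$key" in
            [Ii]nclude)
                # Include takes a glob; its files are read at this position,
                # so a drop-in above "ListenAddress x.x.x.x" still counts.
                for f in $value; do
                    [ -r "$f" ] && collect_listen_addresses "$f"
                done
                ;;
            [Ll]isten[Aa]ddress)
                echo "$value"
                ;;
        esac
    done
}

# Return 0 if any effective ListenAddress is a wildcard (0.0.0.0 or ::),
# i.e. sshd will still bind every interface regardless of pinned addresses.
has_wildcard_listen() {
    collect_listen_addresses "$1" | grep -qE '^(0\.0\.0\.0|::|\[::\])(:[0-9]+)?$'
}

# Build a constructed sample config tree in a temp dir and print the path of
# its main sshd_config. This mirrors the question: the admin pinned one
# address, but an Include line at the top pulls in a drop-in with a wildcard.
make_sample_config() {
    _dir=$(mktemp -d)
    mkdir -p "$_dir/sshd_config.d"
    # Constructed drop-in, e.g. one shipped by an installer or image.
    printf 'ListenAddress 0.0.0.0\nPasswordAuthentication no\n' \
        > "$_dir/sshd_config.d/10-example.conf"
    # Constructed main file: Include first, then the pinned address.
    printf 'Include %s/sshd_config.d/*.conf\n#Port 22\nListenAddress 160.48.199.186\n' \
        "$_dir" > "$_dir/sshd_config"
    echo "$_dir/sshd_config"
}

CFG=$(make_sample_config)
echo "Effective ListenAddress lines for $CFG:"
collect_listen_addresses "$CFG"
if has_wildcard_listen "$CFG"; then
    echo "WARNING: a wildcard ListenAddress is in effect; sshd will bind all interfaces."
fi
# On a real host, cross-check what sshd actually parsed and what is bound:
#   sudo sshd -T | grep -i listenaddress   # effective config after Includes
#   sudo ss -ltnp | grep sshd              # sockets really listening
```

Run it as-is to see the accumulated list (0.0.0.0 from the drop-in, then 160.48.199.186 from the main file); on the real server, point collect_listen_addresses at /etc/ssh/sshd_config and compare with sudo sshd -T, which is authoritative since it applies sshd's own parsing rules.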
