Restrict SSH Access to a Specific Hostname

ssh

So here's the problem:

I have a single server with multiple hostnames, meaning I have A records example.com and *.example.com pointing to the server's ip-address
I want to limit incoming ssh connections to a specific hostname, that is I want to allow only logins to user@secret.example.com, and disallow login attempts using user@ip-address or user@example.com

The man page from sshd_config has the following for ListenAddress:

Specifies the local addresses sshd(8) should listen on.  
The following forms may be used:

ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port

which seems to indicate that sshd has the ability to restrict itself to a a specific hostname. However I've tried ListenAddress secret.example.com:22, but after restarting sshd that doesn't seem to add any restrictions based on hostname used.

man sshd_config doesn't seem to show any other options in that vein.

Is there something I'm missing, or does sshd simply not have that ability?

Best Answer

There is no such thing as a "DNS" connection. Once the client gets an IP, it can ONLY make a TCP/IP connection. The server only sees IPs, so it has no idea what name the client used to find the server.

The reason we have website Virtual hosts is because the client transmits a header asking for a specific host. In fact, virtual hosts didn't work with SSL until SSL(TLS) was modified to allow "Server Name Indication" during the initial connection.

For "virtual hosts" to work with SSH, it would need a way for the client to transmit the hostname upon connection. But even if SSH supported such a feature, you're adding zero security by requiring a specific hostname. The reason is that sshd must decrypt the atacker's packet to run the filter. As long as you disable SSH passwords, there's little difference to decrypting the attacker's packet to compare with your SSH key.

If you don't want to be scanned, move the SSH port and/or install fail2ban. If you're really paranoid, you can install a port knocker that "hides" your open port from the casual scanner and/or use iptables to whitelist IP addresses.

Related Solutions

SSH SFTP – Is It Possible to Use rsync Over SFTP Without an SSH Shell?

Unfortunately not directly. rsync requires a clean link with a shell that will allow it to start the remote copy of rsync, when run this way.

If you have some way of running long-lived listening processes on the host you could try starting rsync manually listening for connections on a non-privileged port, but most techniques for doing that would require proper shell access via SSH too, and it relies on the hosts firewall arrangements letting connections in on the port you chose (and the host having rsync installed in the first place). Running rsync as a publicly addressable service (rather than indirectly via SSH or similar) is not generally recommended for non-public data though.

If you host allows scripting in PHP or similar and does not have it locked down so extra processes can not be execed by user scripts, then you could try starting rsync in listening mode that way. If your end is connectible (you are running SSH accessible to the outside world) you could try this in reverse - have a script run rsync on the server but instead of listening for incoming connections have it contact your local service and sync that way. This still relies on rsync actually being installed on the host which is not a given, or that you can upload a working copy, but does not have the security implications of running an rsync daemon in a publicly addressable fashion and talking to it over an unencrypted channel.

Messing around as described above may be against the hosts policies though, even if it works at all, and could get you kicked off. You are better off asking if a full shell can be enabled for that account and either abandoning rsync for that host or abandoning that host and moving elsewhere if they will not do that.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

SSH SFTP – Is It Possible to Use rsync Over SFTP Without an SSH Shell?

Ssh – How to automate SSH login with password

Related Topic