So here's the problem:
- I have a single server with multiple hostnames, meaning I have A records for
  example.com
  and *.example.com
  pointing to the server's IP address
- I want to limit incoming SSH connections to a specific hostname, that is I want to allow only logins to user@secret.example.com, and disallow login attempts using user@ip-address or user@example.com
The man page for sshd_config has the following for ListenAddress:
Specifies the local addresses sshd(8) should listen on.
The following forms may be used:
ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port
which seems to indicate that sshd has the ability to restrict itself to a specific hostname. However I've tried ListenAddress secret.example.com:22, but after restarting sshd that doesn't seem to add any restrictions based on the hostname used.
man sshd_config doesn't seem to show any other options in that vein.
Is there something I'm missing, or does sshd simply not have that ability?
Best Answer
There is no such thing as a "DNS" connection. Once the client gets an IP, it can ONLY make a TCP/IP connection. The server only sees IPs, so it has no idea what name the client used to find the server.
The reason we have website Virtual hosts is because the client transmits a header asking for a specific host. In fact, virtual hosts didn't work with SSL until SSL(TLS) was modified to allow "Server Name Indication" during the initial connection.
For "virtual hosts" to work with SSH, it would need a way for the client to transmit the hostname upon connection. But even if SSH supported such a feature, you're adding zero security by requiring a specific hostname. The reason is that sshd must decrypt the attacker's packet to run the filter. As long as you disable SSH passwords, there's little difference to decrypting the attacker's packet to compare with your SSH key.
If you don't want to be scanned, move the SSH port and/or install fail2ban. If you're really paranoid, you can install a port knocker that "hides" your open port from the casual scanner and/or use iptables to whitelist IP addresses.
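To make the answer's point concrete, here is an added example (not part of the answer above and not OpenSSH code) that parses the only two things an SSH server receives before any cryptography is negotiated: the client's identification line and its SSH_MSG_KEXINIT, laid out as in RFC 4253 sections 4.2, 6 and 7.1. The sample client message, the algorithm names in it and the software string "OpenSSH_9.6" are constructed for the demonstration. Unlike a TLS ClientHello, which carries the requested name in its SNI extension, neither SSH message has a field for the hostname the user typed, so `secret.example.com` never reaches sshd and there is nothing for a `ListenAddress` or `Match` rule to test.

```python
"""What an SSH server sees before encryption starts: the client identification
line and the KEXINIT packet (RFC 4253). Neither carries the hostname the
client resolved, so sshd has no SNI-like value to filter on."""
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]


def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def build_kexinit(name_lists: dict, cookie: bytes) -> bytes:
    """Wrap a KEXINIT payload in an unencrypted binary packet (RFC 4253 s.6).
    Only used here to construct a sample client message offline."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        payload += _ssh_string(",".join(name_lists.get(field, [])).encode())
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved
    # At least 4 bytes of padding; total packet a multiple of the 8-byte
    # block size that applies before any cipher is negotiated.
    pad_len = 8 - ((len(payload) + 5) % 8)
    if pad_len < 4:
        pad_len += 8
    body = bytes([pad_len]) + payload + bytes(pad_len)
    return struct.pack(">I", len(body)) + body


def parse_id_line(line: bytes) -> dict:
    """Parse 'SSH-protoversion-softwareversion SP comments CR LF'."""
    text = line.rstrip(b"\r\n").decode("ascii")
    ident, _, comment = text.partition(" ")
    tag, proto, software = ident.split("-", 2)
    if tag != "SSH":
        raise ValueError("not an SSH identification line")
    return {"protoversion": proto, "softwareversion": software, "comments": comment}


def parse_kexinit(packet: bytes) -> dict:
    """Parse an unencrypted binary packet carrying SSH_MSG_KEXINIT."""
    (packet_length,) = struct.unpack(">I", packet[:4])
    pad_len = packet[4]
    payload = packet[5:4 + packet_length - pad_len]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT")
    out, pos = {"cookie": payload[1:17]}, 17
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        out[field] = raw.split(",") if raw else []
    out["first_kex_packet_follows"] = bool(payload[pos])
    return out


def mentions_host(pre_auth_bytes: bytes, hostname: str) -> bool:
    """True if the hostname appears in what the server received before
    encryption started. Always False for SSH; a TLS ClientHello with SNI
    would return True."""
    return hostname.encode() in pre_auth_bytes


# Constructed sample: the first bytes a client sends after the user typed
# `ssh user@secret.example.com`. Cookie fixed so the example is reproducible.
SAMPLE_ID_LINE = b"SSH-2.0-OpenSSH_9.6 constructed-sample\r\n"
SAMPLE_KEXINIT = build_kexinit(
    {
        "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256"],
        "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512"],
        "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com"],
        "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com"],
        "mac_algorithms_client_to_server": ["hmac-sha2-256"],
        "mac_algorithms_server_to_client": ["hmac-sha2-256"],
        "compression_algorithms_client_to_server": ["none"],
        "compression_algorithms_server_to_client": ["none"],
    },
    cookie=bytes(range(16)),
)
```

Running `parse_kexinit(SAMPLE_KEXINIT)` yields the cookie and algorithm lists and nothing else; `mentions_host(SAMPLE_ID_LINE + SAMPLE_KEXINIT, "secret.example.com")` is `False`. The practical consequence is the one the answer gives: filter on what the server does see (the destination IP and port, via `ListenAddress` on a dedicated address or a firewall allow-list) rather than on a name that never crosses the wire.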