1. Configure the restriction in /etc/ssh/sshd_config
In sshd_config, set the users and IPs allowed to log in by appending a line at the end: allowusers <allowed user>@<allowed IP> <allowed user>@<allowed IP> ... with multiple user@IP entries separated by spaces (the keyword is case-insensitive; its canonical spelling is AllowUsers). One IP can be allowed for several users, and one user can be allowed from several IPs.
For example: allowusers root@255.255.255.255 root@255.255.255.254 user@255.255.255.253 user@255.255.255.255
UseDNS no
AddressFamily inet
PermitRootLogin no
SyslogFacility AUTHPRIV
PasswordAuthentication no
allowusers root@255.255.255.255 root@255.255.255.254 user@255.255.255.253 user@255.255.255.255
After editing the sshd_config file, the ssh service has to be restarted.
Command to restart the ssh service on CentOS 7:
systemctl restart sshd
or: systemctl restart sshd.service
2. Add restrictions in /etc/hosts.allow and /etc/hosts.deny
For restricting by IP, /etc/hosts.allow and /etc/hosts.deny are involved: they hold the IPs that are allowed and not allowed to connect. Usually we add sshd:all:deny to /etc/hosts.deny to refuse connections from everyone, and then configure the allowed IPs in /etc/hosts.allow. When hosts.allow and hosts.deny conflict, the hosts.allow setting takes precedence.
Set them up as follows:
hosts.deny file:
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:all:deny
hosts.allow file:
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:47.*.*.23:allow
sshd:47.*.*.87:allow
After the change, restart the xinetd service:
systemctl restart xinetd
Note: if allowed IPs are set in both /etc/ssh/sshd_config and /etc/hosts.allow and /etc/hosts.deny, the union of the two is taken; that is, as long as an IP is set either in the allowusers line of sshd_config or in hosts.allow, that IP can access.
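To see what the two files above actually admit, here is an added checker (example code, not from the original post) that reads an AllowUsers line and sshd entries from hosts.allow/hosts.deny and reports each mechanism's verdict for a given user@IP. The sample fragments are constructed to mirror the ones shown above; the tcp_wrappers matcher is simplified to the ALL keyword and shell-style wildcards (the 47.*.*.23 form used above), not the full hosts_access(5) pattern language.

```python
import fnmatch

# Constructed sample fragments mirroring the configuration shown above.
SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
allowusers root@255.255.255.255 root@255.255.255.254 user@255.255.255.253 user@255.255.255.255
"""
HOSTS_ALLOW = "sshd:47.*.*.23:allow\nsshd:47.*.*.87:allow\n"
HOSTS_DENY = "sshd:all:deny\n"

def allow_users_patterns(sshd_config):
    """Collect every user[@host] pattern from AllowUsers lines (keyword is case-insensitive)."""
    patterns = []
    for line in sshd_config.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "allowusers":
            patterns.extend(parts[1:])
    return patterns

def sshd_allows(sshd_config, user, ip):
    """AllowUsers semantics: once any pattern is set, only matching user@host pairs may log in."""
    patterns = allow_users_patterns(sshd_config)
    if not patterns:
        return True  # no AllowUsers line: sshd imposes no user/IP restriction here
    for pat in patterns:
        upat, _, hpat = pat.partition("@")
        if fnmatch.fnmatchcase(user, upat) and (not hpat or fnmatch.fnmatchcase(ip, hpat)):
            return True
    return False

def wrappers_rules(text, daemon="sshd"):
    """Parse 'daemon : client_list [: option]' lines for one daemon, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = [f.strip() for f in line.split(":")]
            if fields[0].lower() == daemon.lower():
                rules.append(fields)
    return rules

def tcp_wrappers_allows(hosts_allow, hosts_deny, ip):
    """hosts.allow is consulted first, then hosts.deny; no match in either file means allow."""
    for text, default in ((hosts_allow, True), (hosts_deny, False)):
        for fields in wrappers_rules(text):
            clients = fields[1].lower()
            if clients == "all" or fnmatch.fnmatchcase(ip, clients):
                if len(fields) > 2 and fields[2].lower() in ("allow", "deny"):
                    return fields[2].lower() == "allow"  # explicit option overrides the file default
                return default
    return True

def check(user, ip):
    """Report both mechanisms' verdicts separately for one user@IP pair."""
    return {"sshd_allowusers": sshd_allows(SSHD_CONFIG, user, ip),
            "tcp_wrappers": tcp_wrappers_allows(HOSTS_ALLOW, HOSTS_DENY, ip)}
```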
Thanks to the author 风下森林 for sharing!!!