We've already locked things down pretty well just by requiring that clients authenticate via key exchange, rather than by username and password. When we prohibit password authentication, the bad guys can do brute-force password attacks against us until the cows come home, and it won't do them any good. (Although, in truth, they'll just give up as soon as they find that password authentication has been disabled.) For an extra measure of security, we can also set up a couple of access control mechanisms that will allow only certain users, groups, or client machines to log in to an SSH server. These two mechanisms are as follows:
- Whitelists within the sshd_config file
- TCP Wrappers, via the /etc/hosts.allow and /etc/hosts.deny files
Okay, you're now saying, But what about firewalls? Isn't that a third mechanism that we can use? And yeah, you're right. But, we already covered firewalls in Chapters 3, Securing Your Server with a Firewall - Part 1, and Chapter 4, Securing Your Server with a Firewall - Part 2, so I won't repeat any of that here. But, at any rate, these are three ways of controlling access to your server. You can use all three of them together if you really want to, or you can just use one of them at a time. (It really depends on just how paranoid you really are.)
First, let's look at creating whitelists within sshd_config with a hands-on lab.