Configuring access control with whitelists and TCP Wrappers

We've already locked things down pretty well just by requiring that clients authenticate with key pairs rather than with a username and password. Once password authentication is disabled, the bad guys can run brute-force password attacks against us until the cows come home, and it won't do them any good. (Although, in truth, they'll usually just give up as soon as they see that the server only offers public key authentication.) For an extra layer of security, we can also set up a couple of access control mechanisms that allow only certain users, groups, or client machines to log in to an SSH server. These two mechanisms are as follows:

  • Whitelists within the sshd_config file
  • TCP Wrappers, via the /etc/hosts.allow and /etc/hosts.deny files

Okay, you're now saying, But what about firewalls? Isn't that a third mechanism that we can use? And yeah, you're right. But we already covered firewalls in Chapter 3, Securing Your Server with a Firewall - Part 1, and Chapter 4, Securing Your Server with a Firewall - Part 2, so I won't repeat any of that here. At any rate, these are three ways of controlling access to your server, and they work at different points: a firewall drops the packet before it ever reaches sshd, TCP Wrappers are checked by sshd as soon as it accepts the connection, and the sshd_config whitelists are applied once the client has told sshd which user it wants to log in as. You can use all three of them together if you really want to, or you can use just one of them at a time. (It all depends on just how paranoid you are.)

There are two competing philosophies about how to do access control. With blacklists (also called denylists), you specifically prohibit access by certain people or machines. That's hard to do well: the list can get very long, and you still won't block everybody you need to block, because anyone you forgot to list is allowed in by default. The preferred and easier method is to use whitelists (allowlists), which specifically allow access by certain people or machines and refuse everyone else by default.
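Before the lab, here is an added example (my own, not from the book) that shows both mechanisms side by side in a scratch directory, so nothing touches /etc. The user names donnie and vicky, the group sshusers, and the addresses 192.168.0.0/24, 10.0.0.5 and 203.0.113.9 are all invented for the demonstration. The second half contains a small evaluator that follows the order in which libwrap reads hosts.allow and hosts.deny; it is a simplified model (no netmasks, host names or EXCEPT clauses) whose only job is to make the lookup order visible.

```shell
#!/bin/sh
# Added example, not from the book: a scratch-directory walk-through of the
# two SSH access-control layers introduced in this section. Nothing here
# touches /etc; the user names (donnie, vicky), group (sshusers) and
# addresses (192.168.0.0/24, 10.0.0.5, 203.0.113.9) are invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- Layer 1: whitelist directives in sshd_config ---------------------------
# Once any AllowUsers/AllowGroups line exists, every account NOT listed is
# refused, so put your own account in before you restart sshd. sshd applies
# DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups.
write_sshd_whitelist() {
    cat > "$WORK/50-whitelist.conf" <<'EOF'
# user@host restricts that user to one client address; a bare name allows any source.
AllowUsers donnie vicky@192.168.0.101
AllowGroups sshusers
PasswordAuthentication no
EOF
}

# --- Layer 2: TCP Wrappers (hosts.allow / hosts.deny) ------------------------
# libwrap checks hosts.allow first; the first matching line wins and the
# search stops. hosts.deny is read only if nothing in hosts.allow matched,
# and a client matched by neither file is ALLOWED. Hence the usual pattern:
# permit known networks in hosts.allow, then "sshd: ALL" in hosts.deny.
write_tcpwrap_files() {
    cat > "$WORK/hosts.allow" <<'EOF'
# daemon : client list. A trailing dot is a network prefix.
sshd: 192.168.0. 10.0.0.5
EOF
    cat > "$WORK/hosts.deny" <<'EOF'
sshd: ALL
EOF
}

# sshd honours these files only if it is linked against libwrap (upstream
# OpenSSH dropped that support in 6.7; some distributions patch it back in).
# Returns 0 if linked, 1 if not, 2 if sshd or ldd is unavailable.
sshd_has_libwrap() {
    command -v sshd >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1 || return 2
    ldd "$(command -v sshd)" 2>/dev/null | grep -q libwrap
}

# Minimal model of libwrap's client matching: ALL, an exact address, or a
# prefix ending in '.'. (Real libwrap also handles netmasks, hostnames, EXCEPT.)
client_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Return 0 if any rule in file $1 covers daemon $2 for client address $3.
file_matches() {
    while IFS= read -r line; do
        line="${line%%#*}"                       # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons="$(printf '%s' "${line%%:*}" | tr ',' ' ')"
        clients="$(printf '%s' "${line#*:}"  | tr ',' ' ')"
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $clients; do
                client_matches "$c" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}

# Decide as libwrap would for daemon $1 and client $2; prints allow or deny.
tcpwrap_decision() {
    if   file_matches "$WORK/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WORK/hosts.deny"  "$1" "$2"; then echo deny
    else echo allow                          # in neither file: default allow
    fi
}

write_sshd_whitelist
write_tcpwrap_files
for ip in 192.168.0.25 10.0.0.5 203.0.113.9; do
    printf 'sshd from %-14s -> %s\n' "$ip" "$(tcpwrap_decision sshd "$ip")"
done
sshd_has_libwrap && echo "sshd is linked against libwrap" \
    || echo "sshd absent or not linked against libwrap: hosts.allow/deny would be ignored"
```

Run it with `sh`. When you move the sshd_config part to a real server, keep your current SSH session open, put the directives in /etc/ssh/sshd_config (or a drop-in under /etc/ssh/sshd_config.d/ if your sshd_config has an Include line), run `sudo sshd -t` to syntax-check, and only then restart sshd and test a fresh login. Note that `sshd: ALL` in hosts.deny protects only sshd; any other libwrap-aware daemon is still open to everybody unless you list it, or use `ALL: ALL`, in hosts.deny.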

First, let's look at creating whitelists within sshd_config with a hands-on lab.
