SSH Access – Restrict Remote Login to Specific IP Ranges on MacOS

firewallssh

Can someone please tell me how to restrict SSH access only to certain IP ranges (e.g. local network) and not the whole Internet? I guess this has to be done via firewall.

Best Answer

From man sshd:

/etc/hosts.allow
/etc/hosts.deny
Access controls that should be enforced by tcp-wrappers are defined here.  
Further details are described in hosts_access(5).

https://debian-administration.org/article/87/Keeping_SSH_access_secure offers these examples:

# /etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0
sshd: 192.168.0.0/255.255.255.0

# /etc/hosts.deny
sshd: ALL

The TCP wrapper program in Mac OS X is: tcpd

Related Solutions

How to ensure that all networking goes through the ssh proxy

Assuming that ssh is running on localhost (or another machine on the local subnet), the easiest thing to do is to shut down your routes so that nothing can get outside. netstat -nr will show you your current routes. Mine looks like this:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.69       UGSc       93     4438    en1

192.168.0.69 is my default route. If I take that route out: route delete default 192.168.0.69 then I cannot get to any machine not wired to my network. Once screen sets up your proxy, you should have access back.

Remote User Account – Create on macOS with SSH

The best way to do this is to create a chroot jail for the user. I'll clean up the answer here when I get home but I posted the solution on my blog.

https://thefragens.com/chrootd-sftp-on-mac-os-x-server/

Below are most of the instruction from the above post.

First, you should create the new user in Workgroup Admin and either assign them access privileges for SSH via Server Admin or assign them to a group that has SSH access privileges. Further discussion is below.

From the Terminal, start off right.

sudo cp /etc/sshd_config /etc/sshd_config.bkup

sudo chown root /
sudo chmod 755 /
sudo mkdir -p /chroot/user/scratchpad
sudo chown -R root /chroot
sudo chown user /chroot/user/scratchpad
sudo chmod -R 755 /chroot

Every additional new user added will then be something along the lines of the following.

sudo mkdir -p /chroot/user2/scratchpad
sudo chown root /chroot/user2
sudo chown user2 /chroot/user2/scratchpad
sudo chmod -R 755 /chroot/user2

Every folder it the path to the chroot jail must be owned by root. I don't think it matters what group the folder is in. What I did above was to

backup /etc/sshd_config
change ownership of the root directory to root
change permissions of the root directory to 755
create a chroot folder
create a user folder inside the chroot folder
create a folder inside the user folder that user can modify
set ownership and permissions

Now to edit /etc/sshd_config to the following.

#Subsystem  sftp    /usr/libexec/sftp-server
Subsystem   sftp    internal-sftp

Match User user
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory /chroot/user

This creates a chroot jail that when the user logs in will drop them into the folder /chroot/user, in that folder is a folder they can add things to /chroot/user/scratchpad.

If you want to create a Group in Workgroup Admin for 'Chroot Users' then add the new users that you created in Workgroup Admin to the Group you won't have to keep editing the /etc/sshd_config file. Instead of the above, add the following. Make sure you add the 'Chroot Users' group to the SSH access ACL in Server Admin.

Match Group chrootusers
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory /chroot/%u

To test whether the above is working, issue the following from the terminal.

$ sftp user@domain.com
Password:
sftp>

Best Answer

Related Solutions

How to ensure that all networking goes through the ssh proxy

Remote User Account – Create on macOS with SSH

Related Question