A customer asked me how they might restrict the use of certain applications to certain networks only. For example, say you want to allow SSH access only from a management network (192.168.2.0), but not from the general user network (192.168.1.0). How is this done in SUSE Linux Enterprise Server? In short, use TCP Wrappers, which are configured in the /etc/hosts.allow and /etc/hosts.deny files. You can use any text editor, such as vi, to edit them…
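To see how the two files interact before touching a live server, here is an added example (not from the original post or from Werner Puschitz's documentation) that mimics the hosts_access(5) decision order: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, and a client matched by neither file gets in. The file contents, the daemon name sshd and the client addresses are constructed for the scenario above. Only a subset of the real pattern syntax is implemented (ALL, a trailing-dot network prefix such as 192.168.2., and an exact address); net/mask forms, hostnames and EXCEPT clauses are not handled.

```shell
#!/bin/sh
# Added example: evaluate a hosts.allow / hosts.deny pair the way hosts_access(5)
# does, so the effect of a rule set can be checked offline.
# Assumption: only ALL, trailing-dot prefixes and exact addresses are supported.

# Constructed file contents for the post's scenario: sshd is reachable only
# from the management network 192.168.2.0/24.
HOSTS_ALLOW='# /etc/hosts.allow (constructed)
sshd: 192.168.2.
'
HOSTS_DENY='# /etc/hosts.deny (constructed)
sshd: ALL
'

# client_matches PATTERN IP -> exit 0 when the client pattern matches the address
client_matches() {
  pattern=$1; ip=$2
  case $pattern in
    ALL) return 0 ;;
    *.)  case $ip in "$pattern"*) return 0 ;; esac ;;   # network prefix
    *)   [ "$pattern" = "$ip" ] && return 0 ;;          # exact address
  esac
  return 1
}

# rules_match CONTENT DAEMON IP -> exit 0 when any "daemon_list : client_list"
# line in CONTENT names the daemon (or ALL) and matches the client address.
rules_match() {
  content=$1; daemon=$2; ip=$3
  while IFS=: read -r daemons clients _options; do
    case $daemons in ''|'#'*) continue ;; esac          # blank line or comment
    for d in $(printf '%s' "$daemons" | tr ',' ' '); do
      [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
      for c in $(printf '%s' "$clients" | tr ',' ' '); do
        client_matches "$c" "$ip" && return 0
      done
    done
  done <<EOF
$content
EOF
  return 1
}

# hosts_access DAEMON IP -> prints "allow" or "deny" (exit 0 / 1) in the
# documented order: hosts.allow match grants, then hosts.deny match refuses,
# and a client matched by neither file is granted access.
hosts_access() {
  if rules_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow; return 0; fi
  if rules_match "$HOSTS_DENY"  "$1" "$2"; then echo deny;  return 1; fi
  echo allow
  return 0
}

for client in 192.168.2.10 192.168.1.10 192.168.20.5; do
  printf 'sshd from %-13s -> %s\n' "$client" "$(hosts_access sshd "$client")"
done
```

Two things the run makes visible: a daemon that is not named in either file (vsftpd, say) is still reachable from anywhere, so the deny line has to name the service or use ALL; and the trailing dot in 192.168.2. is what keeps 192.168.20.5 out, since a bare prefix without it would match that network too.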

The best documentation of the answer I found was here at Puschitz.com. Thanks go to Werner Puschitz for the insight!

If you know of other helpful sites or documentation on this topic, please post a comment so we can all benefit.

(Update 8/31/07) Some additional suggestions I received. Thanks Edward Clay and Peter Albrecht.

(Response #1) You could do this with iptables or the YaST firewall app.

I found the following example on the following website.

http://www.cyberciti.biz/faq/restrict-ssh-access-use-iptable/

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP
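The rule quoted above drops SSH for every source. For the scenario in the original post (SSH accepted only from the management network), here is an added example that is not part of the response or the linked page. It prints the iptables commands in the order they must be appended instead of executing them, so they can be reviewed and then applied with ssh_ruleset | sudo sh. Assumptions: 192.168.2.0/24 is the management network, SSH stays on port 22, and the INPUT chain has no earlier rule that already accepts port 22 (rules are appended with -A, so an earlier ACCEPT would win).

```shell
#!/bin/sh
# Added example: ordered iptables rules that limit SSH to the management network.
# Assumptions: management network 192.168.2.0/24, SSH on port 22, no earlier
# ACCEPT for port 22 in the INPUT chain.

# ssh_ruleset [MGMT_NET] -> prints the iptables commands, in the order they apply
ssh_ruleset() {
  mgmt=${1:-192.168.2.0/24}
  # 1. Keep sessions that are already open, so the admin loading the rules
  #    over SSH is not cut off.
  echo "iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT"
  # 2. Accept new connections only from the management network.
  echo "iptables -A INPUT -p tcp -s $mgmt --dport 22 -m state --state NEW -j ACCEPT"
  # 3. Drop everything else to port 22, including the user network.
  #    The catch-all must come after the ACCEPT above; iptables stops at the
  #    first matching rule.
  echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# ssh_rule_count [MGMT_NET] -> number of rules emitted, for a sanity check
ssh_rule_count() { ssh_ruleset "$@" | wc -l | tr -d ' '; }

ssh_ruleset
```

After applying, iptables -L INPUT -n --line-numbers should show the three rules in exactly this order; if the DROP appears before the management ACCEPT, no one gets in.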


(Response #2) To use TCPwrapper for this, the application must be built with TCPwrapper support. There are some daemons listed at the top of /etc/hosts.allow which do support TCPwrapper.

If the application does not support TCPwrapper, I see two options:

1) Use iptables rules for limiting access. For an introduction to packet filters, have a look at our course 3075: SLES 10 Security.

2) If the server is connected to the respective network (192.168.2.0 in your example), you can configure sshd to listen only to that interface. The directive is ListenAddress in /etc/ssh/sshd_config. Several other applications also provide such a configuration.
