Well, one option is to just set a rule-pair in your firewall:

    iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j DROP

That way connections from the internal network are accepted; all other traffic to the ssh port is dropped. If you go this route, ensure that your system is set up to save your firewall rules and re-load them when it brings the interface up, otherwise your protection is only good for one session ; )

I would probably still want to configure sshd in addition (multiple layers of security = much more secure). From a cursory looking-around at google, it looks like you can set the ListenAddress line in sshd.conf to a local ip; I'm not sure exactly how this implementation would work, and moreover it looks like you'd need several lines if you want to allow a range of ips on the local network.

You might also have a look at hosts.allow and hosts.deny (http://linux.about.com/od/commands/l/blcmdl5_hostsal.htm is just the first google result; the man pages certainly have more info, but I don't use hosts.* myself so I can only really provide a pointer). I'm not sure that really adds anything that the firewall rule wouldn't already, though.

~Jeff

On Fri, Sep 19, 2008 at 12:52 PM, S.D.Allen <[EMAIL PROTECTED]> wrote:
> Greetings;
>
> I can seem to figure out which config file to edit and what to enter
> to allow only hosts on the LAN to connect via SSH. I'll have the box
> in question available to the entire Internet and want to disable
> global access to SSH. Presently I'm using password authentication, and
> would prefer to keep it this way, as opposed to allowing access via
> trusted key.
>
> Thanks.
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
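An added example, not from Jeff's reply or from the list: it renders the rule pair above in iptables-restore(8) format (so the rules can be saved and reloaded at boot, as the reply advises) and simulates the chain's first-match evaluation, so you can confirm before applying them that the LAN is accepted, everything else is dropped, and that reversing the two rules would lock the LAN out. The LAN prefix and port are the ones from the thread; the function names and the packet samples are my own.

```python
import ipaddress

# Constructed values taken from the thread: the LAN prefix and the SSH port.
LAN = "192.168.1.0/24"
SSH_PORT = 22


def ssh_rules(lan=LAN, port=SSH_PORT):
    """The rule pair from the reply, in the order it must be applied."""
    return [
        {"proto": "tcp", "dport": port, "src": lan, "target": "ACCEPT"},
        {"proto": "tcp", "dport": port, "src": None, "target": "DROP"},
    ]


def to_iptables_restore(rules, chain="INPUT"):
    """Render the rules in iptables-restore format (e.g. for a pre-up hook)."""
    lines = ["*filter"]
    for r in rules:
        parts = [f"-A {chain} -p {r['proto']} --dport {r['dport']}"]
        if r["src"]:
            parts.append(f"-s {r['src']}")
        parts.append(f"-j {r['target']}")
        lines.append(" ".join(parts))
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def verdict(rules, src_ip, dport, proto="tcp", policy="ACCEPT"):
    """First-match evaluation of a chain: the first matching rule decides,
    otherwise the chain policy applies (assumed ACCEPT, the iptables default)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["proto"] != proto or r["dport"] != dport:
            continue
        if r["src"] is not None and src not in ipaddress.ip_network(r["src"]):
            continue
        return r["target"]
    return policy


if __name__ == "__main__":
    rules = ssh_rules()
    print(to_iptables_restore(rules))
    print(verdict(rules, "192.168.1.10", 22))   # LAN host -> ACCEPT
    print(verdict(rules, "203.0.113.5", 22))    # Internet host -> DROP
    print(verdict(rules, "203.0.113.5", 80))    # other port -> chain policy
    # Appending the rules in the wrong order makes DROP shadow ACCEPT:
    print(verdict(list(reversed(rules)), "192.168.1.10", 22))  # DROP
```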

