[Beginner] How to restrict the IP addresses allowed to log in via SSH

#1  Posted 2006-11-13 09:48
tcp_wrapper can restrict the IPs that may log in with telnet, but how do you restrict SSH logins (I installed openssl to get SSH login working)?

#2  Posted 2006-11-20 16:18

Re: restricting the IP addresses allowed to log in via SSH

Start the IBM ipsec4 filter rules:

# smitty ipsec4
-> Start/Stop IP Security
-> Start IP Security ->

Start IP Security

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[Entry Fields]
Start IP Security [Now and After Reboot] +
Deny All Non_Secure IP Packets [no] +

Check that ipsec is now available:
# lsdev -Cc ipsec
ipsec_v4 Available IP Version 4 Security Extension

Two filter rules should now have been created on the system. Check them with the following command:
# lsfilt -v4
Beginning of IPv4 filter rules.
Rule 1:
Rule action : permit
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask : 0.0.0.0
Source Routing : no
Protocol : udp
Source Port : eq 4001
Destination Port : eq 4001
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : yes

Rule 2:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control : no
.
Rule 0:
Rule action : permit
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask : 0.0.0.0
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
.
End of IPv4 filter rules.

Add a filter rule that permits ftp requests coming from 9.3.6.180:
# smitty ipsec4
-> Advanced IP Security Configuration
-> Configure IP Security Filter Rules
-> Add an IP Security Filter Rule ->

Add an IP Security Filter Rule

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[Entry Fields]
* Rule Action [permit] +
* IP Source Address [9.3.6.180]
* IP Source Mask [255.255.255.255]
IP Destination Address [9.3.6.177]
IP Destination Mask [255.255.255.255]
* Apply to Source Routing? (PERMIT/inbound only) [yes] +
* Protocol [all] +
* Source Port / ICMP Type Operation [any] +
* Source Port Number / ICMP Type [0] #
* Destination Port / ICMP Code Operation [eq] +
* Destination Port Number / ICMP Type [21] #
* Routing [both] +
* Direction [both] +
* Log Control [no] +
* Fragmentation Control [all packets] +
* Tunnel ID [0] +#
* Interface [all] +


Add another filter rule that denies all other ftp requests sent to 9.3.6.177:
Add an IP Security Filter Rule

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[Entry Fields]
* Rule Action [deny] +
* IP Source Address [0.0.0.0]
* IP Source Mask [0.0.0.0]
IP Destination Address [9.3.6.177]
IP Destination Mask [255.255.255.255]
* Apply to Source Routing? (PERMIT/inbound only) [yes] +
* Protocol [all] +
* Source Port / ICMP Type Operation [any] +
* Source Port Number / ICMP Type [0] #
* Destination Port / ICMP Code Operation [eq] +
* Destination Port Number / ICMP Type [21] #
* Routing [both] +
* Direction [both] +
* Log Control [no] +
* Fragmentation Control [all packets] +
* Tunnel ID [0] +#
* Interface [all] +


Activate the configured filter rules:
# smitty ipsec4
-> Advanced IP Security Configuration
-> Activate/Update/Deactivate IP Security Filter Rule
-> Activate / Update


The above configures a filter rule for FTP; just change the port to 22 and it applies to SSH login instead.
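As an added example (not code from the thread), a small Python check that parses an `lsfilt -v4` listing in the format shown above and evaluates it first-match, which is how AIX is assumed here to apply filter rules in listing order, so you can confirm that only the permitted address reaches port 22 and that the permit rule sits before the deny. The listing is a constructed excerpt with the post's two rules switched to port 22, and the default Rule 0 is modelled as a permit fallback.

```python
import ipaddress
import re

# Constructed excerpt of `lsfilt -v4` output in the post's format: its two rules with
# port 21 changed to 22 as it suggests for SSH; unused fields omitted, Rule 0 = fallback.
SAMPLE_LSFILT = """\
Rule 3:
Rule action : permit
Source Address : 9.3.6.180
Source Mask : 255.255.255.255
Destination Address : 9.3.6.177
Destination Mask : 255.255.255.255
Destination Port : eq 22
.
Rule 4:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 9.3.6.177
Destination Mask : 255.255.255.255
Destination Port : eq 22
.
"""

def parse_lsfilt(text):
    """Rules in listing order as dicts; entries without an action (IKE marker) are dropped."""
    rules, cur = [], None
    for line in text.splitlines():
        if re.match(r"Rule \d+:", line):
            cur = {}
            rules.append(cur)
        elif cur is not None and " : " in line:
            key, val = line.split(" : ", 1)
            cur[key.strip()] = val.strip()
    return [r for r in rules if "Rule action" in r]

def _addr_match(addr, base, mask):
    # Address/mask test as the filter applies it; mask 0.0.0.0 matches everything.
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (addr, base, mask))
    return (a & m) == (b & m)

def decide(rules, src, dst, dport):
    """First match wins (assumed AIX in-order evaluation); fallback mirrors default Rule 0."""
    for r in rules:
        op, val = r["Destination Port"].split()  # e.g. "eq 22" or "any 0"
        if (_addr_match(src, r["Source Address"], r["Source Mask"])
                and _addr_match(dst, r["Destination Address"], r["Destination Mask"])
                and (op == "any" or (op == "eq" and dport == int(val)))):
            return r["Rule action"]
    return "permit"
```

Running `decide` over the reversed rule list shows why order matters: with the deny listed first, the permitted host is blocked as well.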

#3  Posted 2006-11-24 09:03
Thanks, I'll give it a try.

#4  Posted 2006-11-24 13:34
Good to learn from this.