[olug] OpenSSH ListenAddress Options
Matthew G. Marsh
olug4mgm at paktronix.com
Sat Nov 7 00:06:06 UTC 2009
<delurk>
Hmmm - twice in one day - I must be slipping...
I use ListenAddress in all of my ssh servers. It is even in the
sshd_config file created by the PakSecured install routine.
The first one below (IPv4 addr) binds the SSHD only to listen on the
internal IP address. The second can be used to bind an IPv6 address which
this particular machine does not have.
ListenAddress 192.168.x.y
# ListenAddress ::
netstat -an shows:
tcp 0 0 192.168.x.y:22 0.0.0.0:* LISTEN
Even though this machine has approximately 5 IPv4 addresses.
Now, as far as the USERS and hostnames go, I always compile SSH with
tcpwrappers and use a hosts.allow file to permit only my appropriate
remote IP addrs. This is true especially on externally facing SSH servers.
Now on specific machines where paranoia is justified I use Ostiary to
launch sshd with an even stricter lock set and creating a temporary
hosts.allow within the jail location.
That sshd_config contains:
AllowUsers my_specific_special_user
AllowGroups my_specific_special_group
as well as (created on the fly)
ListenAddress a.b.c.d:efghi
which as you will note specifies a port # (BTW the actual script creates a
port based on a passed in variable...) and also creates iptables rules
along with the hosts.allow - perhaps overkill but...
Now just to piss off evangelists I only use Protocol 1 in my ssh servers
but I also use an ancient patched sshd of my own to work with that... ;-}
Anyway - I recommend using ListenAddress on any server where you can be
sure of the IP addrs; otherwise the bindings can get messy. (Yes, I have
hacked up a DHCP version of this but that is a weirder usage...)
Additionally, the binding in the first example was an address on dummy0
where I can use extensive crypto tunnels to produce a virtual network
structure.
Hope this helps... <flame bait> SSH is a very powerful software package
even though the BSD people developed it... </flame bait>
mgm
</delurk>
On Fri, 6 Nov 2009, dan at miniarpa.net wrote:
<snipped stuff about some kind of linux box running web servers>
> Thanks,
> Dan
--------------------------------------------------
Matthew G. Marsh
Special Email Addr for OLUG ;-}
Phone: (402) 932-7250
Email: olug4mgm at paktronix.com
WWW: http://www.paksecured.org
--------------------------------------------------
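The post's recipe (bind sshd to one address:port with ListenAddress, limit logins with AllowUsers/AllowGroups, gate clients with hosts.allow, back it with an iptables rule, and confirm with netstat that the wildcard socket is gone) as a runnable script. This is an added example, not code from the post or from PakSecured. The address 192.168.10.5, port 2222, user "ops", group "opsgrp" and client network 192.168.10.0/24 are placeholders chosen here; the `ip addr` and `netstat` output it parses is constructed inline so it runs offline, and the two check functions are the ones a practitioner would want after restarting sshd: is the ListenAddress actually assigned to an interface (sshd refuses to start otherwise), and is port 2222 listening only on that address and not on 0.0.0.0 or ::.

```shell
#!/bin/sh
# Added example, not code from the original post or from PakSecured.
# Placeholders (not from the post): bind sshd to 192.168.10.5:2222,
# allow only user "ops" in group "opsgrp", admit only 192.168.10.0/24.
# All command output below is constructed inline so this runs offline.

# sshd_config fragment: one address:port, one user, one group.
# sshd resolves ListenAddress at startup and will not start if the
# address is not assigned, so pair this with addr_configured below.
make_sshd_config() {
    printf 'ListenAddress %s:%s\nAllowUsers %s\nAllowGroups %s\n' \
        "$1" "$2" "$3" "$4"
}

# tcpwrappers: hosts.allow admits the listed clients, hosts.deny refuses
# the rest (the post generates hosts.allow on the fly the same way).
make_hosts_allow() { printf 'sshd: %s\n' "$1"; }
make_hosts_deny()  { printf 'sshd: ALL\n'; }

# Matching iptables rules: accept the port only on the bound address and
# only from the client net, then drop everything else aimed at the port.
make_iptables() {
    printf 'iptables -A INPUT -p tcp -d %s --dport %s -s %s -j ACCEPT\n' "$1" "$2" "$3"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$2"
}

# Read "ip -o -4 addr show" output on stdin; succeed if $1 is assigned.
addr_configured() {
    awk -v addr="$1" '
        $3 == "inet" { n = split($4, a, "/"); if (a[1] == addr) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Read "netstat -ant" output on stdin; succeed only if the one TCP
# listener on port $2 is $1:$2. A wildcard (0.0.0.0 or ::) or any other
# address on that port means ListenAddress did not take effect.
check_bind() {
    awk -v want="$1:$2" -v port="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); if (a[n] != port) next
            if ($4 == want) found = 1; else stray = 1
        }
        END { exit (found && !stray) ? 0 : 1 }'
}

# Constructed samples (not captured from a real host).
IP_ADDR_OUT='1: lo    inet 127.0.0.1/8 scope host lo
2: dummy0    inet 192.168.10.5/24 scope global dummy0'
NETSTAT_GOOD='tcp        0      0 192.168.10.5:2222    0.0.0.0:*   LISTEN
tcp        0      0 127.0.0.1:25         0.0.0.0:*   LISTEN'
NETSTAT_BAD='tcp        0      0 0.0.0.0:2222         0.0.0.0:*   LISTEN
tcp6       0      0 :::2222              :::*        LISTEN'

# Generate the pieces, then run both checks against the samples.
make_sshd_config 192.168.10.5 2222 ops opsgrp
make_hosts_allow 192.168.10.0/255.255.255.0
make_hosts_deny
make_iptables 192.168.10.5 2222 192.168.10.0/24
printf '%s\n' "$IP_ADDR_OUT"  | addr_configured 192.168.10.5 && echo "address 192.168.10.5 is assigned"
printf '%s\n' "$NETSTAT_GOOD" | check_bind 192.168.10.5 2222 && echo "good: 2222 bound to one address only"
printf '%s\n' "$NETSTAT_BAD"  | check_bind 192.168.10.5 2222 || echo "bad: wildcard listener on 2222"
```

On a real host feed the checks live output instead of the samples: `ip -o -4 addr show | addr_configured 192.168.10.5` before restarting sshd, and `netstat -ant | check_bind 192.168.10.5 2222` (or `ss -ltn`, whose address column is in the same host:port form) afterwards. The tcp6 line in the bad sample is the case the post's commented-out `ListenAddress ::` would reintroduce.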