★ The problem
Recently, the password of one user's account on a company server was changed several times. On investigation, someone had indeed logged in with his account from an external IP (a foreign one); my guess is that his own PC was infected with a trojan or some other malware. Users with no security awareness are a real headache: when their accounts are created they get simple passwords, yet nobody seems to log in to the server to change them, and you cannot dictate what users do with their own machines (install a firewall, antivirus, etc.), because that is their own business. So I wondered: is there a way to restrict a given user to logging in only from a given IP (or list of IPs)? Below are some approaches.

★ Solutions
1) Edit /etc/ssh/sshd_config so that sshd listens only on the internal-network IP. Then only internal IPs can log in via ssh. But the server can no longer be maintained remotely, which feels like more loss than gain.
2) Edit /etc/hosts.allow and /etc/hosts.deny to block logins from a specific IP. This is really the same as the above: you do not know which IP the attacker will come from, so you cannot deny his IP, and when you do deny it you may well lock yourself out too.
3) It can be done through /etc/ssh/sshd_config:
    AllowUsers
            This keyword can be followed by a list of user name patterns,
            separated by spaces.  If specified, login is allowed only for user
            names that match one of the patterns.  Only user names are valid;
            a numerical user ID is not recognized.  By default, login is
            allowed for all users.  If the pattern takes the form USER@HOST
            then USER and HOST are separately checked, restricting logins to
            particular users from particular hosts.  The allow/deny directives
            are processed in the following order: DenyUsers, AllowUsers,
            DenyGroups, and finally AllowGroups.
PATTERNS
    A pattern consists of zero or more non-whitespace characters, `*' (a
    wildcard that matches zero or more characters), or `?' (a wildcard that
    matches exactly one character).  For example, to specify a set of
    declarations for any host in the ``.co.uk'' set of domains, the following
    pattern could be used:
          Host *.co.uk
    The following pattern would match any host in the 192.168.0.[0-9] network
    range:
          Host 192.168.0.?
    A pattern-list is a comma-separated list of patterns.  Patterns within
    pattern-lists may be negated by preceding them with an exclamation mark
    (`!').  For example, to allow a key to be used from anywhere within an
    organisation except from the ``dialup'' pool, the following entry (in
    authorized_keys) could be used:
          from="!*.dialup.example.com,*.example.com"
For example, to forbid user test from logging in from 192.168.0.x, add the line
DenyUsers test@192.168.0.*
According to the PATTERNS section above, it seems you could add an exclamation mark to exclude a particular IP, but when I tried it did not work, and I do not know why.
According to the documentation, deny has the highest precedence, and once allow is set only the allowed users can access the server at all, so if you want to restrict a user to logging in only from a certain IP range, this does not seem achievable.
4) Use ssh RSA/DSA keys.
Reference: http://www.5ilinux.com/ssh01.html
Generate a public/private key pair with ssh-keygen, hand the key to the user, and restrict ssh to RSA authentication only. This forces every ssh user to log in that way, which is even more annoying.
With this approach you can add from="!192.168.1.158,*" to the user's authorized_keys2 file so that the user can only log in via 158. (I have not verified this.)
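The pattern-list rules quoted above, implemented as an added Python example (not code from the original post or from OpenSSH; the function names are my own) so you can check what a given from= or USER@HOST entry matches before relying on it:

```python
import re


def _glob_to_regex(pattern: str) -> str:
    # Only the two documented wildcards: '*' = zero or more chars, '?' = exactly one.
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def match_pattern(value: str, pattern: str) -> bool:
    """True if value matches a single pattern such as '192.168.0.?' or '*.co.uk'."""
    return re.match(_glob_to_regex(pattern), value) is not None


def match_pattern_list(value: str, pattern_list: str) -> int:
    """Evaluate a comma-separated pattern list with '!' negation.

    Returns -1 if a negated pattern matches (explicit deny),
    1 if a positive pattern matched and no negated one did,
    0 if nothing matched at all.
    """
    got_positive = False
    for raw in pattern_list.split(","):
        pat = raw.strip()
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if match_pattern(value, pat):
            if negated:
                return -1  # a negated match wins outright
            got_positive = True
    return 1 if got_positive else 0


def user_host_matches(user: str, host: str, entry: str) -> bool:
    """Check a USER@HOST entry as used by AllowUsers/DenyUsers; USER and HOST
    are matched separately, and an entry without '@' only checks the user."""
    if "@" in entry:
        upat, hpat = entry.split("@", 1)
        return match_pattern(user, upat) and match_pattern(host, hpat)
    return match_pattern(user, entry)
```

Under these rules from="!192.168.1.158,*" denies 158 and accepts every other host, which is the opposite of what section 4 is after; a plain from="192.168.1.158" is what restricts the key to that address.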
5) Use PAM.
Reference: http://www.linuxmine.com/1078.html
Check whether /etc/pam.d/login has a pam_access.so entry. On my Debian system everything ssh-related is configured in /etc/pam.d/ssh. Add the line
account  required       pam_access.so
Then edit its configuration file, /etc/security/access.conf, adding the line
-:wd:192.168.1. EXCEPT 192.168.1.158
This removes user wd's permission to log in from 192.168.1.x (except 192.168.1.158). In other words, wd can now only log in from 158 or from external IPs.
Done. :)