-2

I'm using Ubuntu 18.04 and I have two different interfaces in a single card.

Let's suppose that the IPs of said interfaces are 1.1.1.1 & 2.2.2.2

I want anyone to be able to connect with ssh through 1.1.1.1, but only a list of selected IPs to be able to connect through 2.2.2.2

How can I do that?

Carlo C.
Amin

1 Answer

1

Hello Amin, I will try to help you achieve what you want:

I understand you have 2 interfaces, 1.1.1.1 and 2.2.2.2, and you need 1.1.1.1 to be public and 2.2.2.2 to be private with a whitelist of IPs.

Follow these steps and I think you will be able to do it:

  1. Open your sshd_config file (use nano if you're a vi noob)

     `sudo vi /etc/ssh/sshd_config`

  2. Add the following lines to the config file

     `ListenAddress 1.1.1.1`

     `ListenAddress 2.2.2.2`

  3. Save and close the file

  4. Restart the sshd daemon

     `sudo /etc/init.d/ssh restart` or `sudo service sshd restart`

  5. Check that SSH is listening to the ports you just defined

     `netstat -tulpn | grep :22`

  6. Use Ubuntu's default Uncomplicated Firewall to deny all traffic to your 2.2.2.2 interface

     `sudo ufw deny from any to 2.2.2.2 port 22`

  7. Whitelist your IP and the ones you want to be able to access 2.2.2.2

     `sudo ufw allow in from 123.123.221.1 to 2.2.2.2 port 22`

I think this is what you wanted, have a nice day!

Carlo C.
  • By default sshd will already listen on all interfaces and any ip-address making steps 1-5 redundant. – HBruijn May 22 '19 at 14:07
  • Sorry HBruijn, you mean steps 1 through 5 or just step 5? But yes it's a little redundant but it will work for him nevertheless – Carlo C. May 22 '19 at 14:50
  • Steps one through five are redundant, by default `ss -tulpn` or `netstat -tulpn` will show sshd listening to all local IPv4 addresses with `0.0.0.0:22` and to all local IPv6 addresses with `:::22` - In most default configurations your addition to the sshd_config file will ensure that sshd listens on the ip-addresses 1.1.1.1 and 2.2.2.2 but will also result in sshd no longer listening on any other ip-addresses that are configured on the system, such as localhost. – HBruijn May 22 '19 at 14:59
  • Thanks for clarifying HB, let's hope OP also reads your comment. Also OP if you're reading this, I really recommend you use a search engine and look for "SSH Server Best Practices" – Carlo C. May 22 '19 at 15:06
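
ufw evaluates rules in order and the first match wins, so the relative order of the deny and allow rules from the answer's last two steps decides whether the whitelisted address can reach 2.2.2.2. The script below is an added example, not part of the original answer: the rule listings are constructed samples modeled on `ufw status numbered`, and the `verdict` function and the address 198.51.100.7 are illustrative assumptions.

```shell
#!/bin/sh
# Added example: first-match evaluation over `ufw status numbered`-style rows.
# Both listings are constructed samples, not output captured from a real host.

# Rule order when the catch-all deny is added before the whitelist entry.
DENY_FIRST='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 2.2.2.2 22                 DENY IN     Anywhere
[ 2] 2.2.2.2 22                 ALLOW IN    123.123.221.1'

# Same two rules with the whitelist entry ahead of the catch-all deny.
ALLOW_FIRST='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 2.2.2.2 22                 ALLOW IN    123.123.221.1
[ 2] 2.2.2.2 22                 DENY IN     Anywhere'

# verdict LISTING SRC DST PORT
# Prints the action of the first rule that matches the connection, or DEFAULT
# when no rule matches (the default incoming policy would then apply).
# Only "ADDR PORT" destinations and exact source addresses are handled;
# CIDR sources, protocol suffixes and interface rules are out of scope.
verdict() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v port="$4" '
        /^\[/ {
            sub(/^\[ *[0-9]+\] */, "")           # drop the "[ N]" rule number
            if (NF != 5 || $4 != "IN") next       # ADDR PORT ACTION DIR FROM
            if ($1 != dst || $2 != port) next     # different destination
            if ($5 != "Anywhere" && $5 != src) next
            print $3; found = 1; exit             # first match wins
        }
        END { if (!found) print "DEFAULT" }'
}

# Compare both orderings for the whitelisted and a non-whitelisted source.
for ip in 123.123.221.1 198.51.100.7; do
    echo "deny first,  $ip -> $(verdict "$DENY_FIRST" "$ip" 2.2.2.2 22)"
    echo "allow first, $ip -> $(verdict "$ALLOW_FIRST" "$ip" 2.2.2.2 22)"
done
```

On a live host, `sudo ufw insert 1 allow in from 123.123.221.1 to 2.2.2.2 port 22` places the whitelist entry ahead of a deny rule that already exists.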