# AllowUser has problem for ssh



## callmanager (Dec 25, 2012)

Hello everyone, I have a server that I am installing FreeBSD 9 on, and my server has a valid IP, and all the time I get ssh attacks from all over the world.

I want only one IP to be able to ssh to my server. I edited the sshd config file at /etc/ssh/sshd_config and added a line:

```
#AllowUsers mamadotal@192.168.1.32
```

But from the other computer I am able to ssh to that server. All I want is for only one IP to be able to ssh to my server, and only one user from that IP to be able to ssh to my server.

What should I do?


----------



## gkontos (Dec 25, 2012)

http://www.openbsd.org/faq/pf/


----------



## callmanager (Dec 25, 2012)

I don't understand your post, can you explain it to me?


----------



## gkontos (Dec 25, 2012)

Yes, use a firewall to restrict ssh access to certain IP addresses.


----------



## DutchDaemon (Dec 25, 2012)

And if you want to use sshd_config for it, it would probably be beneficial to remove the hash sign in front of the directive.


----------



## callmanager (Dec 26, 2012)

DutchDaemon said:

> And if you want to use sshd_config for it, it would probably be beneficial to remove the hash sign in front of the directive.



I use AllowUser without the "#" sign but it still has the problem; I mean other computers can ssh to my SERVER, why? I wrote: "*AllowUsers mamadotal@192.168.1.32*" in this file: /etc/ssh/sshd_config

But other computers can still ssh to my server!!!


----------



## bbzz (Dec 26, 2012)

You should be running a basic firewall (*pf*) on your ssh server anyway.

Do you know how to set it up?


----------



## callmanager (Dec 26, 2012)

bbzz said:

> You should be running a basic firewall (*pf*) on your ssh server anyway.
> 
> Do you know how to set it up?



No I don't know, would you like to help me?


----------



## bbzz (Dec 26, 2012)

Usually, this works with me saying, "have you read the FreeBSD handbook on the pf firewall first?"
Then, you should check out the link which was posted in the 2nd post on how to write your rules.


But since I'm in a good mood today, write down your network specifics and I (or maybe somebody else) will write down rules for you.


----------



## callmanager (Dec 26, 2012)

bbzz said:

> Usually, this works with me saying, "have you read the FreeBSD handbook on the pf firewall first?"
> Then, you should check out the link which was posted in the 2nd post on how to write your rules.
> 
> 
> But since I'm in a good mood today, write down your network specifics and I (or maybe somebody else) will write down rules for you.




No, I want to configure my SSH configuration to do this; I heard I can do it by configuring sshd_config.


----------



## phoenix (Dec 26, 2012)

Start the ssh daemon on the server manually, in the foreground, with -d specified a bunch of times:
`# sshd -dd`

Then connect to it from the remote host.

Post the output here.


----------



## Remington (Dec 26, 2012)

Use authorized_keys in .ssh folder in addition to pf firewall.


----------



## redw0lfx (Dec 27, 2012)

So from reading the OP's original question and the responses, I think the issue is not that SSHD allows the user to log in, but that it provides an authentication prompt to anyone connecting.  callmanager, correct me if I am wrong with the following assumptions, but this might work for you:

1) sshd_config and the AllowUsers directive are used for restricting the user that can authenticate and actually log into the system, not for restricting who can initiate an authentication request.

2) In order to block authentication requests (i.e., do not give a password prompt and just flat out deny the connection request), you must either be using a firewall like pf to restrict by IP address, or you must edit your /etc/hosts.allow file and enter the IP address you would like to allow or block.

For example, in /etc/hosts.allow you could enter:

```
SSHD : 192.168.1.32 : ALLOW
SSHD : ALL : DENY
```

Then, in /etc/ssh/sshd_config enter:

```
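# DenyUsers is evaluated before AllowUsers, so "DenyUsers *" would lock out
# every user, mamadotal included; AllowUsers alone rejects everyone not listed.
AllowUsers mamadotal@192.168.1.32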
```

The first configuration would only allow IP 192.168.1.32 to initiate a connection with SSHD, and refuse all connection attempts from all other IPs. The second configuration will make sure that the user authenticating is mamadotal and coming from IP 192.168.1.32, or deny the authorization request.


----------
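
Added example (not part of any post in this thread): a simplified Python model of the login decision sshd makes from `DenyUsers` and `AllowUsers`, run against the commented-out line from the first post and the directives discussed above. The function names and the address 203.0.113.7 are constructed for illustration; matching is reduced to `*`/`?` wildcards against the client address only, and the model says nothing about who may open a connection.

```python
from fnmatch import fnmatchcase

def directives(config_text):
    """Collect active AllowUsers/DenyUsers patterns from sshd_config text."""
    rules = {"allowusers": [], "denyusers": []}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comment line: "#AllowUsers ..." sets nothing
        parts = line.split()
        key = parts[0].lower()  # keywords are case-insensitive
        if key in rules:
            rules[key].extend(parts[1:])  # repeated directives accumulate
    return rules

def matches(pattern, user, addr):
    """Match a USER or USER@HOST pattern (simplified: address only)."""
    user_pat, sep, host_pat = pattern.partition("@")
    if not fnmatchcase(user, user_pat):
        return False
    return not sep or fnmatchcase(addr, host_pat)

def login_allowed(config_text, user, addr):
    """Apply the documented order: DenyUsers first, then AllowUsers."""
    rules = directives(config_text)
    if any(matches(p, user, addr) for p in rules["denyusers"]):
        return False  # a DenyUsers match wins over any AllowUsers entry
    if rules["allowusers"]:
        return any(matches(p, user, addr) for p in rules["allowusers"])
    return True  # no AllowUsers at all: every user may attempt to log in

# Constructed sample configurations based on the lines quoted in the thread.
COMMENTED = "#AllowUsers mamadotal@192.168.1.32\n"
ACTIVE = "AllowUsers mamadotal@192.168.1.32\n"
WITH_DENY_ALL = ACTIVE + "DenyUsers *\n"

if __name__ == "__main__":
    cases = [
        ("commented", COMMENTED, "root", "203.0.113.7"),
        ("active", ACTIVE, "mamadotal", "192.168.1.32"),
        ("active", ACTIVE, "mamadotal", "203.0.113.7"),
        ("active", ACTIVE, "other", "192.168.1.32"),
        ("deny-all", WITH_DENY_ALL, "mamadotal", "192.168.1.32"),
    ]
    for name, cfg, user, addr in cases:
        print(f"{name:10} {user}@{addr}: {login_allowed(cfg, user, addr)}")
```
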



## SirDice (Dec 27, 2012)

callmanager said:

> Hello everyone, I have a server that I am installing FreeBSD 9 on, and my server has a valid IP, and all the time I get ssh attacks from all over the world.


Use something like security/sshguard-pf.


----------

