Cloud Native应用交付
  • 首页
  • 关于本站
  • 个人介绍
  • Downloads
  • Repo
    • Github
    • Container
  • F5
    • F5 Python SDK
    • F5-container
    • F5-LBaaS
  • 社交
    • 联系我
    • 微信/微博
    • 公众号
    • 打赏赞助
行至水穷处 坐看云起时
☁️We are in new App Mesh era: imesh.club ☁️
  1. 首页
  2. F5技术
  3. 正文

V9下限制对SSH的访问

2008年07月25日 3966点热度 0人点赞 0条评论

You can update the SSH access list from the Configuration utility and the command line. 

Important: F5 Networks strongly recommends that you use the Configuration utility rather than the command line to update the SSH access list.

Updating the SSH access list from the Configuration utility

To update the SSH access list using the Configuration utility, perform the following procedure:

  1. From the Configuration utility, click System.
  2. Click Platform.

    The User Administration page displays.

  3. From the SSH IP Allow drop-down box, select Specify Range.
  4. In the SSH IP Allow text box, enter the IP addresses or address ranges for the remote systems allowed to use SSH to communicate with this system.

    Important: Separate the IP address entries with a space. If you separate the IP addresses with a comma a non-working entry will be added to the /etc/hosts.allow file, potentially preventing you from reconnecting to the network through SSH.

    For example, to restrict access to only systems on the 192.168.0.0 network, and host 10.10.10.1, you would enter the IP addresses in the following format:

    192.168.*.* 10.10.10.1

  5. Click Update.

Updating the SSH access list from the command line

To update the SSH access list from the command line, perform one of the following two procedures, depending on the BIG-IP version you are running:

BIG-IP versions 9.4.2 and later

To update the SSH access list from the command line in BIG-IP version 9.4.2 and later, perform the following procedure:

Note: Starting in BIG-IP version 9.4.2, /etc/hosts.allow is an auto-generated file and should not be manually edited.

  1. Log in to the command line.
  2. Use the following command syntax:

    bigpipe sshd allow <ip_addr> or <ip_range>

    For example, to add the 192.168.1.245 IP address to the existing list of IP addresses that are allowed to log in to the system, type the following command:

    bigpipe sshd allow 192.168.1.245 add

    To create an initial range of IP addresses (192.168.0.0 with a netmask of 255.255.0.0) that are allowed to log in to the system, type the following command:

    bigpipe sshd allow 192.168.0.0/255.255.0.0

  3. Save the configuration by typing the following command:

    bigpipe save

BIG-IP versions 9.0 through 9.4.1

To update the SSH access list from the command line in BIG-IP version 9.0 through 9.4.1, perform the following three procedures:

  • Restoring overwritten IP addresses
  • Updating the /etc/hosts.allow file from the command line
  • Editing the Service.SSH.allow configuration database record
     

 

Restoring overwritten IP addresses

In order to display the SSH IP Allow field, the Configuration utility references the Service.SSH.allow record in the configuration database. If an update is performed from the Configuration utility, any manual SSH access additions to the /etc/hosts.allow file will be overwritten by the contents of the configuration database.

Therefore, if a manual update to the SSH access information is required, you must ensure that you update the following two locations:

  • /etc/hosts.allow file
  • Service.SSH.allow record in the configuration database

Updating the /etc/hosts.allow file from the command line

To manually update the /etc/hosts.allow file from the command line, perform the following steps:

  1. Log in to the BIG-IP system command line.
  2. Change directories to the /etc directory, by typing the following command:

    cd /etc

  3. Using a text editor, such as vi or pico, edit the hosts.allow file.
  4. Locate the sshd: entry and add the desired address information.

    Ensure that you maintain the required 127.2.0.1 internal IP address entry.

    For example, to allow access to host 10.10.10.1, and all hosts on the 192.168.0.0/255.255.0.0 network, you would change the line:

    sshd : ALL 127.2.0.1

    To the following line:

    sshd : 192.168. 10.10.10.1 127.2.0.1

  5. Save the file and exit the editor.

Editing the Service.SSH.allow configuration database record

To ensure these new entries are recognized by the Configuration utility you must also add the entries to the Service.SSH.allow record in the configuration database. To set the configuration database Service.SSH.allow record, type the following command from the BIG-IP command line:

Note: You do not need to include the 127.2.0.1 internal IP address that is in the /etc/hosts.allow file.

bigpipe db Service.SSH.allow \"192.168. 10.10.10.1\"

BIG-IP will now allow SSH access from the 192.168.0.0/255.255.0.0 network, host 10.10.10.1.

本作品采用 知识共享署名 4.0 国际许可协议 进行许可
标签: 暂无
最后更新:2008年07月25日

纳米

http://linjing.io

打赏 点赞
< 上一篇
下一篇 >

文章评论

取消回复

纳米

http://linjing.io

☁️迈向Cloud Native ADC ☁️

认证获得:
Kubernetes: CKA #664
Microsoft: MCSE MCDBA
Cisco: CCNP
Juniper: JNCIS
F5:
F5 Certified Solution Expert, Security
F5 Certified Technology Specialist, LTM/GTM/APM/ASM
F5 Certified BIG-IP Administrator
  • 点击查看本博技术要素列表
  • 分类目录
    • Avi Networks (3)
    • Cisco ACI (1)
    • CISCO资源 (21)
    • F5 with ELK (8)
    • F5-Tech tips (38)
    • F5技术 (203)
    • Juniper (4)
    • Linux (7)
    • Nginx (18)
    • SDN (4)
    • ServiceMesh (19)
    • WEB编程 (8)
    • WINDOWS相关 (7)
    • 业界文章 (18)
    • 交换机技术 (20)
    • 化云为雨/Openstack (35)
    • 协议原理 (52)
    • 容器/k8s (64)
    • 我的工作 (19)
    • 我的生活 (70)
    • 网站技术 (19)
    • 路由器技术 (80)
    • 项目案例 (28)
    文章归档
    标签聚合
    F5 k8s openstack nginx istio DNS envoy gtm docker network flannel api irule bigip neutron cc kubernetes ELK vxlan BGP dhcp VPN IPSec lbaas ingress ingress controller nginx plus sidecar IPSec VPN NAT sql
    最新 热点 随机
    最新 热点 随机
    Say hello for 2021 二进制flannel部署,非cni网络模式下与k8s CIS结合方案 又是一年国庆 Service Account Token Volume Projection Istio ingressgateway 静态TLS证书加载与SDS发现方式配置区别 Istio里Gateway的port定义与实际ingressgateway的listener端口关系及规则 Helm 3 部署NGINX Ingress Controller 应用交付老兵眼中的Envoy, 云原生时代下的思考 Istio sidecar iptables以及流量控制分析 Istio 熔断策略及envoy配置
    Say hello for 2021
    CISCO MARS!无敌· 2014 ADC Gartner magic quadrant(Oct. 2014) k8s利用F5实现租户流量隔离? 明天圣火到北京,圣火传递主题歌 [阿,网站终于好了,原创]发BGP实验1-理解BGP基本特性 [转]ReplicationController,Replica Set,Deployment区别 关于帧中继流量整形的问题,选什么呢? 【原创】用CISCO VPN-Client4.01连接VPN-SERVER配置 让VS直接访问另一个VS 我的CISCO实验室[图]
    链接表
    • Jimmy Song‘s Blog
    • SDNap
    • SDNlab
    • SDN论坛
    • Service Mesh社区
    • 三斗室
    • 个人profile

    COPYRIGHT © 2020 Cloud Native应用交付. ALL RIGHTS RESERVED.

    THEME KRATOS MADE BY VTROIS

    京ICP备14048088号-1

    京公网安备 11010502041506号

    [ Placeholder content for popup link ] WordPress Download Manager - Best Download Management Plugin