V9下限制对SSH的访问

You can update the SSH access list from the Configuration utility and the command line. 

Important: F5 Networks strongly recommends that you use the Configuration utility rather than the command line to update the SSH access list.

Updating the SSH access list from the Configuration utility

To update the SSH access list using the Configuration utility, perform the following procedure:

1. From the Configuration utility, click System.
2. Click Platform.

   The User Administration page displays.

3. From the SSH IP Allow drop-down box, select Specify Range.
4. In the SSH IP Allow text box, enter the IP addresses or address ranges for the remote systems allowed to use SSH to communicate with this system.

   Important: Separate the IP address entries with a space. If you separate the IP addresses with a comma a non-working entry will be added to the /etc/hosts.allow file, potentially preventing you from reconnecting to the network through SSH.

   For example, to restrict access to only systems on the 192.168.0.0 network, and host 10.10.10.1, you would enter the IP addresses in the following format:

   192.168.*.* 10.10.10.1

5. Click Update.

Updating the SSH access list from the command line

To update the SSH access list from the command line, perform one of the following two procedures, depending on the BIG-IP version you are running:

BIG-IP versions 9.4.2 and later

To update the SSH access list from the command line in BIG-IP version 9.4.2 and later, perform the following procedure:

Note: Starting in BIG-IP version 9.4.2, /etc/hosts.allow is an auto-generated file and should not be manually edited.

1. Log in to the command line.
2. Use the following command syntax:

   bigpipe sshd allow <ip_addr> or <ip_range>

   For example, to add the 192.168.1.245 IP address to the existing list of IP addresses that are allowed to log in to the system, type the following command:

   bigpipe sshd allow 192.168.1.245 add

   To create an initial range of IP addresses (192.168.0.0 with a netmask of 255.255.0.0) that are allowed to log in to the system, type the following command:

   bigpipe sshd allow 192.168.0.0/255.255.0.0

3. Save the configuration by typing the following command:

   bigpipe save
   

BIG-IP versions 9.0 through 9.4.1

To update the SSH access list from the command line in BIG-IP version 9.0 through 9.4.1, perform the following three procedures:

• Restoring overwritten IP addresses
• Updating the /etc/hosts.allow file from the command line
• Editing the Service.SSH.allow configuration database record
   

Restoring overwritten IP addresses

In order to display the SSH IP Allow field, the Configuration utility references the Service.SSH.allow record in the configuration database. If an update is performed from the Configuration utility, any manual SSH access additions to the /etc/hosts.allow file will be overwritten by the contents of the configuration database.

Therefore, if a manual update to the SSH access information is required, you must ensure that you update the following two locations:

• /etc/hosts.allow file
• Service.SSH.allow record in the configuration database

Updating the /etc/hosts.allow file from the command line

To manually update the /etc/hosts.allow file from the command line, perform the following steps:

1. Log in to the BIG-IP system command line.
2. Change directories to the /etc directory, by typing the following command:

   cd /etc

3. Using a text editor, such as vi or pico, edit the hosts.allow file.
4. Locate the sshd: entry and add the desired address information.

   Ensure that you maintain the required 127.2.0.1 internal IP address entry.

   For example, to allow access to host 10.10.10.1, and all hosts on the 192.168.0.0/255.255.0.0 network, you would change the line:

   sshd : ALL 127.2.0.1

   To the following line:

   sshd : 192.168. 10.10.10.1 127.2.0.1

5. Save the file and exit the editor.

Editing the Service.SSH.allow configuration database record

To ensure these new entries are recognized by the Configuration utility you must also add the entries to the Service.SSH.allow record in the configuration database. To set the configuration database Service.SSH.allow record, type the following command from the BIG-IP command line:

Note: You do not need to include the 127.2.0.1 internal IP address that is in the /etc/hosts.allow file.

bigpipe db Service.SSH.allow \"192.168. 10.10.10.1\"

BIG-IP will now allow SSH access from the 192.168.0.0/255.255.0.0 network, host 10.10.10.1.