Cloud Native应用交付

  • 首页
  • 关于本站
  • 个人介绍
  • Downloads
  • Repo
    • Github
    • Container
  • F5
    • F5 Python SDK
    • F5-container
    • F5-LBaaS
  • 社交
    • 联系我
    • 微信/微博
    • 公众号
    • 打赏赞助
行至水穷处 坐看云起时
Cloud Native Application Services: cnadn.net
  1. 首页
  2. F5技术
  3. 正文

V9下限制对SSH的访问

2008年07月25日 7292点热度 0人点赞 0条评论

You can update the SSH access list from the Configuration utility and the command line. 

Important: F5 Networks strongly recommends that you use the Configuration utility rather than the command line to update the SSH access list.

Updating the SSH access list from the Configuration utility

To update the SSH access list using the Configuration utility, perform the following procedure:

  1. From the Configuration utility, click System.
  2. Click Platform.

    The User Administration page displays.

  3. From the SSH IP Allow drop-down box, select Specify Range.
  4. In the SSH IP Allow text box, enter the IP addresses or address ranges for the remote systems allowed to use SSH to communicate with this system.

    Important: Separate the IP address entries with a space. If you separate the IP addresses with a comma a non-working entry will be added to the /etc/hosts.allow file, potentially preventing you from reconnecting to the network through SSH.

    For example, to restrict access to only systems on the 192.168.0.0 network, and host 10.10.10.1, you would enter the IP addresses in the following format:

    192.168.*.* 10.10.10.1

  5. Click Update.

Updating the SSH access list from the command line

To update the SSH access list from the command line, perform one of the following two procedures, depending on the BIG-IP version you are running:

BIG-IP versions 9.4.2 and later

To update the SSH access list from the command line in BIG-IP version 9.4.2 and later, perform the following procedure:

Note: Starting in BIG-IP version 9.4.2, /etc/hosts.allow is an auto-generated file and should not be manually edited.

  1. Log in to the command line.
  2. Use the following command syntax:

    bigpipe sshd allow <ip_addr> or <ip_range>

    For example, to add the 192.168.1.245 IP address to the existing list of IP addresses that are allowed to log in to the system, type the following command:

    bigpipe sshd allow 192.168.1.245 add

    To create an initial range of IP addresses (192.168.0.0 with a netmask of 255.255.0.0) that are allowed to log in to the system, type the following command:

    bigpipe sshd allow 192.168.0.0/255.255.0.0

  3. Save the configuration by typing the following command:

    bigpipe save

BIG-IP versions 9.0 through 9.4.1

To update the SSH access list from the command line in BIG-IP version 9.0 through 9.4.1, perform the following three procedures:

  • Restoring overwritten IP addresses
  • Updating the /etc/hosts.allow file from the command line
  • Editing the Service.SSH.allow configuration database record
     

 

Restoring overwritten IP addresses

In order to display the SSH IP Allow field, the Configuration utility references the Service.SSH.allow record in the configuration database. If an update is performed from the Configuration utility, any manual SSH access additions to the /etc/hosts.allow file will be overwritten by the contents of the configuration database.

Therefore, if a manual update to the SSH access information is required, you must ensure that you update the following two locations:

  • /etc/hosts.allow file
  • Service.SSH.allow record in the configuration database

Updating the /etc/hosts.allow file from the command line

To manually update the /etc/hosts.allow file from the command line, perform the following steps:

  1. Log in to the BIG-IP system command line.
  2. Change directories to the /etc directory, by typing the following command:

    cd /etc

  3. Using a text editor, such as vi or pico, edit the hosts.allow file.
  4. Locate the sshd: entry and add the desired address information.

    Ensure that you maintain the required 127.2.0.1 internal IP address entry.

    For example, to allow access to host 10.10.10.1, and all hosts on the 192.168.0.0/255.255.0.0 network, you would change the line:

    sshd : ALL 127.2.0.1

    To the following line:

    sshd : 192.168. 10.10.10.1 127.2.0.1

  5. Save the file and exit the editor.

Editing the Service.SSH.allow configuration database record

To ensure these new entries are recognized by the Configuration utility you must also add the entries to the Service.SSH.allow record in the configuration database. To set the configuration database Service.SSH.allow record, type the following command from the BIG-IP command line:

Note: You do not need to include the 127.2.0.1 internal IP address that is in the /etc/hosts.allow file.

bigpipe db Service.SSH.allow \"192.168. 10.10.10.1\"

BIG-IP will now allow SSH access from the 192.168.0.0/255.255.0.0 network, host 10.10.10.1.

相关文章

  • 密码保护:F5OS tenant部署后的容器情况、网络接口情况
  • 密码保护:F5OS tenant镜像实例化后信息
  • 密码保护:F5OS docker-compose.yml
  • 密码保护:F5OS 底层容器、网络及k8s状态
  • AI Gateway PII test page - internal only
本作品采用 知识共享署名-非商业性使用 4.0 国际许可协议 进行许可
标签: 暂无
最后更新:2008年07月25日

纳米

linjing.io

打赏 点赞
< 上一篇
下一篇 >

文章评论

razz evil exclaim smile redface biggrin eek confused idea lol mad twisted rolleyes wink cool arrow neutral cry mrgreen drooling persevering
取消回复

这个站点使用 Akismet 来减少垃圾评论。了解你的评论数据如何被处理。

页面AI聊天助手
文章目录
  • Updating the SSH access list from the Configuration utility
  • Updating the SSH access list from the command line
    • BIG-IP versions 9.4.2 and later
    • BIG-IP versions 9.0 through 9.4.1

纳米

linjing.io

☁️迈向Cloud Native ADC ☁️

认证获得:
TOGAF: ID 152743
Kubernetes: CKA #664
Microsoft: MCSE MCDBA
Cisco: CCNP
Juniper: JNCIS
F5:
F5 Certified Solution Expert, Security
F5 Certified Technology Specialist, LTM/GTM/APM/ASM
F5 Certified BIG-IP Administrator
  • 点击查看本博技术要素列表
  • 归档
    分类
    • AI
    • Automation
    • Avi Networks
    • Cisco ACI
    • CISCO资源
    • F5 with ELK
    • F5-Tech tips
    • F5技术
    • Juniper
    • Linux
    • NGINX
    • SDN
    • ServiceMesh
    • WEB编程
    • WINDOWS相关
    • 业界文章
    • 交换机技术
    • 化云为雨/Openstack
    • 协议原理
    • 容器/k8s
    • 我的工作
    • 我的生活
    • 网站技术
    • 路由器技术
    • 项目案例
    标签聚合
    irule api envoy nginx DNS F5 bigip k8s docker network openstack istio flannel gtm neutron
    最近评论
    汤姆 发布于 9 个月前(09月10日) 嗨,楼主,里面的json怎么下载啊,怎么收费啊?
    汤姆 发布于 9 个月前(09月09日) 大佬,kib的页面可以分享下吗?谢谢
    zhangsha 发布于 1 年前(05月12日) 资料发给我下,谢谢纳米同志!!!!lyx895@qq.com
    李成才 发布于 1 年前(01月02日) 麻烦了,谢谢大佬
    纳米 发布于 1 年前(01月02日) 你好。是的,因为以前下载系统插件在一次升级后将所有的下载生成信息全弄丢了。所以不少文件无法下载。DN...
    浏览次数
    • Downloads - 184,638 views
    • 联系我 - 118,966 views
    • 迄今为止最全最深入的BIGIP-DNS/GTM原理及培训资料 - 118,015 views
    • Github - 104,653 views
    • F5常见log日志解释 - 80,135 views
    • 从传统ADC迈向CLOUD NATIVE ADC - 下载 - 76,104 views
    • Sniffer Pro 4 70 530抓包软件 中文版+视频教程 - 74,320 views
    • 迄今为止最全最深入的BIGIP-DNS/GTM原理及培训资料 - 67,770 views
    • 关于本站 - 61,487 views
    • 这篇文档您是否感兴趣 - 55,787 views
    链接表
    • F5SE创新
    • Jimmy Song‘s Blog
    • SDNlab
    • Service Mesh社区
    • 三斗室
    • 个人profile
    • 云原生社区

    COPYRIGHT © 2023 Cloud Native 应用交付. ALL RIGHTS RESERVED.

    Theme Kratos Made By Seaton Jiang

    京ICP备14048088号-1

    京公网安备 11010502041506号