Prevent unauthorized SSH access to compute resources

For Cloudboot compute resources, we recommend using a private, isolated subnet for the hypervisor's management network.


To limit SSH access to static HVs and improve security in case an SSH private key is stolen, we suggest you use TCP Wrappers, which grants access according to the rules specified in the /etc/hosts.allow file.

When a TCP-wrapped service receives a client request, it checks the following two files:

/etc/hosts.allow
/etc/hosts.deny

and performs the following steps:

  • It sequentially parses the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to step 2.
  • It parses the /etc/hosts.deny file. If it finds a matching rule, it denies the connection. If not, access to the service is granted.

Important points to consider

  • Rules in hosts.allow are applied first. If access to a service is allowed in hosts.allow, access is granted; a rule denying access to that same service in hosts.deny is ignored.
  • The first matching rule for a given service stops further search, so the order of the rules is important.
  • If no rules for the service are found in either file or if neither file exists, access to the service is granted.
  • Any changes to hosts.allow or hosts.deny take effect immediately without restarting network services.

The format for both /etc/hosts.allow and /etc/hosts.deny is identical:

  • blank lines or lines that start with a hash mark (#) are ignored
  • each rule must be on its own line

Format of the rule to control access to network services:

<daemon list>: <client list> [: <option>: <option>: ...]

Where:

  • <daemon list> — a comma-separated list of process names (not service names).
  • <client list> — a comma-separated list of hostnames or host IP addresses that identify the hosts affected by the rule.
  • <option> — an optional action, or a colon-separated list of actions, performed when the rule is triggered.

Usage example:

To limit SSH access to hypervisors:

  1. Log in to the required hypervisor as root.

  2. Edit /etc/hosts.deny and deny SSH access for all clients with the following rule:

    sshd: *

  3. Edit /etc/hosts.allow and list the IP addresses (or hostnames) that are granted SSH access to the hypervisor:

    sshd: 192.168.0.0

    Indicate the IP address (and/or hostname) of the Control Panel and of the clients that you want to grant access to the hypervisor.
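The allow-then-deny evaluation described above, as an added example that is not part of the original page or of OnApp's code: a small Python simulation of the hosts_access decision for sshd, run over constructed hosts.allow and hosts.deny contents. The addresses, the helper function names and the subset of client patterns handled are assumptions; option fields after the second colon are ignored.

```python
import ipaddress

# Constructed sample files (not from the page): hosts.deny blocks every sshd
# client, hosts.allow whitelists the Control Panel and one admin subnet.
# A bare address such as 192.168.0.0 matches only that exact address; the
# trailing-dot form 192.168.0. matches the whole 192.168.0.x range.
HOSTS_DENY = "sshd: *\n"
HOSTS_ALLOW = """# Control Panel, then the admin network
sshd: 10.0.0.5, 192.168.0.
"""


def host_matches(pattern, client_ip):
    """One client pattern in the hosts_access(5) forms used here:
    ALL or *, exact address, dotted prefix ('192.168.0.'), or net/mask."""
    pattern = pattern.strip()
    if pattern in ("ALL", "*"):
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def first_match(text, daemon, client_ip):
    """True if any rule in this file matches daemon and client. Blank and '#'
    lines are ignored; the first matching rule stops the search."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        daemon_hit = any(d.strip() in (daemon, "ALL") for d in daemons.split(","))
        client_hit = any(host_matches(c, client_ip) for c in clients.split(","))
        if daemon_hit and client_hit:
            return True
    return False


def access_allowed(hosts_allow, hosts_deny, daemon, client_ip):
    """The two-step decision: hosts.allow wins, then hosts.deny is consulted,
    and no match in either file (or empty files) means access is granted."""
    if first_match(hosts_allow, daemon, client_ip):
        return True
    if first_match(hosts_deny, daemon, client_ip):
        return False
    return True
```

Run `access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip)` for a few addresses to see the whitelist in effect; passing two empty strings shows the default-allow behaviour when neither file contains a rule.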


See more details at the TCP Wrappers Configuration Files page.