Securing SSH Using the PAM Access Module
You can change the default port for ssh, block everything else with a firewall, and tighten a few options in the ssh configuration. All of this helps, but it can be better. Using the pam_access PAM module with ssh you can control which users may connect and where they may connect from (a specific IP address, subnet, domain or host). The following guide gives a brief rundown of how to do this. In this example user bill will only be able to ssh from 10.1.1.10, users bill and ted will both be able to ssh from 10.1.1.20, and root will only be able to log in from machines in linuxwolfpack.com.
Open the configuration file (sudo gedit /etc/pam.d/sshd) and look for the following line:
#account required pam_access.so
Change it to:
account required pam_access.so
Now that the module is enabled we need to set the access rules. On each login the PAM stack reads /etc/security/access.conf and evaluates its rules top down; the first rule that matches both the user and the origin decides.
Each line in the file has the form: permission : users : origins
The permission is either + (grant) or - (deny). The users field lists the user(s) or group(s) the rule applies to, or ALL for everyone. The origins field restricts the rule by IP address, subnet, domain or host. The keyword EXCEPT lets a rule exclude part of what it would otherwise match.
For example, to deny root from logging in from everywhere except the subnet 10.1.1.0-10.1.1.255 you would use the rule:
- : root : ALL EXCEPT 10.1.1.0/24
The same rule applied to the group admin would be:
- : (admin) : ALL EXCEPT 10.1.1.0/24
Group names are surrounded with "()" to distinguish a group from a user of the same name.
To stick to our original example we would place the following in /etc/security/access.conf:
- : root : ALL EXCEPT .linuxwolfpack.com
+ : bill ted : 10.1.1.20
+ : bill : 10.1.1.10
- : bill ted : ALL
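To see how these rules behave, here is a small simulator of the access.conf matching logic, written for this guide as an added example (it is not part of pam_access or of the original post). It applies the rules above top down, first match wins, and reproduces the EXCEPT, group "()" and domain-suffix behaviour described earlier; the group table and the sample logins are constructed for the demo. Note what happens to a user the rules never mention: pam_access grants access when no rule matches, so an account like alice connecting from anywhere still passes this filter.

```python
import ipaddress

# Constructed group table for the demo; the real module asks the system's group database.
GROUPS = {"admin": {"bill"}}

# The access.conf from the guide, embedded as a string so the example runs offline.
ACCESS_CONF = """\
# permission : users : origins
- : root : ALL EXCEPT .linuxwolfpack.com
+ : bill ted : 10.1.1.20
+ : bill : 10.1.1.10
- : bill ted : ALL
"""


def parse_access_conf(text):
    """Parse access.conf lines into (permission, users, origins) tuples; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % line)
        perm, users, origins = fields
        rules.append((perm, users.split(), origins.split()))
    return rules


def _match_origin(pattern, origin):
    """Match one origin pattern: ALL, a .domain suffix, an address prefix like 10.1.1., a CIDR, or exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return origin.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        return origin.startswith(pattern)
    if "/" in pattern:
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False  # origin is a hostname, so a CIDR pattern cannot match it
    return origin.lower() == pattern.lower()


def _match_user(pattern, user):
    """Match one user pattern: ALL, (group) via the GROUPS table, or an exact user name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("(") and pattern.endswith(")"):
        return user in GROUPS.get(pattern[1:-1], set())
    return pattern == user


def _match_list(items, value, matcher):
    """Apply 'a b EXCEPT c d' semantics: some item before EXCEPT matches and none after it does."""
    if "EXCEPT" in items:
        cut = items.index("EXCEPT")
        included, excluded = items[:cut], items[cut + 1:]
    else:
        included, excluded = items, []
    return any(matcher(p, value) for p in included) and not any(matcher(p, value) for p in excluded)


def check_access(rules, user, origin):
    """Return '+' or '-' for a login, the way pam_access decides it.

    Rules are tried top down and the first one matching both the user and the
    origin wins. If nothing matches, pam_access grants access, so a user the
    file never mentions is allowed from anywhere.
    """
    for perm, users, origins in rules:
        if _match_list(users, user, _match_user) and _match_list(origins, origin, _match_origin):
            return perm
    return "+"


RULES = parse_access_conf(ACCESS_CONF)

if __name__ == "__main__":
    # Constructed sample logins: (user, origin as sshd hands it to PAM).
    for user, origin in [("bill", "10.1.1.10"), ("bill", "10.1.1.20"), ("ted", "10.1.1.10"),
                         ("root", "10.1.1.20"), ("root", "host.linuxwolfpack.com"),
                         ("alice", "10.1.1.30")]:
        print("%-5s from %-24s -> %s" % (user, origin, check_access(RULES, user, origin)))
```

Two things the simulator makes visible: the final "- : bill ted : ALL" line is what actually confines bill and ted, and an unlisted account is never denied, which is why the sshd_config advice at the end of this guide matters. The simulator also matches domain patterns against whatever origin string it is given; the real module can only match .linuxwolfpack.com if sshd hands PAM a hostname rather than an address, which depends on reverse DNS being enabled (UseDNS in sshd_config).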
The only other thing I would advise is restricting ssh logins to bill, ted and root in /etc/ssh/sshd_config as well, using its AllowUsers directive.