allow only specific users to login via sshd, but refuse connect to non-listed users

42

I don't think it is possible to do what you are asking. If you could, someone could "brute force" to find valid usernames on your server. I am also pretty sure that the username and the password are sent simultaneously by the client, you could verify this by capturing packets using Wireshark on an unencrypted SSH connection.

By "hacking activities" I assume you are talking about brute force attempts at passwords. There are many ways to protect yourself from this, I will explain the most common ways.

Disable root login

By denying root login with SSH the attacker has to know or guess a valid username. Most automated brute force attacks only try logging in as root.

Blocking IPs on authentication failure

Daemons like fail2ban and sshguard monitor your log files to detect login failures. You can configure these to block the IP address trying to log in after a number of failed login attempts. In your case this is what I would recommend. This reduces log spam and strain on your server, as all packets from this IP would be blocked before they reach the sshd daemon. You could, for example, set fail2ban to block IPs with 3 login failures in the last 5 minutes for 60 minutes. You will in the worst cases see three failed logins in your log every 60 minutes, assuming the attacker does not give up and move on.

Public key authentication

You can disable password authentication entirely and only allow clients with specific keys. This is often considered to be the most secure solution (assuming the client keeps his key safe and encrypted). To disable password authentication, add your public key to ~/.ssh/authorized_keys on the server and set PasswordAuthentication to no in sshd_config. There are numerous tutorials and tools to assist with this.
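To make the counting rule in the answer concrete (3 failures within 5 minutes, ban for 60 minutes), here is an added example that replays fail2ban-style logic over a constructed auth.log excerpt. It is illustration code written for this page, not fail2ban's own implementation, and the log lines, hostnames and addresses are made up; it only recognises the "Failed password" line format and assumes a single log year.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape OpenSSH writes to auth.log (not real traffic).
SAMPLE_LOG = """\
Sep 18 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Sep 18 10:00:04 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Sep 18 10:00:09 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Sep 18 10:00:12 host sshd[1004]: Failed password for invalid user oracle from 203.0.113.5 port 51003 ssh2
Sep 18 10:01:00 host sshd[1005]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Sep 18 10:02:30 host sshd[1006]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Sep 18 10:09:00 host sshd[1007]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Sep 18 10:20:00 host sshd[1008]: Failed password for alice from 198.51.100.7 port 40003 ssh2
"""

# Matches only password failures; "Accepted ..." lines are deliberately ignored.
FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+"
)


def ban_decisions(log_text, maxretry=3, findtime=300, bantime=3600, year=2022):
    """Return [(ip, ban_start_iso)] for the IPs that reach `maxretry` failures
    within `findtime` seconds. Lines from an IP that is currently banned are
    skipped, mimicking the firewall dropping its packets before sshd sees them."""
    failures = {}      # ip -> failure timestamps still inside the window
    banned_until = {}  # ip -> datetime at which the ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = [t for t in failures.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            bans.append((ip, ts.isoformat()))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            failures[ip] = []  # counting restarts once the ban expires
    return bans


if __name__ == "__main__":
    for ip, when in ban_decisions(SAMPLE_LOG):
        print(f"ban {ip} from {when} for 60 minutes")
```

With the defaults only 203.0.113.5 is banned (third failure at 10:00:09); the slower failures from 198.51.100.7 never fit three into one 5-minute window, which is what the findtime setting is for.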

Updated on September 18, 2022

Comments

  • F__M
    F__M over 1 year

    I am looking for an easier way to make my example below:

    <?php
       $q = "Q".rand(1, 3);
       echo $$q;
    ?>
    

    Thanks.

    • Sverri M. Olsen
      Sverri M. Olsen over 11 years
      "Easier" in what way? That is how you use variable variables.
    • Andy Lester
      Andy Lester over 11 years
      Any time you're using variable variables, you should probably be using arrays instead.
    • sivann
      sivann over 11 years
      perhaps use an array instead of Q1 Q2 Q3?
    • F__M
      F__M over 11 years
      Looking to make it in only one line. :)
    • F__M
      F__M over 11 years
      I expected this response Ben. Will make this with array. Thanks guys.
  • BenOfTheNorth
    BenOfTheNorth over 11 years
    One line? Don't press enter after you've typed the first line then ;)
  • LHWizard
    LHWizard almost 10 years
    I don't have enough reputation, but I would +1 for fail2ban. It's relatively easy to set up, you can ban IPs after any number of failed login attempts and it writes the addresses to iptables so they stay banned. Of course, you can ban yourself if you mis-type your p/w once too many times.
  • leoce
    leoce almost 10 years
    Thanks for your suggestion. I'm also using fail2ban and I know the 3-time thing is just the default setting of sshd. Fail2ban adds IPs which exceed the maxretry within findtime to the iptables block list. The reason I'm asking this question is that I want to know if there's a way to combine the mechanics of PAM and hosts.deny. I tried to add 'sshd: hkbjhsqj@*' in my hosts.allow and 'sshd: ALL' in my hosts.deny but failed.
  • leoce
    leoce almost 10 years
    Thanks for your detailed reply! I've set PermitRootLogin no and I'm using fail2ban too. The third way seems the most desirable, while a little problem remains: I can only log in with my own computers. I can't use any client with no key file. That seems a tiny flaw and limitation. Certainly in practice I log in mostly with my computer. I'm just curious if there's an ultimate solution which meets my question. Thanks!~
  • arnefm
    arnefm almost 10 years
    @leoce Sorry, I have never heard of any authentication method that meets all your requirements. It's either portability or security. All authentication methods I know of are password, key or host based. Personally I keep my private key encrypted and stored in my Lastpass vault. I can then download it if I need to use another computer. An alternative would be to keep a memory stick containing the key on your person, perhaps attached to your keys or something. Some of those are barely any larger than the USB connector!
  • leoce
    leoce almost 10 years
    @arnefm Thanks! Your explanation is convincing and the Lastpass idea is good. I can also compress my key files with a password and put the zip file in Dropbox. And I just verified another way. I write "sshd: ALL" in hosts.deny and I install Webmin. I also deploy the Google 2-factor authentication module in Webmin. So it builds a block list and it requires the code on my phone. If I'm somewhere with a new computer, I can log in to Webmin and run echo sshd: 0.0.0.0 >> /etc/hosts.allow. I think this also works for me.