{"id":763,"date":"2015-10-14T22:41:32","date_gmt":"2015-10-14T13:41:32","guid":{"rendered":"http:\/\/stuffy.dip.jp\/wordpress\/?p=763"},"modified":"2017-05-29T16:16:54","modified_gmt":"2017-05-29T07:16:54","slug":"restrict-login-ssh-by-pam","status":"publish","type":"post","link":"https:\/\/www.stuffy.site\/wordpress\/?p=763","title":{"rendered":"pam \u306b\u3088\u308bSSH\u306eIP\u5236\u9650"},"content":{"rendered":"<p>\u4ee5\u524d\u3001 <a href=\"https:\/\/www.stuffy.site\/wordpress\/index.php\/2015\/09\/07\/restriction-ip-address-by-hosts-files\/\" target=\"_blank\">HOSTS\u30d5\u30a1\u30a4\u30eb\u306b\u3088\u308bSSH\u306eIP\u5236\u9650<\/a>\u00a0\u3092\u30a8\u30f3\u30c8\u30ea\u30fc\u3057\u307e\u3057\u305f\u304c\u3001TCP Wrapper \u3092\u901a\u308b\u30b5\u30fc\u30d3\u30b9\u81ea\u4f53\u304c\u6e1b\u3063\u3066\u304a\u308a\u3001libwrap \u30e9\u30a4\u30d6\u30e9\u30ea\u3092\u5229\u7528\u3059\u308b\u30b5\u30fc\u30d3\u30b9\u306f\u73fe\u5728\u3001SSH, PostFix \u4f4d\u3057\u304b\u3042\u308a\u307e\u305b\u3093\u3002 ldd \/usr\/sbin\/sshd | grep libwrap\u00a0\u30b3\u30de\u30f3\u30c9\u3067HOSTS\u30d5\u30a1\u30a4\u30eb\u304c\u5229\u7528\u3067\u304d\u308b\u304b\u3069\u3046\u304b\u3001\u78ba\u8a8d\u304c\u51fa\u6765\u307e\u3059\u3002\u3057\u304b\u3057\u4eca\u56de\u306f\u3001pam\uff08Pluggable Authentication Module\uff09\u306b\u3088\u308bSSH \u306eIP \u5236\u9650\u306e\u65b9\u6cd5\u3092\u3054\u7d39\u4ecb\u3057\u307e\u3059\u3002<\/p>\n<p><a href=\"http:\/\/d.hatena.ne.jp\/grgrjnjn\/20120531\/1338439309\" target=\"_blank\">\u30e6\u30fc\u30b6\u3001\u30a2\u30af\u30bb\u30b9\u5143IP\u30a2\u30c9\u30ec\u30b9\u3067ssh\u306e\u63a5\u7d9a\u5236\u9650\u3092\u3059\u308b<\/a><\/p>\n<p>\u8a73\u3057\u3044\u8a2d\u5b9a\u306f\u3001<a href=\"http:\/\/qiita.com\/tjinjin\/items\/ca6f5518e881bdf5488c\" target=\"_blank\">OpenSSH &#8211; IP\u5236\u9650\u304b\u3064\u30e6\u30fc\u30b6\u306e\u5236\u9650\u3092\u540c\u6642\u306b\u884c\u3046 &#8211; Qiita<\/a> 
\u306b\u3042\u308a\u307e\u3059\u304c\u3001\u3068\u308a\u3042\u3048\u305a\u30ed\u30fc\u30ab\u30eb\u30cd\u30c3\u30c8\u306e\u30e6\u30fc\u30b6\u30fc\u306e\u307f\u306b\u5236\u9650\u3059\u308b\u65b9\u6cd5\u3068\u3057\u3066\u3001<\/p>\n<p>\/etc\/pam.d\/sshd<\/p>\n<pre class=\"brush: actionscript3; gutter: false; first-line: 1\">#%PAM-1.0\r\nauth\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 required\u00a0\u00a0\u00a0\u00a0 pam_sepermit.so\r\nauth\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 include\u00a0\u00a0\u00a0\u00a0\u00a0 password-auth\r\naccount\u00a0\u00a0\u00a0 required\u00a0\u00a0\u00a0\u00a0 pam_nologin.so\r\n<strong>account    required     pam_access.so \uff08\u65b0\u898f\u8ffd\u52a0<\/strong>\r\naccount\u00a0\u00a0\u00a0 include\u00a0\u00a0\u00a0\u00a0\u00a0 password-auth\r\npassword\u00a0\u00a0 include\u00a0\u00a0\u00a0\u00a0\u00a0 password-auth\r\n# pam_selinux.so close should be the first session rule\r\nsession\u00a0\u00a0\u00a0 required\u00a0\u00a0\u00a0\u00a0 pam_selinux.so close\r\nsession\u00a0\u00a0\u00a0 required\u00a0\u00a0\u00a0\u00a0 pam_loginuid.so\r\n# pam_selinux.so open should only be followed by sessions to be executed in the user context\r\nsession\u00a0\u00a0\u00a0 required\u00a0\u00a0\u00a0\u00a0 pam_selinux.so open env_params\r\nsession\u00a0\u00a0\u00a0 optional\u00a0\u00a0\u00a0\u00a0 pam_keyinit.so force revoke\r\nsession\u00a0\u00a0\u00a0 include\u00a0\u00a0\u00a0\u00a0\u00a0 password-auth<\/pre>\n<p>\/etc\/ssh\/sshd_config<\/p>\n<pre class=\"brush: actionscript3; gutter: false; first-line: 1\">UsePAM yes<\/pre>\n<p>\/etc\/security\/access.conf<\/p>\n<pre class=\"brush: actionscript3; gutter: false; first-line: 1\">- : gusachan : ALL EXCEPT 192.168.0.0\/24<\/pre>\n<pre class=\"brush: actionscript3; gutter: false; first-line: 1\"># service sshd restart<\/pre>\n<p><span class=\"vg\">pam \u306b\u306f\u4ed6\u306b\u3082root \u306b\u306a\u308c\u308b\u30b9\u30fc\u30d1\u30fc\u30e6\u30fc\u30b6\u30fc\u3092Wheel 
\u30b0\u30eb\u30fc\u30d7\u306e\u307f\u306b\u5236\u9650\u3059\u308b\u3001 \/etc\/pam.d\/su\u00a0\u3082\u3042\u308a\u307e\u3059\u306d\u3002<br \/>\n<\/span><\/p>\n<pre class=\"brush: actionscript3; gutter: false; first-line: 1\">auth\u00a0 required pam_wheel.so use_uid \uff08\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8<\/pre>\n<p><span class=\"vg\">\u53c2\u8003\uff1a<a href=\"http:\/\/fnya.cocolog-nifty.com\/blog\/2012\/03\/centos-6aa8.html\" target=\"_blank\">http:\/\/fnya.cocolog-nifty.com\/blog\/2012\/03\/centos-6aa8.html<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4ee5\u524d\u3001 HOSTS\u30d5\u30a1\u30a4\u30eb\u306b\u3088\u308bSSH\u306eIP\u5236\u9650\u00a0\u3092\u30a8\u30f3\u30c8\u30ea\u30fc\u3057\u307e\u3057\u305f\u304c\u3001TCP Wrapper \u3092\u901a\u308b\u30b5\u30fc\u30d3\u30b9\u81ea\u4f53\u304c\u6e1b\u3063\u3066\u304a\u308a\u3001libwrap \u30e9\u30a4\u30d6\u30e9\u30ea\u3092\u5229\u7528\u3059\u308b\u30b5\u30fc\u30d3\u30b9\u306f\u73fe\u5728\u3001SSH, PostFix \u4f4d\u3057\u304b\u3042\u308a\u307e &hellip; <a href=\"https:\/\/www.stuffy.site\/wordpress\/?p=763\" class=\"more-link\">\u7d9a\u304d\u3092\u8aad\u3080 <span class=\"screen-reader-text\">pam 
\u306b\u3088\u308bSSH\u306eIP\u5236\u9650<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,63,6,17],"tags":[],"class_list":["post-763","post","type-post","status-publish","format-standard","hentry","category-linux","category-pam","category-settings","category-ssh"],"_links":{"self":[{"href":"https:\/\/www.stuffy.site\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.stuffy.site\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.stuffy.site\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.stuffy.site\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.stuffy.site\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=763"}],"version-history":[{"count":12,"href":"https:\/\/www.stuffy.site\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/763\/revisions"}],"predecessor-version":[{"id":1463,"href":"https:\/\/www.stuffy.site\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/763\/revisions\/1463"}],"wp:attachment":[{"href":"https:\/\/www.stuffy.site\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.stuffy.site\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.stuffy.site\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}