In some cases, you may want to restrict access to the SSH/Telnet server based on a variety of criteria, raising the level of security.
This tutorial shows how to restrict access based on IP address. You may also restrict access to the Telnet/SSH Server based on User ID; the next tutorial will show how to do that.
For each restriction option (IP Address and User ID), we first discuss the general concept of what needs to occur and then give the actual step-by-step guide. In these examples, we will be using the Georgia SoftWorks Telnet and SSH Server for Windows.
To Restrict Telnet/SSH Access Based on IP Address:
You must create the file: thosts
The file must reside in the Georgia SoftWorks Universal Terminal Server installation directory. The [EXCLUDE] directive indicates that the IP addresses listed are to be excluded from connecting. NOTE: The System account must have permission to read the thosts file.
The rules are simple for setting up the thosts file.
- It is a text file.
- The # character is the comment character.
- An [EXCLUDE] directive placed on the 1st line forces the file to be interpreted as an exclusion list; otherwise only the IP addresses listed are allowed to connect.
- Data after the IP address is ignored and therefore can be used for additional comment data.
Following are example thosts files.
Example - IP Restriction - Restrict Certain Hosts from Connecting
Bill and Tom have machines that are in a public location and are not secure. The system administrator does not want to allow SSH2/Telnet access from those machines. However, Bill and Tom have other machines that need SSH2/Telnet access to the server. This is how to set up the thosts file to exclude those particular machines. Information needed:
IP address of Bill's machine: 220.127.116.11
IP address of Tom's machine: 18.104.22.168
Edit the file thosts and add the following lines.
    [EXCLUDE]
    # Here is the list of hosts that are not allowed to log in via SSH2/Telnet:
    22.214.171.124 (Bob's machine)
    126.96.36.199 (Tom's machine)
Now let's look at the contents of the file. The [EXCLUDE] directive specifies that all IP addresses listed in the thosts file are not allowed to connect via SSH2/Telnet. The next line is a comment reminding the System Administrator that the following host IP addresses will not be allowed to connect via SSH2/Telnet. Next is the list of host IP addresses to exclude. The list can be as long as you desire.
Example: Restriction: Allow Only Specific Hosts to Connect
ACME Accounting has 3 remote locations. At each location there may be dozens of different users connecting at different times of the day. The system administrator only wants to allow SSH2/Telnet connections from the 3 remote locations. However, the ACME remote Location 3 office is temporarily closed for remodeling. Therefore, the system administrator wants to easily comment it out of the "allowed" list and quickly add it back as soon as the office reopens.
IP address of ACME accounting location 1 machine: 188.8.131.52
IP address of ACME accounting location 2 machine: 184.108.40.206
IP address of ACME accounting location 3 machine: 220.127.116.11
Edit the file thosts and add the following lines.
    # Here is the list of hosts that are allowed to log in via SSH2/Telnet
    18.104.22.168 (ACME accounting location 1 machine)
    22.214.171.124 (ACME accounting location 2 machine)
    # Let's not allow location 3 until the office reopens.
    # 126.96.36.199 (ACME accounting location 3 machine)
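To make the thosts rules above concrete, here is an added Python model of how a server would evaluate the two example files (exclusion list and allow list). It is not Georgia SoftWorks code; the parse_thosts and is_allowed functions and the sample file contents are constructed for illustration, following only the four rules listed in this tutorial.

```python
import ipaddress

# Constructed sample thosts contents, modelled on the two examples above.
EXCLUDE_FILE = """[EXCLUDE]
# Here is the list of hosts that are not allowed to log in via SSH2/Telnet:
22.214.171.124 (Bob's machine)
126.96.36.199 (Tom's machine)
"""

ALLOW_FILE = """# Here is the list of hosts that are allowed to log in via SSH2/Telnet
18.104.22.168 (ACME accounting location 1 machine)
22.214.171.124 (ACME accounting location 2 machine)
# Let's not allow location 3 until the office reopens.
# 126.96.36.199 (ACME accounting location 3 machine)
"""


def parse_thosts(text):
    """Return (exclude_mode, set_of_ips) for a thosts file body.

    Rules modelled (hypothetical implementation, not the vendor's):
    - [EXCLUDE] on the 1st line makes this an exclusion list;
    - '#' starts a comment;
    - anything after the IP address on a line is ignored.
    """
    lines = text.splitlines()
    exclude = bool(lines) and lines[0].strip().upper() == "[EXCLUDE]"
    hosts = set()
    for raw in lines[1 if exclude else 0:]:
        line = raw.split("#", 1)[0].strip()      # drop comment text
        if not line:
            continue
        token = line.split()[0]                  # trailing data is ignored
        try:
            hosts.add(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            # A typo here would silently change the policy, so fail loudly.
            raise ValueError(f"thosts: not an IPv4 address: {raw!r}")
    return exclude, hosts


def is_allowed(peer_ip, text):
    """Decide whether a connecting address passes the thosts policy."""
    exclude, hosts = parse_thosts(text)
    listed = str(ipaddress.IPv4Address(peer_ip)) in hosts
    # Exclusion list: listed hosts are denied, everyone else allowed.
    # Allow list: only listed hosts are allowed (an empty list denies all).
    return not listed if exclude else listed
```

Note that an allow-list file with every address commented out denies all connections, which is worth checking before reloading the file on a production server.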
How to Restrict Connections from 3rd Party Clients on GSW SSH/Telnet Client
This feature allows connections only from the Georgia SoftWorks SSH2/Telnet Client. This is another level of security that the system administrator can configure. Often the system administrator will not want users connecting to his or her system with a generic client.
The variable EnableRFC854Clients is a registry key value. It enables or disables connections from 3rd party clients. If it is disabled, only users of the Georgia SoftWorks SSH2/Telnet client are allowed to connect. The key is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GS_Tnet\Parameters\EnableRFC854Clients The default value is 1 (enabled). The value 1 allows connections from all Telnet/SSH clients. The value 0 restricts connections to the Georgia SoftWorks Telnet/SSH client.
This is how to change the registry key for 3rd Party Client Restriction. Note: You must be on the Windows system on which the Georgia SoftWorks Windows UTS is installed. However, you may connect to the Windows Registry from a remote location.
Steps to Only Allow Connections from the GSW SSH/Telnet Client:
Click the Start button at the bottom left corner of your screen.
Select Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\GS_Tnet\Parameters\EnableRFC854Clients
Select the menu item Edit and then click on Modify.
Enter the new value for EnableRFC854Clients and click OK.
The new value will take effect for all new connections.