I need to restrict connections to an openssh server to only three or four IP addresses. I know I can, on the CentOS 7 and Oracle Linux boxes, use firewalld or TCP wrappers. However, some of the servers on the network do not support firewalld or have a build of openssh that doesn't include libwrap.so. Those need an ssh solution.
I've tried different variations such as these but, so far, I either get locked out completely or anyone can get in.
Match Address !10.222.79.74,!10.222.79.75,!172.23.10.22,!10.217.184.58
DenyUsers *@*
DenyUsers *@*
Match Address 10.222.79.74,10.222.79.75,172.23.10.22,10.217.184.58
AllowUsers *@*
Is there a way to do this?
OK, I am officially a DA.
I set the log level to debug and, from looking at the most recent login, I realized I was testing from one of the IPs on the allowed list. I tried it from a different client and the following works as expected.
Match Host *,!10.222.79.74,!10.222.79.75,!172.23.10.22,!10.217.184.58
DenyUsers *
Apologies for wasting your time.
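As an added illustration (not from any of the posts above), here is a small Python model of how sshd evaluates a Match Address pattern list: a matching negated entry rejects the client immediately, while a non-negated match is only remembered, so a list made of nothing but negations never selects any client and a DenyUsers under it applies to nobody. It assumes configs that use only Match Address blocks (Host criteria are ignored) and DenyUsers patterns that deny all users, as in the question.

```python
import fnmatch
import ipaddress

def address_matches(addr: str, pattern_list: str) -> bool:
    """Model sshd's Match Address pattern-list rule: entries are comma
    separated, '!' negates, IP/CIDR entries compare numerically and anything
    else as a wildcard. A matching negated entry rejects at once; a positive
    match is only remembered, so a list of nothing but negations never matches."""
    ip = ipaddress.ip_address(addr)
    positive = False
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        pattern = entry[1:] if negated else entry
        try:
            hit = ip in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # not an address or CIDR block: wildcard compare
            hit = fnmatch.fnmatchcase(addr, pattern)
        if hit and negated:
            return False
        positive = positive or hit
    return positive

def is_denied(config_text: str, client_addr: str) -> bool:
    """True if a DenyUsers directive applies to client_addr. Model assumptions
    (this is not sshd's parser): only 'Match Address' blocks are honoured and
    every DenyUsers pattern denies all users (as '*' and '*@*' in the question do)."""
    block = None  # None: global section; otherwise the Match Address list
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "match":
            criterion, _, addr_list = value.partition(" ")
            block = addr_list if criterion.lower() == "address" else ""
        elif keyword.lower() == "denyusers":
            if block is None or address_matches(client_addr, block):
                return True
    return False

# Constructed configs mirroring the two shapes discussed in the thread.
NEGATED_ONLY = """Match Address !10.222.79.74,!10.222.79.75,!172.23.10.22,!10.217.184.58
    DenyUsers *@*
"""
EVERYONE_BUT = """Match Address *,!10.222.79.74,!10.222.79.75,!172.23.10.22,!10.217.184.58
    DenyUsers *
"""
```

With NEGATED_ONLY no client is ever denied, which matches the "anyone can get in" symptom; with EVERYONE_BUT every address outside the four listed ones is denied.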
According to sshd_config man page (OpenSSH_8.0p1):
So I guess the first example looks like the correct one.
Please note: I have a strong feeling this changed recently (from the LAST value to be used), so please check your man pages. And (as I just checked it) it doesn't look like it is working as described, so you may have to experiment.