Raspberry Pi – Implementing SSH – Part 1

By default, SSH is installed on Raspbian. In a production environment, you might want to limit who can access the RPi, even via SSH. You can do so with the /etc/hosts.allow file. The example below (change the IP address to the address of the workstation you are testing from) will block SSH access from that workstation –

Add a line like this to /etc/hosts.allow to block a specific host –
sshd : 192.168.15.161 : deny

Video: http://youtu.be/jt3Kks4YTks

Finding the name of the process to put in the hosts.allow file involved looking at the /var/log/auth.log file to identify the running process involved. That is what told me that I needed to use sshd instead of ssh as I would have expected. Anytime that you make a change to the hosts.allow file, you will need to restart the ssh service – sudo service ssh restart

If you want to allow only a specific workstation to get in via SSH and block all others, you would use something like this –

sshd : 192.168.15.161 : allow
sshd : 192.168.15. : deny

Using only 192.168.15. acts like a wildcard and blocks all workstations that didn’t match on the earlier rule.
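
The rule order and the trailing-dot prefix can be checked offline with a small model of the matching logic. This is an added example, not code from the original post and not libwrap itself; it assumes IPv4 clients, an empty /etc/hosts.deny, and constructed client addresses, and it also shows what happens to a client outside 192.168.15.:

```python
# Simplified model of TCP Wrappers matching for hosts.allow (added example).
# Assumes IPv4 clients, exact/trailing-dot/ALL patterns, empty /etc/hosts.deny.

RULES = """\
sshd : 192.168.15.161 : allow
sshd : 192.168.15. : deny
"""  # the two hosts.allow lines from the post


def parse_rules(text):
    """Return (daemons, clients, action) for each rule line, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # not a "daemon : client" rule
        action = fields[2].lower() if len(fields) > 2 else "allow"
        rules.append((fields[0].split(), fields[1].split(), action))
    return rules


def client_matches(pattern, ip):
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)  # 192.168.15. covers 192.168.15.x only
    return ip == pattern


def decide(rules, daemon, ip):
    """First matching rule wins. No match means allow here, because the
    model assumes nothing in hosts.deny catches the client."""
    for number, (daemons, clients, action) in enumerate(rules, start=1):
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, ip) for c in clients):
                return action, number
    return "allow", None


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for ip in ("192.168.15.161", "192.168.15.20", "192.168.150.1", "10.0.0.5"):
        print(ip, decide(rules, "sshd", ip))
    swapped = parse_rules("\n".join(reversed(RULES.splitlines())))
    print("order swapped:", decide(swapped, "sshd", "192.168.15.161"))
```

On the Pi itself, tcpdmatch sshd <address> (from the tcpd package) reports the decision the real library makes for the installed files.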

To see what SSH activity your RPi has had, do a tail of /var/log/auth.log (tail /var/log/auth.log) to see the last few lines of the file. You should see any files that have been changed or commands that were issued that result in a service being stopped/started.

To verify that SSH is active, use netstat -a | grep ssh –
pi@raspberrypi:~$ netstat -a | grep ssh
tcp 0 0 *:ssh *:* LISTEN

When an SSH session is active, your output will look something like this –

pi@raspberrypi:~$ netstat -a | grep ssh
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 raspberrypi.local.t:ssh 192.168.15.161:52742 ESTABLISHED

If you want to remove SSH, you will use sudo apt-get remove ssh.

To see more of my posts about the Raspberry Pi, please go to http://www.ronnutter.com/category/raspberry-pi/
