
SSH binding to single NIC


AnotherAlan

Technical User
Feb 10, 2006
362
GB
Hi All,

I have a specific problem that I cannot work out.

I have been asked to provide a Red Hat EL 5.1 server with two NICs and two IPs.
NIC1 is externally facing and within a DMZ that will accept requests over port 22, 80 and 443.
The application that sits here will reverse proxy these requests to an internal DMZ based server.
The secondary, NIC2, should not pick up any of these external requests and ideally should not be listening on these ports. However, from an admin perspective, I will need to ssh to NIC2 from inside my network.

I figure I can amend sshd_config to listen on NIC1, but not sure how I could then achieve ssh over NIC2.
Again, IPTABLES may be able to help me but I guess what I'm really looking for is a way to configure each NIC independently.

I hope this makes sense, because the more I think about it the more confused I get; it is Friday after all.

All help appreciated.
 
Well, I think you need 2 sshd instances with different sshd_configs with different bound IPs. At least that seems the simple answer.
 
By default, sshd will listen on all interfaces unless told not to. You can add a line like so
Code:
ListenAddress 0.0.0.0
to make sshd listen on all interfaces.

Then (I would) use iptables to trim down what ports are open for use, especially on the DMZ side.

FYI: If you're allowing ssh connections from the internet side be prepared for probes once it is known by anyone lurking about looking for mischief.

 
Thanks to all for your replies.
Some good advice here.

Nauliv, I can put these NICs on to the same or separate subnets. Whichever makes it easier for the configuration.

Elgrandeperro, Would this really be as simple as creating a second sshd_config file? I've never done this before.

Irudebwoy, IPTABLES..aarrraghh, back to the manuals for me then.

Cheers
 
No need to create another instance of sshd unless you need different configuration running. Using the line that IRudebwoy gave, one instance will listen to multiple interfaces.

Before worrying about iptables, I'd get sshd setup to listen to both ports (change sshd_config and kill -HUP it) and just try to connect. If it doesn't work then, check out iptables.
 
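An added check for the two posts above (IRudebwoy's note that sshd binds every interface unless told otherwise, and Edcrosbys' advice to get the listen addresses right before touching iptables). This is example code written for this page, not something posted in the thread: it parses an sshd_config the way sshd_config(5) describes and prints the sockets the daemon will bind, so you can see whether port 22 on the DMZ NIC is still answered by sshd. The addresses 192.0.2.10 (NIC1, DMZ) and 10.0.0.10 (NIC2, internal) are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): list the sockets an sshd_config will
# actually bind, so you can confirm sshd is reachable only on the internal NIC
# before iptables enters the picture. Rules follow sshd_config(5):
#   * "Port N" may be given several times; 22 is assumed when absent
#   * "ListenAddress host" (no port) binds every Port value
#   * "ListenAddress host:port" and "ListenAddress [v6addr]:port" carry a port
#   * no ListenAddress at all means 0.0.0.0 and :: (every interface)
# Older sshd releases only honour Port lines that precede a ListenAddress, so
# keep Port first in the file and this report matches either behaviour.
sshd_listen_sockets() {            # reads config on stdin, prints "addr port"
  awk '
    /^[ \t]*#/ { next }                           # comment lines
    NF == 0    { next }                           # blank lines
    tolower($1) == "port"          { ports[++np] = $2; next }
    tolower($1) == "listenaddress" {
      a = $2
      if (a ~ /^\[.*\]:[0-9]+$/) {                # [2001:db8::10]:2200
        p = a; sub(/.*\]:/, "", p)
        sub(/^\[/, "", a); sub(/\]:.*/, "", a)
        socks[++ns] = a " " p
      } else if (a ~ /^[^:]+:[0-9]+$/) {          # 10.0.0.10:2200 (one colon)
        p = a; sub(/.*:/, "", p); sub(/:.*/, "", a)
        socks[++ns] = a " " p
      } else {                                    # bare address or hostname
        bare[++nb] = a
      }
      next
    }
    END {
      if (np == 0) ports[++np] = 22
      if (ns == 0 && nb == 0) { bare[++nb] = "0.0.0.0"; bare[++nb] = "::" }
      for (i = 1; i <= nb; i++)
        for (j = 1; j <= np; j++) print bare[i] " " ports[j]
      for (i = 1; i <= ns; i++) print socks[i]
    }'
}

listen_sockets_of() {               # $1 = config text
  printf '%s\n' "$1" | sshd_listen_sockets
}

sshd_bound_on() {                   # $1 = config text, $2 = address; exit 0 if bound
  listen_sockets_of "$1" | grep -q "^$2 "
}

# Constructed sample configs; the addresses are assumptions for this example:
# 192.0.2.10 is the DMZ-facing NIC1, 10.0.0.10 the internal NIC2.
DEFAULT_CFG='
# no ListenAddress: sshd answers on both NICs, including the DMZ side
Port 22
PermitRootLogin no
'
INTERNAL_ONLY_CFG='
# bind only NIC2, leaving port 22 on NIC1 to the reverse proxy
Port 22
ListenAddress 10.0.0.10
PermitRootLogin no
'

echo "default config binds:";       listen_sockets_of "$DEFAULT_CFG"
echo "internal-only config binds:"; listen_sockets_of "$INTERNAL_ONLY_CFG"
```

To audit the live file, run `sshd_listen_sockets < /etc/ssh/sshd_config`, then `sshd -t` to let sshd itself validate the syntax before the `kill -HUP`, and compare against `netstat -ltnp | grep sshd` once it has reloaded.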
Yes, by default ssh is listening on all nic ports. I misinterpreted your aim.

 
Not that Edcrosbys is not doing a fine job explaining things; however, a combination of IPTABLES and/or TCP Wrappers will help you tighten down your sshd. I certainly agree that you need to limit who gets ssh from outside your forward facing interface. Either or both of these services (IPTABLES/WRAPPERS) will help with that.

Examples can be found at
N
 
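For the IPTABLES/TCP Wrappers suggestion above, here is an added example of what a per-interface ruleset looks like; it is written for this page, not taken from the thread or the linked examples. It emits an /etc/sysconfig/iptables-style ruleset in which NIC1 only accepts new connections to 22/80/443 (the reverse proxy's ports) and NIC2 only accepts ssh from the admin network, plus the hosts.allow/hosts.deny lines that make sshd refuse everyone else as a second layer. The interface names eth0/eth1 and the 10.0.0.0/24 admin network are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful iptables ruleset that lets
# each NIC offer only its own services, and the TCP Wrappers files that limit
# sshd to the admin network. Interface names and networks are assumptions.
#   $1 = DMZ interface (NIC1): accept NEW tcp 22/80/443 only
#   $2 = internal interface (NIC2): accept NEW tcp 22 from $3 only
#   $3 = admin network in CIDR form
# Everything else arriving on INPUT is rate-limited logged, then dropped by
# the chain policy, so probes on either side show up in /var/log/messages.
emit_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# NIC1: only the ports the reverse proxy publishes
-A INPUT -i $1 -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
# NIC2: admin ssh from the internal network only
-A INPUT -i $2 -p tcp -s $3 --dport 22 -m state --state NEW -j ACCEPT
# anything else: log (rate limited) and fall through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# TCP Wrappers: sshd is linked against libwrap on Red Hat, so these two files
# are consulted for every connection sshd does accept. The netmask form is
# used because plain tcp_wrappers 7.6 does not accept /24 prefix notation.
emit_hosts_allow() {   # $1 = admin network as net/netmask
  printf 'sshd: %s\n' "$1"
}
emit_hosts_deny() {
  printf 'sshd: ALL\n'
}

# Print the three fragments for review. On the real box you would run, as root:
#   emit_ruleset eth0 eth1 10.0.0.0/24 > /etc/sysconfig/iptables
#   service iptables restart
#   emit_hosts_allow 10.0.0.0/255.255.255.0 >> /etc/hosts.allow
#   emit_hosts_deny >> /etc/hosts.deny
echo "# /etc/sysconfig/iptables";  emit_ruleset eth0 eth1 10.0.0.0/24
echo "# /etc/hosts.allow";         emit_hosts_allow 10.0.0.0/255.255.255.0
echo "# /etc/hosts.deny";          emit_hosts_deny
```

Load the ruleset from a console session rather than over ssh the first time, and confirm with `iptables -L -n -v` that the counters on the eth0 rule only move for 22/80/443 while the eth1 rule only moves for traffic from the admin network.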
Thanks to all who have contributed to this discussion.
These are good ideas on how to go about this... just need to crack on with the manuals... I knew I should have attended the RHCE course. ;-)

Much appreciated
Al

 