Controlling SSH access to a Symantec Messaging Gateway Appliance.

Article ID: 156882

Products

Messaging Gateway

Issue/Introduction

You wish to configure the Symantec Messaging Gateway to accept or reject connections based on hostname or IP address.

Resolution

You can use the sshd-config command with the --add/-a option in conjunction with the "allow" or "deny" argument to allow or block SSH access from hosts.

You may also use the following keywords.

ALL -- Matches any address.

LOCAL -- Matches any host whose name does not contain a dot character.

KNOWN -- Matches any host whose name and address are known.

UNKNOWN -- Matches any host whose name or address is unknown.

The KNOWN and UNKNOWN options depend on the DNS service to resolve host information.

Additional information about sshd-config can be found by using the sshd-config --help command or referring to the Administration Guide.

Examples:

To limit access to the SMG CLI to only a single internal network, perform the following:

smg> sshd-config -a ALLOW 192.168.1.0/255.255.255.0
smg> sshd-config -a DENY ALL
smg> sshd-config --list
ALLOW
  1: 192.168.1.0/255.255.255.0

DENY
  1: ALL

To add an additional allowed host:

smg> sshd-config -a ALLOW 10.0.0.1
smg> sshd-config --list
ALLOW
  1: 192.168.1.0/255.255.255.0
  2: 10.0.0.1

DENY
  1: ALL

To then remove the 192.168.1.0 network:

smg> sshd-config -d ALLOW 1
smg> sshd-config --list
ALLOW
  1: 10.0.0.1

DENY
  1: ALL
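
A way to dry-run an ALLOW/DENY rule set against the addresses you administer from before typing it into the appliance. This is an added example, not part of the original article or the product's own code. It assumes the lists are evaluated in the TCP Wrappers order (ALLOW first, then DENY, otherwise permitted), which the article does not state, and it reduces KNOWN/UNKNOWN to whether DNS returned a name; the function names and sample clients are constructed.

```python
import ipaddress

def matches(pattern, ip, hostname=None):
    """True if one list entry matches the client (hostname=None: DNS returned no name)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":      # name without a dot character
        return hostname is not None and "." not in hostname
    if pattern == "KNOWN":      # simplification: a name was resolved
        return hostname is not None
    if pattern == "UNKNOWN":    # simplification: no name was resolved
        return hostname is None
    if "/" in pattern:          # net/mask form, e.g. 192.168.1.0/255.255.255.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return ip == pattern or (hostname is not None and hostname.lower() == pattern.lower())

def decide(allow, deny, ip, hostname=None):
    """Assumed evaluation order: ALLOW list, then DENY list, otherwise permitted."""
    if any(matches(p, ip, hostname) for p in allow):
        return "allow"
    if any(matches(p, ip, hostname) for p in deny):
        return "deny"
    return "allow"

def audit(allow, deny, clients):
    """Map each client IP to its verdict, to spot lock-outs before applying a change."""
    return {ip: decide(allow, deny, ip, host) for ip, host in clients}

# Constructed sample clients: (source IP, resolved hostname or None)
CLIENTS = [("192.168.1.25", "admin-ws"), ("10.0.0.1", None), ("203.0.113.7", None)]

if __name__ == "__main__":
    net = "192.168.1.0/255.255.255.0"
    steps = [  # the three list states shown in the article's examples
        ("ALLOW net, DENY ALL", [net], ["ALL"]),
        ("add ALLOW 10.0.0.1", [net, "10.0.0.1"], ["ALL"]),
        ("remove ALLOW 1", ["10.0.0.1"], ["ALL"]),
        ("ALLOW net, empty DENY", [net], []),
    ]
    for label, allow, deny in steps:
        print(f"{label:24} {audit(allow, deny, CLIENTS)}")
```

Under the assumed order, the last row shows why the DENY ALL entry matters: an ALLOW entry alone restricts nothing, and the third row shows the 192.168.1.0 workstation losing access once its entry is deleted.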