ListenAddress Exclusion

Larry Becke llbecke at gmail.com
Tue Jun 24 02:39:48 EST 2014


I was wondering what everyone's thoughts were on a simpler way to exclude
addresses from having listeners on them.

I know a lot of people have multiple subnets, especially larger
corporations.

Some networks are non-routable, and therefore unsuitable for use with SSH,
aside from communication between other servers on the same subnet.

Given that we may want to exclude those non-routable subnets / vlans from
SSH use, I am proposing that rather than listing all of the acceptable
vlans for listeners, we use the following format to build an exclusion
list.

That would be like

ListenAddress 0.0.0.0
ListenAddress !192.168.0.0/24
ListenAddress !192.168.1.0/24

I have searched through the man pages and OpenSSH documentation and have
found nothing on this kind of configuration, with everyone talking about
using tcp wrappers or iptables to block ssh from accepting connections on
different subnets.

I feel that this would be a simpler way to prevent ssh from even starting
on those subnets.


Thanks for your time and consideration.

Larry Becke
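As an added illustration (not code from the post, and not an OpenSSH feature), the script below takes the proposed "!"-prefixed exclusion syntax and expands it into the explicit per-address ListenAddress lines that sshd's existing configuration syntax does accept, so the listening surface on non-routable subnets is reduced without waiting for a new option. The host addresses and the exclusion list are constructed sample values; the helper names and the reading of `0.0.0.0` / `::` as "every address of that IP version on this host" are assumptions of this example, and explicit entries are assumed to be bare addresses without a port suffix.

```python
import ipaddress

# Constructed sample: addresses assigned to this host's interfaces (hypothetical values).
HOST_ADDRESSES = ["10.20.30.5", "192.168.0.17", "192.168.1.9", "203.0.113.44"]

# Constructed sample in the syntax proposed in the post: a "!" prefix marks a network
# whose addresses must not get a listener.  This syntax is NOT understood by sshd itself.
PROPOSED_CONFIG = """
ListenAddress 0.0.0.0
ListenAddress !192.168.0.0/24
ListenAddress !192.168.1.0/24
"""


def parse_proposed(text):
    """Split proposed ListenAddress lines into (listen entries, excluded networks).

    Returns a list of address strings to listen on and a list of ip_network objects
    that are excluded.  Assumption of this example: entries are bare addresses.
    """
    listen, excluded = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key != "ListenAddress" or not value:
            continue
        if value.startswith("!"):
            # strict=False tolerates a host address written where a network is meant.
            excluded.append(ipaddress.ip_network(value[1:], strict=False))
        else:
            listen.append(value)
    return listen, excluded


def expand_listeners(host_addresses, listen, excluded):
    """Resolve wildcards against the host's addresses and drop anything excluded.

    Assumption of this example: "0.0.0.0" means every IPv4 address on the host and
    "::" means every IPv6 address; any other entry is kept as an explicit address.
    """
    wanted = []
    for entry in listen:
        if entry in ("0.0.0.0", "::"):
            version = 4 if entry == "0.0.0.0" else 6
            wanted.extend(a for a in host_addresses
                          if ipaddress.ip_address(a).version == version)
        else:
            wanted.append(entry)

    kept = []
    for addr in wanted:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in excluded):
            continue  # address lives on an excluded subnet: no listener there
        if addr not in kept:
            kept.append(addr)
    return kept


def render_sshd_config(addresses):
    """Emit the explicit ListenAddress lines sshd's current syntax accepts."""
    return "\n".join(f"ListenAddress {a}" for a in addresses)


def generate(text=PROPOSED_CONFIG, host_addresses=HOST_ADDRESSES):
    """Convenience wrapper: proposed syntax in, explicit sshd_config fragment out."""
    listen, excluded = parse_proposed(text)
    return render_sshd_config(expand_listeners(host_addresses, listen, excluded))


if __name__ == "__main__":
    print(generate())
```

Running it on the sample values yields two lines, `ListenAddress 10.20.30.5` and `ListenAddress 203.0.113.44`; the two 192.168.x addresses never receive a listener, which is the effect the post is asking for, achieved with the directives sshd already understands.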

