Hello
There is a bug in R80.40 JHF GA take 67 which allows ssh connection access from any external IP to a management station, despite only specific IPs or networks being configured as trusted clients.
We have logged a TAC and R&D are investigating. In the interim, they have suggested the following to restrict access.
-------------------------
Configure the ssh daemon in sshd_config (/etc/ssh/sshd_config) to use a different authentication method depending on the client address/hostname.
First remove default authentication methods:
PasswordAuthentication no
PubkeyAuthentication no
Then add the desired authentication methods after a Match Address line at the end of the file. Placing Match at the end of the file is important, since all the configuration lines after it are placed inside the conditional block until the next Match line.
For example:
Match Address 127.0.0.*
PubkeyAuthentication yes
Other clients are still able to connect, but logins will fail because there are no available authentication methods.
-------------------------
Has anyone used this to restrict traffic?
We need to restrict access to 4 /24 networks and a /32 host.
More information about Match method in sshd_config
https://linux.die.net/man/5/sshd_config
Regards,
Simon