
5.2.4 Ensure SSH access is limited

Audit

Run the following commands and verify the output:

# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$'

# grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config

Verify that the output of both commands matches at least one of the following lines:

allowusers <userlist>
allowgroups <grouplist>
denyusers <userlist>
denygroups <grouplist>
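
An added example, not part of the benchmark text: a shell check that applies the same test as the audit commands above to a saved configuration file or `sshd -T` dump, passing only when an uncommented AllowUsers, AllowGroups, DenyUsers or DenyGroups line carries at least one argument. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print every AllowUsers/AllowGroups/DenyUsers/DenyGroups line in file $1 that
# has at least one argument, normalised to "keyword args" (lower-case keyword).
# Commented-out lines and keywords without a value are skipped.
list_access_directives() {
    awk '
        {
            key = tolower($1)
            if (key ~ /^(allow|deny)(users|groups)$/ && NF >= 2) {
                $1 = key        # also collapses runs of whitespace
                print
            }
        }' "$1"
}

# Exit status 0 when at least one such directive is present, 1 otherwise.
ssh_access_limited() {
    [ -n "$(list_access_directives "$1")" ]
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/compliant" <<'EOF'
Port 22
PermitRootLogin no
  AllowGroups   sshusers wheel
denyusers guest
EOF
cat > "$SAMPLE_DIR/noncompliant" <<'EOF'
Port 22
#AllowUsers alice
# DenyGroups contractors
AllowUsers
EOF

for f in compliant noncompliant; do
    if ssh_access_limited "$SAMPLE_DIR/$f"; then
        echo "$f: PASS"
        list_access_directives "$SAMPLE_DIR/$f"
    else
        echo "$f: FAIL (no AllowUsers/AllowGroups/DenyUsers/DenyGroups set)"
    fi
done
```

On a host, save the output of the `sshd -T` audit command to a file and pass that file as the argument, so the check sees the effective configuration rather than only the main file.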

Remediation

Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows:

AllowUsers <userlist>

OR

AllowGroups <grouplist>

OR

DenyUsers <userlist>

OR

DenyGroups <grouplist>

Default Value:

None