Results 1 to 6 of 6

Thread: Does systemd allow starting the sshd.service when a specific IP tries to access via SSH?

  1. #1
    Join Date
    Oct 2009
    Location
    Germany
    Posts
    503

    Default Does systemd allow starting the sshd.service when a specific IP tries to access via SSH?

    Hi,
    the sshd.service is disabled on my main system (no autostart via systemd when the system boots) if i need it i just start it. But i just had an idea and i am curious if this actually works. I have no idea what systemd is capable of but i know that it brings some interesting stuff like socket activation. So i am wondering if it is possible for systemd to activate the sshd.service when needed? In general, if someone tries to access the pc via ssh? And what about restrictions, like only from the local network or only from a specific ip? Is that possible?

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,381
    Blog Entries
    2

    Default Re: Does systemd allow starting the sshd.service when a specific IP tries to access via SSH?

    Ordinarily you should leave the service running, that's the whole purpose and difference between a service and an application.
    You then configure your security to allow specific access, like only to remote machines with specific IP addresses, domain or host authentication, certificates, etc.

    Nowadays, machines and network connections are likely powerful or capable enough to withstand attacks, but if that concerns you, you can do things like install fail2ban, activate your ssh daemon by email, etc.

    But, particularly if you use some strong method of authentication like certificates and have a network adapter that offloads processing from the CPU, that should ordinarily be enough.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3
    Join Date
    Sep 2012
    Posts
    5,186

    Default Re: Does systemd allow starting the sshd.service when a specific IP tries to access via SSH?

    Quote Originally Posted by sabo007 View Post
    And what about restrictions, like only from the local network or only from a specific ip?
    Use firewall to restrict IP that is allowed to connect to port 22.

  4. #4
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,256

    Default Re: Does systemd allow starting the sshd.service when a specific IP tries to access via SSH?

    Quote Originally Posted by sabo007 View Post
    Hi,
    the sshd.service is disabled on my main system (no autostart via systemd when the system boots) if i need it i just start it. But i just had an idea and i am curious if this actually works. I have no idea what systemd is capable of but i know that it brings some interesting stuff like socket activation. So i am wondering if it is possible for systemd to activate the sshd.service when needed? In general, if someone tries to access the pc via ssh? And what about restrictions, like only from the local network or only from a specific ip? Is that possible?
    Apart from the other advices, just think of it. The "system" (whatever software it is) can only detect if some other system's ssh client wants to connect to the ssh server if it is "listening" on port 22. In other words, there must be a process that registered with the kernel that it wanted to be warned and given control is a connect request arrives for port 22. That procfess is normalt sshd.

    Now in earlier Unix/Linux times, when system resources where much more restricted then now, some systems had many processes "listening" on many ports. All those processes where in the sytem, more or less sleeping, but still using resouces (e.g. memory). As a remedy, xinetd was invented. That is a (only one and rather small) deamon that listens om all those ports needed (see xinetd.conf) and when woken up by the kernel because of contact on a posrt, it starts the real sshd/ftpd/rsyncd/whateverd to do the work. That takes of course some extra reaction time to get the connection established, but it is a trade off.

    You still can do that. But if you only have sshd to configure in xinetd and taking into account todays amount of memeory, etc. in a system, I wonder if it is worth to do it.

    I am not for sure, but as systemd is trying to do a lot of things, it could be that systemd has a mechanism where it can "listen" on a port and then start sshd when needed (same like xinetd). But again some process must "listen", there is no magic.
    Henk van Velden

  5. #5
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,552
    Blog Entries
    1

    Default Re: Does systemd allow starting the sshd.service when a specific IP tries to access via SSH?

    Quote Originally Posted by hcvv View Post
    I am not for sure, but as systemd is trying to do a lot of things, it could be that systemd has a mechanism where it can "listen" on a port and then start sshd when needed (same like xinetd). But again some process must "listen", there is no magic.
    Yes, systemd has socket activation, (I recall some distros employing it for cups a few years back for example), however there are discussions around some of the intricacies/issues involved with respect to doing this for sshd. For example

    https://bugzilla.redhat.com/show_bug.cgi?id=963268
    https://bugs.debian.org/cgi-bin/bugr...cgi?bug=867762
    https://systemd-devel.freedesktop.na...-based-systems
    openSUSE Leap 15.1; KDE Plasma 5

  6. #6
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    19,983
    Blog Entries
    14

    Default Re: Does systemd allow starting the sshd.service when a specific IP tries to access via SSH?

    FWIW: on 2 VPS's I have ListenAddress set to some other IP in /etc/ssh/sshd.service. This means I can access those 2 only from that other IP. Last time I tested, this worked as the OP desires.
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •