Linux Administration Cookbook

Changing the listen address

By default, SSH will listen on all addresses and interfaces:

#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

We're going to change this so that it's listening on only IPv4 and our eth1 address.

Change the preceding options to the following:

AddressFamily inet
ListenAddress 192.168.33.11
#ListenAddress ::

We've uncommented two of the options and changed their values.

In the preceding block, you may have noticed that ListenAddress :: is also listed. Here, :: is the IPv6 equivalent of 0.0.0.0 in IPv4.

Restart the SSH daemon:

[vagrant@centos2 ~]$ sudo systemctl restart sshd

Running our ss command from before, you may notice that the IPv6 option has disappeared:

[vagrant@centos2 ~]$ ss -nl sport = :2222
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 192.168.33.11:2222 *:*

If we now exit our session to centos2 (using Ctrl + D) and try to SSH to the IPv6 link-local address, it will fail:

[vagrant@centos1 ~]$ ssh fe80::a00:27ff:fe56:c5a7%eth1 -p2222
ssh: connect to host fe80::a00:27ff:fe56:c5a7%eth1 port 2222: Connection refused

A great success—we've squashed any possibility of trend-setters logging into our server on IPv6!
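The same before/after comparison can be made from the configuration file itself, before the daemon is restarted. The following is an added example, not code from the book: a hypothetical helper, audit_listen, that reads an sshd_config-style file and reports whether its uncommented directives leave sshd on a wildcard bind. It assumes whitespace-separated "keyword value" lines and does not follow Include files; the two sample files are constructed from the blocks shown in this section.

```shell
#!/bin/sh
# audit_listen FILE: print the effective AddressFamily and ListenAddress
# directives of an sshd_config-style file (hypothetical helper).
# Returns 0 if sshd is bound to specific addresses, 1 on a wildcard bind.
audit_listen() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
        { key = tolower($1) }                    # keywords are case-insensitive
        key == "addressfamily" && family == "" { family = tolower($2) }
        key == "listenaddress" { addrs[++n] = $2 }
        END {
            if (family == "") family = "any"     # default when unset
            print "AddressFamily " family
            wildcard = (n == 0)                  # no ListenAddress: all addresses
            for (i = 1; i <= n; i++) {
                a = addrs[i]
                print "ListenAddress " a
                if (a == "::" || a ~ /^0\.0\.0\.0(:[0-9]+)?$/ ||
                    a ~ /^\[::\](:[0-9]+)?$/) wildcard = 1
            }
            print (wildcard ? "RESULT wildcard" : "RESULT restricted")
            exit wildcard
        }
    ' "$1"
}

# Constructed samples: the stock block and the edited block from this section.
tmp=$(mktemp -d)
printf '%s\n' '#AddressFamily any' '#ListenAddress 0.0.0.0' \
    '#ListenAddress ::' > "$tmp/before"
printf '%s\n' 'AddressFamily inet' 'ListenAddress 192.168.33.11' \
    '#ListenAddress ::' > "$tmp/after"

audit_listen "$tmp/before" || echo "before: sshd listens on every address"
audit_listen "$tmp/after" && echo "after: sshd bound to the listed address only"
rm -rf "$tmp"
```

Run it against /etc/ssh/sshd_config before restarting the daemon; sudo sshd -t additionally checks the file for syntax errors.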

On a serious note for a minute, I've been hearing about the demise of IPv4 and the rise of IPv6 for years, pretty much since I started in computing. In that time, not much has changed, and both carriers and service providers have continued to eke everything they can out of IPv4, even introducing horrible things such as Carrier-grade NAT. I do hope that IPv6 picks up steam, not least because we're effectively out of IPv4 addresses to allocate.