Score:0

Allow SFTP and place ACL on SSH connections


I have a bit of a unique situation with Ubuntu 20.04. I need to allow SFTP and SSH on port 22 but I want to limit SSH console connections using an ACL. I can't do this at a port level, AFAIK, as the traffic looks the same to my firewall so all I can do is allow TCP 22 to the server.

I am already using /usr/sbin/nologin as the shell in /etc/passwd for user accounts that need to SFTP only; however, there are legitimate reasons to get console access over port 22 for some users, and I do not want them brute forced or otherwise exploited.

I want to limit these console sessions (regardless of the user) to internal (private) addresses only, while still allowing SFTP from the group of public addresses defined in my firewall.

I know the easy answer to this is to just switch up to FTPS, which I have set up with vsftpd; however, there are application limitations that require the use of SFTP in some circumstances.

mangohost
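One way to get the split the question asks for, as an added example and not the asker's own configuration: sshd can make the decision itself with a Match block keyed on the client's source address, so the firewall keeps passing TCP 22 from the defined public addresses and sshd decides per connection whether a shell is allowed. Everything below assumes the internal networks are the RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); substitute the real ranges. The fragment is meant for /etc/ssh/sshd_config on Ubuntu 20.04 (OpenSSH 8.2).

```sshd_config
# Added example for the setup in the question (not from the original post).
# Assumption: the three RFC 1918 blocks below are the only "internal" ranges.

# Use the in-process SFTP server everywhere. Unlike the external
# /usr/lib/openssh/sftp-server, internal-sftp is not started through the
# account's login shell, so SFTP-only accounts with /usr/sbin/nologin keep
# working from any address. Edit the existing Subsystem line rather than
# adding a second one: a duplicate "Subsystem sftp" makes sshd -t fail.
Subsystem sftp internal-sftp

# A Match block must be the last thing in the file; every line after it
# belongs to the block. The pattern list matches everything (*) except the
# negated CIDR blocks, i.e. it applies to all connections that do NOT come
# from an internal address, regardless of which user authenticates.
Match Address *,!10.0.0.0/8,!172.16.0.0/12,!192.168.0.0/16
    # Whatever the client asks for (shell, command, subsystem) is replaced
    # by the in-process SFTP server, so no console session is possible.
    ForceCommand internal-sftp
    PermitTTY no
    # Close the side channels a shell-less user could still reach.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Connections from the internal ranges fall through the Match block and keep the global settings, so those users get a normal shell and can still use SFTP; everyone else, including a shell user whose password is guessed from the internet, lands in SFTP with no TTY and no forwarding. Before reloading, check the syntax with `sudo sshd -t`, then confirm the effective rules for a simulated client with `sudo sshd -T -C user=alice,host=example,addr=203.0.113.7 | grep -Ei '^(forcecommand|permittty)'` (expect `internal-sftp` and `no`) and again with `addr=10.0.0.7` (expect `none` and `yes`), and only then `sudo systemctl reload ssh`. Two caveats: the Match criteria are only as trustworthy as the source address sshd sees, so if the server sits behind a NAT gateway or a proxy that rewrites the client address, every connection will look internal and the restriction is void; and the firewall rule that limits port 22 to the defined public addresses should stay in place as the outer layer, since this block narrows what a connection may do but does not itself reduce who can attempt to authenticate.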
