Configuring SSHD to limit access to your deployment

How to configure SSHD in order to limit host access to your VMware deployment.

About this task

The following example shows how to configure SSHD in order to limit VMware access to a certain set of IP addresses.

Attention:
  • SSHD configuration settings are not included in the IBM® API Connect backups. However, the settings are kept when you upgrade to a new fix pack.
  • If you change the SSHD cipher level, and encounter issues with the new configuration, you must revert your cipher changes and retest. If after the retest you still have issues, then contact IBM Support.

Procedure

  1. Log in to the target virtual machine by using an SSH tool, and switch to the root user. For example, to log in to the Management subsystem, run the following commands:
    ssh ip_address -l apicadm
    sudo -i
  2. Move to the following folder:
    /etc/ssh/sshd_config.d
  3. Create a new configuration file with the extension .conf that contains the IP address of the host that you want to allow to access your deployment.
    For example, to create the file run the following command:
    vi filename.conf

    Then, edit the file by using the following format, which in this example allows users from IP address 123.135.1.2:

    AllowUsers *@123.135.1.2
    Additional hosts can be added by separating the IP address patterns with a space. For example:
    AllowUsers *@123.135.1.2 *@135.168.1.2
  4. Restart the SSHD service by running the following command:
    systemctl restart sshd.service
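    The following POSIX shell script is an added example, not part of the IBM documentation, that automates steps 2 to 4: it validates each dotted-quad IPv4 address, builds the AllowUsers line in the user@host pattern shown in step 3, writes it to a drop-in, has sshd parse the complete configuration, and restarts the service only if that check passes. The drop-in file name 50-allowusers.conf and the SSHD_DROPIN_DIR override are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: automate steps 2 to 4.
# Assumptions: drop-in file name 50-allowusers.conf; SSHD_DROPIN_DIR may
# override the /etc/ssh/sshd_config.d directory from step 2.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
  esac
  IFS=. read -r a b c d rest <<EOF
$1
EOF
  [ -n "$d" ] && [ -z "$rest" ] || return 1   # exactly four octets
  for o in "$a" "$b" "$c" "$d"; do
    [ "$o" -le 255 ] || return 1
  done
}

# Print the AllowUsers line for the given addresses; fail on the first invalid one.
allow_users_line() {
  [ "$#" -gt 0 ] || { echo "no addresses given" >&2; return 1; }
  line="AllowUsers"
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    line="$line *@$ip"                          # same user@host pattern as step 3
  done
  printf '%s\n' "$line"
}

# Write the drop-in, have sshd parse the complete configuration (drop-ins
# included), and restart only if it passes; otherwise remove the file so the
# previous access rules stay in force. sshd -t checks syntax only; it cannot
# tell you whether your clients really arrive from the listed addresses.
install_allowusers_dropin() {
  dir="${SSHD_DROPIN_DIR:-/etc/ssh/sshd_config.d}"
  target="$dir/50-allowusers.conf"
  allow_users_line "$@" > "$target" || { rm -f "$target"; return 1; }
  if ! sshd -t; then
    rm -f "$target"
    echo "sshd rejected the new configuration; drop-in removed" >&2
    return 1
  fi
  systemctl restart sshd.service
}

# Keep the current session open and confirm that a new login from an allowed
# address succeeds before closing it:
# install_allowusers_dropin 123.135.1.2 135.168.1.2
```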

Results

Access to your VMware deployment is now limited to the specified set of IP addresses.

What to do next

If you want to remove a cipher from your SSHD configuration, you can edit the /etc/ssh/sshd_config file. For example, if your security department decides that you must stop using the 128-bit UMAC algorithm, you can remove it from your supported MACs list by changing the following line in /etc/ssh/sshd_config from:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
to:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
Then restart the SSHD service by running the following command:
systemctl restart sshd.service