How to restrict and except SSH access to specific IPs

Once your IP is public, it gets attention from many bots on the internet that run brute-force and dictionary attacks to “guess” your passwords, so it is always best to lock SSH access to a list of your trusted static IPs (such as your company’s VPN IPs).

For this tutorial we will use Linux’s hosts.allow and hosts.deny files, which are pretty straightforward.

Step 1

Now we will allow a list of known IPs that should be able to log in over SSH. For that we need to add an entry to the /etc/hosts.allow file, so go ahead and open it with your favorite editor:

nano /etc/hosts.allow

and add the following line to allow the whitelisted IP blocks to reach your public SSH port.

sshd: 10.20.30.40, 10.30.40.50, 10.15.25.32/28

This line allows every address and block in the comma-separated list to connect to your SSH port.

Note: double-check the IP addresses, or you will lock yourself out of SSH.

Step 2

Open the /etc/hosts.deny file using your favorite text editor:

nano /etc/hosts.deny

and add the following line to deny all other SSH connections to your public SSH port.

sshd: ALL

This line blocks every incoming SSH connection that is not matched by an entry in /etc/hosts.allow.
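
The files from Step 1 and Step 2 are consulted in a fixed order (hosts.allow first, then hosts.deny), and per hosts_access(5) a net/mask entry matches only when the client address ANDed with the mask equals the network part. The Python model below is an added example, not part of the original article; it handles only two-field "daemon: clients" lines with ALL, single IPv4 addresses and net/mask patterns, and assumes a libwrap build that accepts a prefix length such as /28 as the mask. The sample file contents are constructed.

```python
import ipaddress

def _mask(text):
    """Netmask as an int, from '255.255.255.240' or a prefix length like '28'."""
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    return (0xFFFFFFFF << (32 - int(text))) & 0xFFFFFFFF

def client_matches(pattern, client_ip):
    """Match one client pattern: ALL, a single IPv4 address, or net/mask."""
    addr = int(ipaddress.IPv4Address(client_ip))
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        # hosts_access(5): match only if net == (address AND mask)
        return (addr & _mask(mask)) == int(ipaddress.IPv4Address(net))
    return addr == int(ipaddress.IPv4Address(pattern))

def rule_matches(line, daemon, client_ip):
    """True if a 'daemons: clients' line applies to this daemon and client."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if ":" not in line:
        return False
    daemons, clients = (part.strip() for part in line.split(":", 1))
    daemon_list = daemons.replace(",", " ").split()
    if daemon not in daemon_list and "ALL" not in daemon_list:
        return False
    patterns = clients.replace(",", " ").split()
    return any(client_matches(p, client_ip) for p in patterns)

def access(allow_text, deny_text, client_ip, daemon="sshd"):
    """hosts.allow wins first, then hosts.deny; no match at all means allowed."""
    if any(rule_matches(l, daemon, client_ip) for l in allow_text.splitlines()):
        return "allow"
    if any(rule_matches(l, daemon, client_ip) for l in deny_text.splitlines()):
        return "deny"
    return "allow"

# Constructed sample file contents (not read from a real system)
ALLOW_MISALIGNED = "sshd: 10.20.30.40, 10.30.40.50, 10.15.25.35/28"
ALLOW_ALIGNED = "sshd: 10.20.30.40, 10.30.40.50, 10.15.25.32/28"
DENY = "sshd: ALL"

if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.15.25.35", "10.15.25.47", "203.0.113.9"):
        print(ip, access(ALLOW_MISALIGNED, DENY, ip), access(ALLOW_ALIGNED, DENY, ip))
```

A block written with host bits set, such as 10.15.25.35/28, never matches, so clients in that range fall through to the deny rule. On a live host, `ldd "$(command -v sshd)" | grep libwrap` shows whether sshd is linked against TCP wrappers; if it is not, both files are ignored.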

Conclusion

This will protect you from brute-force attacks and messages like “There were 9999 failed login attempts since the last successful login.”
