5

I want to restrict my SSH login to only one IP address, so I modified the following file

$ nano /etc/ssh/sshd_config

and added this line (i.e. my IP), hoping that it will work:

ListenAddress 172.168.0.21

but no luck: connection refused. I don't want to use any iptables thing. Why is it not working this way, how can I fix it, and is there any explanation?

jspeshu
  • Why don't you want to use "any iptables thing"? That will do what you want simply and securely, and knowing how to use it will serve you well for every other network tool you want to secure. – dunxd Nov 30 '10 at 13:12
  • Another way to do this today would be via [systemd](https://unix.stackexchange.com/a/644320/19025) – joshbaptiste Apr 09 '21 at 16:50

3 Answers

12

You could use the AllowUsers directive in /etc/ssh/sshd_config e.g.

AllowUsers you@ip.add.re.ss

If you make any changes in your sshd_config file don't forget to restart sshd.

From the sshd_config manpage:

This keyword can be followed by a list of user name patterns,
separated by spaces.  If specified, login is allowed only for
user names that match one of the patterns.  ‘*’ and ‘?’ can be
used as wildcards in the patterns.  Only user names are valid; a
numerical user ID is not recognized.  By default, login is
allowed for all users.  If the pattern takes the form USER@HOST
then USER and HOST are separately checked, restricting logins to
particular users from particular hosts.
user9517
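As an added illustration (not code from the answer or from OpenSSH itself), here is a small Python model of the USER@HOST matching that the manpage quote above describes, run against a constructed sshd_config fragment. It shows why `AllowUsers you@172.168.0.21` filters on the client's address while `ListenAddress` only picks the local address sshd binds to. Two simplifying assumptions: the host part is matched against the client IP only (real sshd also tries the reverse-resolved hostname), and the `!` negation form is not implemented.

```python
"""Emulate the AllowUsers check from sshd_config(5).

Added example, not code from the answers or from OpenSSH. Assumptions:
the host part of USER@HOST is compared with the client IP only, and the
'!' negation form is left out.
"""
import re

# Constructed sshd_config fragment: the accepted answer's directive plus
# the line the question tried.
SAMPLE_SSHD_CONFIG = """\
# ListenAddress is the LOCAL address sshd binds to; it does not filter clients.
ListenAddress 0.0.0.0
Port 22
AllowUsers you@172.168.0.21 admin@172.168.0.*
"""


def _match(pattern, value):
    """sshd patterns know only '*' and '?' as wildcards (no [] classes)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def parse_allow_users(config_text):
    """Collect every pattern from every AllowUsers line, in file order."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "allowusers" and len(parts) == 2:
            patterns.extend(parts[1].split())
    return patterns


def login_allowed(config_text, user, client_ip):
    """Return True if sshd would admit `user` connecting from `client_ip`."""
    patterns = parse_allow_users(config_text)
    if not patterns:
        return True  # no AllowUsers directive: every user is allowed
    for pat in patterns:
        user_pat, sep, host_pat = pat.partition("@")
        if not sep:
            # plain pattern: only the user name is checked
            if _match(user_pat, user):
                return True
        elif _match(user_pat, user) and _match(host_pat, client_ip):
            # USER@HOST: both halves are checked separately
            return True
    return False


if __name__ == "__main__":
    for who, where in [("you", "172.168.0.21"), ("you", "172.168.0.22"),
                       ("admin", "172.168.0.7"), ("root", "172.168.0.21")]:
        verdict = "allowed" if login_allowed(SAMPLE_SSHD_CONFIG, who, where) else "denied"
        print(f"{who} from {where}: {verdict}")
```

Note that the sample's `ListenAddress 0.0.0.0` plays no part in the verdict; only the `AllowUsers` patterns do. After editing the real file, check it with `sshd -t` before restarting sshd, and keep your current session open until a fresh login from the permitted address succeeds.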
7

I must agree with dunxd, IPTables should not be discounted as a viable approach. You are in luck, however, since you can leverage tcpwrappers to the same functional end. Although more complex than on the surface, tcpwrappers essentially boils down to two files: /etc/hosts.allow and /etc/hosts.deny. If these files do not yet exist, you can safely create them as empty files: sudo touch /etc/hosts.{allow,deny}.

Now it's time for things to get a little more complicated. The "best" approach to securing network access is to set your default, and only, hosts.deny entry to ALL:ALL; however, this may result in unintended access restrictions. For this reason, and for the purposes of this question, it should be sufficient to enter sshd:ALL in /etc/hosts.deny, which will disallow all ssh access to the host.

All entries in /etc/hosts.allow, as far as sshd is concerned, will now supersede the default deny rule: sshd: 172.168.0.21 will permit access to host 172.168.0.21 only and deny all others.

The tcpwrappers files accept a comma-separated list of entries, so you can append addresses to the first entry above. tcpwrappers also accepts partial IP addresses as subnets, so you could allow the entire 172.168.0.0/24 as sshd: 172.168.0.

Please reference the man page for additional details. tcpwrappers is actually very feature-full and I recommend reading more than my brief examination above.

Tok
  • ALL: ALL EXCEPT 172.168.0.21 in the hosts.allow file seems to work fine. Is that OK? – jspeshu Nov 30 '10 at 13:48
  • @jspeshu - Without testing it I would have expected that to be the opposite behavior, unless you placed it in /etc/hosts.deny, however, if it is working for you then I'd run with it. Something that I neglected to mention earlier, not all daemons respect tcpwrappers, so you should always verify that one does before leveraging this tool to control access. In this case SSH is pretty friendly. – Tok Nov 30 '10 at 13:57
  • yeah it's on hosts.deny file sorry – jspeshu Nov 30 '10 at 14:01
  • @jspeshu - No need to apologize; you just made me scratch my head a little harder this morning. That entry in hosts.deny should definitely do the trick, plus you get the added benefit of only having to go to one place if and when you need to make changes. – Tok Nov 30 '10 at 14:16
0

Without iptables I would say it's impossible.

Using ListenAddress in sshd_config means you bind the SSH daemon to that specific (local) IP address. If the IP address isn't on your system, sshd might fail.

It seems sshd also uses libwrap, so you can also define the following:

in /etc/hosts.allow: sshd: <ip address you allow access from>

in /etc/hosts.deny: ALL: ALL

Of course I would advise you to read the man pages of the packages involved.

Riccardo B.
  • @Riccardo If that is the case, what is the purpose of "ListenAddress"? Only to say 127.0.0.1 or 0.0.0.0? – jspeshu Nov 30 '10 at 13:10
  • It is the IP address that SSH is listening on. Not the address it is listening to. – dunxd Nov 30 '10 at 13:11
  • @dunxd You really didn't answer my question. I mean, what exactly is the purpose of "ListenAddress"? Sorry, I hate to be rude. – jspeshu Nov 30 '10 at 13:38
  • The purpose of ListenAddress is to define the IP address that your SSH server is listening for SSH connections on. Your server may have multiple IP addresses, so you use ListenAddress to say which one someone can use to make an SSH connection on. It has *nothing* to do with the IP address of the person trying to make an SSH connection. – dunxd Nov 30 '10 at 13:45
  • @jspeshu: If you have multiple interfaces on your server then by default sshd will listen on all of them. By using the ListenAddress directive you can specify which interfaces are used. – user9517 Nov 30 '10 at 13:49
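To check the hosts.allow/hosts.deny pairs given in the second and third answers, and to see why the comment thread under the second answer found `ALL: ALL EXCEPT 172.168.0.21` effective in hosts.deny but expected the opposite in hosts.allow, here is an added Python model of the hosts_access(5) evaluation order (not code from the answers or from tcp_wrappers). The file contents it evaluates are constructed for the demo; only the pattern forms the answers use are modelled (ALL, an exact IPv4 address, a trailing-dot prefix such as `172.168.0.`, a `net/mask` pair and `list EXCEPT list`), while hostname patterns, LOCAL/KNOWN/PARANOID and the options field are left out.

```python
"""Emulate hosts_access(5): hosts.allow first, then hosts.deny, then allow.

Added example, not code from the answers or from tcp_wrappers. Only IPv4
address patterns (ALL, exact, trailing-dot prefix, net/mask) and the EXCEPT
operator are modelled; the sample file contents are constructed.
"""
import ipaddress
import re


def _tokens(text):
    """Entries in a list are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", text.strip()) if t]


def _parse_list(text):
    """Split 'a, b EXCEPT c, d' into (members, exceptions)."""
    parts = re.split(r"\bEXCEPT\b", text, maxsplit=1)
    members = _tokens(parts[0])
    exceptions = _tokens(parts[1]) if len(parts) == 2 else []
    return members, exceptions


def _daemon_matches(token, daemon):
    return token == "ALL" or token == daemon


def _client_matches(token, ip):
    if token == "ALL":
        return True
    if token.endswith("."):           # '172.168.0.' covers 172.168.0.0/24
        return ip.startswith(token)
    if "/" in token:                  # '172.168.0.0/255.255.255.0'
        return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)
    return token == ip                # exact address


def _list_matches(list_text, value, match_fn):
    members, exceptions = _parse_list(list_text)
    return (any(match_fn(t, value) for t in members)
            and not any(match_fn(t, value) for t in exceptions))


def _file_matches(content, daemon, ip):
    """True if any 'daemon_list : client_list' line in `content` matches."""
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                  # malformed line: ignore for this demo
        if (_list_matches(fields[0], daemon, _daemon_matches)
                and _list_matches(fields[1], ip, _client_matches)):
            return True
    return False


def access_granted(hosts_allow, hosts_deny, daemon, ip):
    """Documented order: allow-file match grants, deny-file match refuses,
    otherwise the request is granted."""
    if _file_matches(hosts_allow, daemon, ip):
        return True
    if _file_matches(hosts_deny, daemon, ip):
        return False
    return True


if __name__ == "__main__":
    # Constructed scenarios taken from the answers and their comments.
    scenarios = {
        "answer 2: one host allowed, sshd denied for the rest":
            ("sshd: 172.168.0.21", "sshd: ALL"),
        "comment: EXCEPT line placed in hosts.deny":
            ("", "ALL: ALL EXCEPT 172.168.0.21"),
        "same EXCEPT line placed in hosts.allow (restricts nothing)":
            ("ALL: ALL EXCEPT 172.168.0.21", ""),
        "whole /24 via trailing dot":
            ("sshd: 172.168.0.", "sshd: ALL"),
    }
    for name, (allow, deny) in scenarios.items():
        verdicts = {ip: access_granted(allow, deny, "sshd", ip)
                    for ip in ("172.168.0.21", "172.168.0.22", "172.168.1.5")}
        print(name, verdicts)
```

The third scenario is the one the comment thread puzzled over: an `ALL: ALL EXCEPT 172.168.0.21` line in hosts.allow grants everyone except that address, and that address then falls through to an empty hosts.deny and is granted as well, so nothing is blocked. The same line in hosts.deny blocks everyone except that address. Also keep in mind Tok's caveat that a daemon only honours these files if it is built against libwrap; newer OpenSSH releases have dropped that support, so verify on your system before relying on it.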