how to restrict ssh login to a specific ip or host

ssh ubuntu

I must agree with dunxd, IPTables should not be discounted as a viable approach. You are in luck, however, since you can leverage tcpwrappers to the same functional end. Although more complex than on the surface, tcpwrappers essentially boils down to two files: /etc/hosts.allow and /etc/hosts.deny If these files do not yet exist, you can safely create them as empty files: sudo touch /etc/hosts.{allow,deny}.

Now it's time for things to get a little more complicated. The "best" approach to securing network access is to set your default, and only, hosts.deny entry to ALL:ALL, however, this may result in unintended access restrictions. For this reason, and the purposes of this question, it should be sufficient to enter sshd:ALL in /etc/hosts.deny which will disallow all ssh access to the host.

All entries in /etc/hosts.allow, as far as sshd is concerned, will now supersede the default deny rule: sshd: 172.168.0.21 will permit access to host 172.168.0.21 only and deny all others.

The tcpwrappers files accept a comma-separated list of entries, so you can append addresses to the first entry above. tcpwrappers also accept partial IP addresses as subnets, so you could allow the entire 172.168.0.0/24 as sshd: 172.168.0.

Please reference the man page for additional details. tcpwrappers is actually very feature-full and I recommend reading more than my brief examination above.


You could use the AllowUsers directive in /etc/ssh/sshd_config e.g.

AllowUsers [email protected]

If you make any changes in your sshd_config file don't forget to restart sshd.

from the sshd_config manpage 

This keyword can be followed by a list of user name patterns,
separated by spaces.  If specified, login is allowed only for
user names that match one of the patterns.  ‘*’ and ‘?’ can be
used as wildcards in the patterns.  Only user names are valid; a
numerical user ID is not recognized.  By default, login is
allowed for all users.  If the pattern takes the form USER@HOST
then USER and HOST are separately checked, restricting logins to
particular users from particular hosts.

Related

How do you administer 20 or more Linux Servers daily?
SNMP equivalent for show ip route?
How to map authenticated Apache users to their own directory?
How to stop Apache from crashing my entire server?
Renaming a windows 2003 domain?
How can I proxy multiple LDAP servers, and still have grouping of users on the proxy?
How to pass a request from one apache server to another
How to create a windows service in XP
What's in my ZFS ARC and L2ARC caches?
Getting a domain name off of the blacklist
Bridging LXC containers to host eth0 so they can have a public IP
Create a MySQL slave from another slave, but point it at the master