How to restrict "Remote Login" (ssh) access to only certain IP ranges?

ssh firewall

Can someone please tell me how to restrict SSH access only to certain IP ranges (e.g. local network) and not the whole Internet? I guess this has to be done via firewall.


From man sshd:

/etc/hosts.allow
/etc/hosts.deny
Access controls that should be enforced by tcp-wrappers are defined here.  
Further details are described in hosts_access(5).

https://debian-administration.org/article/87/Keeping_SSH_access_secure offers these examples:

# /etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0
sshd: 192.168.0.0/255.255.255.0

# /etc/hosts.deny
sshd: ALL

The TCP wrapper program in Mac OS X is: tcpd


I did not test this, but I'd try this in terminal:

sudo ipfw add allow src-ip 10.0.0.0/8,172.16.0.0/16,192.168.0.0/16 dst-ip me dst-port 22
sudo ipfw add reject src-ip any dst-ip me dst-port 22

If you are behind a router and didn't map the port to your computer, that effectively disables SSH access from the internet.

Related

Can timestamps be preserved when copying files on OS X?
MacOS 10.14 Mojave public beta public Wi-Fi problem
Is there a problem with closing the lid of a MacBook Pro when using an external monitor?
Simplest way to prevent iTunes from automatically launching when iPhone/iPad is connected
Spotlight re-indexing takes too long or doesn't work
Reinstall Mac OS X Mountain Lion before selling a Mac
OS X 10.9: where are password hashes stored
Delete all backups of specific file/folder with tmutil
Force URL link to open with a specific browser
How to list all available .plist keys on a certain domain application by defaults command?
ntpd not updating time
How can I stop spaces from switching automatically?