How to restrict "Remote Login" (ssh) access to only certain IP ranges?
Can someone please tell me how to restrict SSH access only to certain IP ranges (e.g. local network) and not the whole Internet? I guess this has to be done via firewall.
From man sshd
:
/etc/hosts.allow
/etc/hosts.deny
Access controls that should be enforced by tcp-wrappers are defined here.
Further details are described in hosts_access(5).
https://debian-administration.org/article/87/Keeping_SSH_access_secure offers these examples:
# /etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0
sshd: 192.168.0.0/255.255.255.0
# /etc/hosts.deny
sshd: ALL
The TCP wrapper program in Mac OS X is: tcpd
I did not test this, but I'd try this in terminal:
sudo ipfw add allow src-ip 10.0.0.0/8,172.16.0.0/16,192.168.0.0/16 dst-ip me dst-port 22
sudo ipfw add reject src-ip any dst-ip me dst-port 22
If you are behind a router and didn't map the port to your computer, that effectively disables SSH access from the internet.