Restrict SSH to one interface
How can I restrict incoming SSH connection requests to only one interface? I'm using Ubuntu Server 10.04 LTS.
I want to lock down access to SSH to only one interface because I use the server as a gateway to my home network. One interface is connected to the DSL modem/router and the other is connected to the home network. I only want to allow access to SSH from inside the home network.
Is restricting SSH to one IP in this case sufficient? Or do I have to lock it down to one interface?
Solution 1:
In the following file:
/etc/ssh/sshd_config
You'll see a line like:
#ListenAddress 0.0.0.0
This is commented out, but is the default, to listen on all IP addresses for ssh requests. You can change this so that it is the IP address of the interface you want to accept connections on, and so only that IP address will accept ssh connections:
ListenAddress 111.222.111.222
Restart the sshd service once changed.
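As an added check (example script, not part of the answer above), the following reads an sshd_config file, reports which addresses sshd will actually bind given the commented-out default, and fails if a wildcard address is still in effect. It assumes ListenAddress lines use the literal keyword spelling and plain IPv4 addresses (optionally with :port); the sample config written to a temp file is constructed for the demo.

```shell
#!/bin/sh
# Print the effective ListenAddress values of an sshd_config file ($1).
# sshd ignores '#' comment lines; with no active ListenAddress it binds every
# interface, which we report as 0.0.0.0 (the default shown on the commented line).
effective_listen_addresses() {
    addrs=$(sed -n 's/^[[:space:]]*ListenAddress[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1")
    if [ -z "$addrs" ]; then
        echo "0.0.0.0"
    else
        echo "$addrs"
    fi
}

# Return 0 only if every effective ListenAddress is a specific address,
# i.e. none of the wildcard forms 0.0.0.0, ::, [::] or * remain.
ssh_listens_on_specific_addresses() {
    for a in $(effective_listen_addresses "$1"); do
        # Drop a trailing :port on the IPv4 "addr:port" form before comparing.
        case "$a" in
            *.*.*.*:*) a=${a%:*} ;;
        esac
        case "$a" in
            0.0.0.0|::|'[::]'|\*) return 1 ;;
        esac
    done
    return 0
}

# Demo on a constructed config: the stock commented default plus one LAN address
# (192.168.1.1 is a placeholder for the home-network interface's IP).
demo_cfg=$(mktemp)
printf '#ListenAddress 0.0.0.0\nListenAddress 192.168.1.1\nPort 22\n' > "$demo_cfg"
echo "effective ListenAddress: $(effective_listen_addresses "$demo_cfg")"
if ssh_listens_on_specific_addresses "$demo_cfg"; then
    echo "OK: sshd is restricted to specific address(es)"
else
    echo "WARNING: sshd still listens on a wildcard address"
fi
rm -f "$demo_cfg"
```

After restarting sshd, confirm the running daemon with `ss -ltn` or `netstat -ltn`: port 22 should appear only against the LAN address, not 0.0.0.0.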
Solution 2:
Try installing a firewall and only allow SSH on one interface. My preference is Shorewall, which is an installable package on Ubuntu. You will need to configure it before it will start, but it is well documented and comes with several example configurations.
I use a mostly closed firewall with only the ports required open. If all you want to do is limit the interface SSH is allowed on you can use a REJECT or DROP action for ssh on the other interfaces. I would suggest if you are building a firewall you at least limit access on Internet facing interfaces.