SSH cut off access to those you do not want

Want to cut off SSH access to a Linux server? If you are a Linux administrator, you will know the usefulness of one s SSH that allows you to have root operations on remote systems.

Due to the importance of the function it is very likely that you have already taken many measures to lock down SSH access. The use of an SSH key for control αντί για ένα απλό password, και η αλλαγή της SSH port (22), may be the first steps you need to take, but it is not enough.

Below we will see one more step you can take. It is so easy and obvious that most managers forget that it exists as an option. This step does not require third-party software and can be configured in seconds.

What you will need

  • A Linux server running SSH
  • The IP addresses of each client that needs access to the server

You should also have access to the remote server console in case something goes wrong and you are locked out, like every time you tease SSH.

The first thing we need to do is allow the IP address of any client that needs SSH access to the remote server. Once you have a list of IP addresses, you can add them to /etc/hosts.allow. To do this, run the command:

su

Enter the root password, and

nano /etc/hosts.allow

At the bottom of this file, add the following:

sshd: IP

Where IP is the IP address of the remote client that needs access to the server. If you have multiple IP addresses, you can enter them as follows:

sshd: 100.53.33.77/30, 100.73.152.9/22, 100.92.100.11/51, 100.22.192.0/44

Or something like this:

sshd: 192.168.1.1/24
sshd:127.0.0.1
sshd: [::1]

Save and close the file. Nano storage is done by typing CTRL + X together, then y, and Enter

How to block all other addresses

Now that we have allowed an IP address or a list of addresses, it is time to block all other addresses. One thing you need to know is that one Linux reads the hosts.allow file first (from top to bottom), followed by hosts.deny (from top to bottom). So an SSH connection attempt from an IP address present in hosts.allow will be allowed, even though hosts.deny might block all IPs.

So, to block all other IP addresses, open the required file with the command:

nano /etc/hosts.deny

At the bottom of this file, add the following:

sshd: ALL

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.083 registrants.

SSH

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).