Recipe 3.13 Restricting Access to an SSH Server by Host

3.13.1 Problem

You want to limit access to sshd from specific remote hosts.

3.13.2 Solution

Use sshd's built-in TCP-wrappers support. Simply add rules to the files /etc/hosts.allow and /etc/hosts.deny, specifying sshd as the service. For example, to permit only to access your SSH server, insert these lines into /etc/hosts.allow:

sshd: ALL: DENY

3.13.3 Discussion

There is no need to invoke tcpd or any other program, as sshd processes the rules directly.

TCP-wrappers support in sshd is optional, selected at compile time. Red Hat 8.0 includes it but SuSE does not. If you're not sure, or your sshd seems to ignore settings in /etc/hosts.allow and /etc/hosts.deny, check if it was compiled with this support:

$ strings /usr/sbin/sshd | egrep 'hosts\.(allow|deny)'

If the egrep output is empty, TCP-wrappers support is not present. Download OpenSSH from (or use your vendor's source RPM) and rebuild it:

$ ./configure --with-libwrap ...other desired options...
$ make
# make install

3.13.4 See Also

sshd(8), hosts_access(5).

    Chapter 9. Testing and Monitoring