1. Home
  2. Linux systems
  3. Linux security

Recipe 3.13 Restricting Access to an SSH Server by Host

3.13.1 Problem

You want to limit access to sshd from specific remote hosts.

3.13.2 Solution

Use sshd's built-in TCP-wrappers support. Simply add rules to the files /etc/hosts.allow and /etc/hosts.deny, specifying sshd as the service. For example, to permit only 192.168.0.37 to access your SSH server, insert these lines into /etc/hosts.allow:

sshd: 192.168.0.37
sshd: ALL: DENY

3.13.3 Discussion

There is no need to invoke tcpd or any other program, as sshd processes the rules directly.

TCP-wrappers support in sshd is optional, selected at compile time. Red Hat 8.0 includes it but SuSE does not. If you're not sure, or your sshd seems to ignore settings in /etc/hosts.allow and /etc/hosts.deny, check if it was compiled with this support:

$ strings /usr/sbin/sshd | egrep 'hosts\.(allow|deny)'
/etc/hosts.allow
/etc/hosts.deny

If the egrep output is empty, TCP-wrappers support is not present. Download OpenSSH from http://www.openssh.com (or use your vendor's source RPM) and rebuild it:

$ ./configure --with-libwrap ...other desired options...
$ make
# make install

3.13.4 See Also

sshd(8), hosts_access(5).



    		Preface
    		Chapter 1. System Snapshots with Tripwire
    		Chapter 2. Firewalls with iptables and ipchains
    		Chapter 3. Network Access Control
    		Recipe 3.1 Listing Your Network Interfaces
    		Recipe 3.2 Starting and Stopping the Network Interface
    		Recipe 3.3 Enabling/Disabling a Service (xinetd)
    		Recipe 3.4 Enabling/Disabling a Service (inetd)
    		Recipe 3.5 Adding a New Service (xinetd)
    		Recipe 3.6 Adding a New Service (inetd)
    		Recipe 3.7 Restricting Access by Remote Users
    		Recipe 3.8 Restricting Access by Remote Hosts (xinetd)
    		Recipe 3.9 Restricting Access by Remote Hosts (xinetd with libwrap)
    		Recipe 3.10 Restricting Access by Remote Hosts (xinetd with tcpd)
    		Recipe 3.11 Restricting Access by Remote Hosts (inetd)
    		Recipe 3.12 Restricting Access by Time of Day
    		Recipe 3.13 Restricting Access to an SSH Server by Host
    		Recipe 3.14 Restricting Access to an SSH Server by Account
    		Recipe 3.15 Restricting Services to Specific Filesystem Directories
    		Recipe 3.16 Preventing Denial of Service Attacks
    		Recipe 3.17 Redirecting to Another Socket
    		Recipe 3.18 Logging Access to Your Services
    		Recipe 3.19 Prohibiting root Logins on Terminal Devices
    		Chapter 4. Authentication Techniques and Infrastructures
    		Chapter 5. Authorization Controls
    		Chapter 6. Protecting Outgoing Network Connections
    		Chapter 7. Protecting Files
    		Chapter 8. Protecting Email
    		Chapter 9. Testing and Monitoring
    		Colophon