Limit SSH access to specific clients by IP address

by

How do we allow certain set of Private IPs to enter through SSH login(RSA key pair) into Linux Server?

Contents hide
Answers:
Method 1
Option 1: Filtering with IPTABLES
Option 2: Using TCP wrappers
Option 3: SSH daemon configuration
Method 2
Method 3
Method 4
Method 5

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

You can limit which hosts can connect by configuring TCP wrappers or filtering network traffic (firewalling) using iptables. If you want to use different authentication methods depending on the client IP address, configure SSH daemon instead (option 3).

Option 1: Filtering with IPTABLES

Iptables rules are evaluated in order, until first match.

For example, to allow traffic from 192.168.0.0/24 network and otherwise drop the traffic (to port 22). The DROP rule is not required if your iptables default policy is configured to DROP.

iptables -A INPUT -p tcp --dport 22 --source 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

You can add more rules before the drop rule to match more networks/hosts. If you have a lot of networks or host addresses, you should use ipset module. There is also iprange module which allows using any arbitrary range of IP addresses.

Iptables are not persistent across reboots. You need to configure some mechanism to restore iptables on boot.

iptables apply only to IPv4 traffic. Systems which have ssh listening to IPv6 address the necessary configuration can be done with ip6tables.

Option 2: Using TCP wrappers

Note: this might not be an option on modern distributions, as support for tcpwrappers was removed from OpenSSH 6.7

You can also configure which hosts can connect using TCP wrappers. With TCP wrappers, in addition to IP addresses you can also use hostnames in rules.

By default, deny all hosts.

/etc/hosts.deny:

sshd : ALL

Then list allowed hosts in hosts.allow. For example to allow network 192.168.0.0/24 and localhost.

/etc/hosts.allow:

sshd : 192.168.0.0/24
sshd : 127.0.0.1
sshd : [::1]

Option 3: SSH daemon configuration

You can configure ssh daemon in sshd_config to use different authentication method depending on the client address/hostname. If you only want to block other hosts from connecting, you should use iptables or TCP wrappers instead.

First remove default authentication methods:

PasswordAuthentication no
PubkeyAuthentication no

Then add desired authentication methods after a Match Address in the end of the file. Placing Match in the end of the file is important, since all the configuration lines after it are placed inside the conditional block until the next Match line. For example:

Match Address 127.0.0.*
    PubkeyAuthentication yes

Other clients are still able to connect, but logins will fail because there is no available authentication methods.

Match arguments and allowed conditional configuration options are documented in sshd_config man page. Match patterns are documented in ssh_config man page.

Method 2

Here some additional configuration for SSH daemon to extend previous answer:

  • Add user filtering with AllowUsers option in sshd_config file: 
    AllowUsers <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="2e444146404a414b6e1f171c001f1816001f00">[email protected]</a>* <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="a5c4c1c8cccb97e5949c978b94939d8b948b">[email protected]</a>* otherid1 otherid2

    This allows johndoe and admin2 only from 192.168.1.* addresses and otherid1, otherid2 from anywhere.

  • Restrict a ssh key or ca-based key to a set of addresses in .ssh/authorized_keys file of a given user’s home directory: 
    from="192.168.1.*,192.168.2.*" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA...etc...mnMo7n1DD useralias

    In this example, the public key for useralias will be effective only from given addresses.

Method 3

If you don’t mind installing UFW:

sudo ufw allow from 192.168.1.0/24 to any port 22

EDIT:

As previous mentioned it’s a good practice to only authenticate using keys instead of passwords which can be done by editing /etc/ssh/sshd_config:

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Method 4

If you’re using SSH CA for client authentication, you can specify the source-address option when signing certificates:

ssh-keygen -s ca_privkey -O source-address=172.16.0.0/16 id_rsa.pub
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The certificate id_rsa-cert.pub can be used to log in to hosts only from 172.16.0.0/16 addresses (not even 127.0.0.1 unless you specify that as well).

man 1 ssh-keygen is a good document if you want more details.

Method 5

Another way you can limit access to sshd on a GNU/Linux system at the socket level with a built-in (assuming init is systemd 235+ and kernel 4.11+) is by utilizing systemd with cgroup/eBPF access lists

Modify the base sshd systemd stanza

sudo systemctl edit sshd

Append the sshd [Service] stanza to your liking

[Service]
#requires systemd 235+ and kernel 4.11+
IPAccounting=yes
IPAddressDeny=any
IPAddressAllow=192.18.1.22
IPAddressAllow=10.161.0.0/16
IPAddressAllow=100.64.0.0/24

reload for immediate effect

sudo systemctl daemon-reload


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x