3.13. Restricting Access to an SSH Server by Host

Problem

You want to limit access to sshd from specific remote hosts.

Solution

Use sshd’s built-in TCP-wrappers (libwrap) support: add rules to /etc/hosts.allow and /etc/hosts.deny naming sshd as the service. libwrap consults /etc/hosts.allow first and the first matching rule wins, so the permit line must come before the catch-all DENY. For example, to permit only 192.168.0.37 to reach your SSH server, insert these lines into /etc/hosts.allow:

sshd: 192.168.0.37
sshd: ALL: DENY

Discussion

There is no need to invoke tcpd or any other program: sshd is linked against libwrap and evaluates the rules itself, at each incoming connection, so edits to the two files take effect immediately without restarting sshd. Make sure the final DENY line (or an ALL: ALL entry in /etc/hosts.deny) is present; if no rule in either file matches a client, TCP wrappers grants access by default.
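To see how libwrap arrives at a verdict for the two rules above, here is an added example (not code from the Linux Security Cookbook or from OpenSSH): a small POSIX shell re-implementation of the hosts_access decision order that can be pointed at a candidate hosts.allow/hosts.deny pair before it goes live. It supports only the plain "daemon: client [: ALLOW|DENY]" form with ALL, exact addresses, trailing-dot network prefixes and leading-dot domain suffixes; netmasks, EXCEPT and the other options are assumed absent. The rule files and client addresses it runs against are constructed inline.

```shell
#!/bin/sh
# Added example: offline check of hosts.allow / hosts.deny rules, following
# libwrap's order (hosts.allow, then hosts.deny, then default allow).
# Supported rule form: "daemon_list : client_list [: ALLOW|DENY]".
# Supported client patterns: ALL, exact address/hostname, "192.168.0." (network
# prefix), ".example.com" (domain suffix). Masks/EXCEPT are not handled.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# match_pattern PATTERN VALUE: succeeds if VALUE matches one hosts_access pattern
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;   # network prefix
        .*)  case "$2" in *"$1") return 0 ;; esac; return 1 ;;   # domain suffix
        *)   [ "$1" = "$2" ] ;;
    esac
}

# match_list "a, b c" VALUE: succeeds if any comma/space-separated item matches
match_list() {
    for _item in $(printf '%s' "$1" | tr ',' ' '); do
        match_pattern "$_item" "$2" && return 0
    done
    return 1
}

# first_match FILE DAEMON CLIENT: prints the option field of the first matching
# rule ("NONE" if the rule has no option), prints nothing if none matches.
# A missing or unreadable file is treated as empty, as libwrap does.
first_match() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | {
        while IFS=: read -r _d _c _o; do
            _d=$(trim "$_d"); _c=$(trim "$_c"); _o=$(trim "$_o")
            if match_list "$_d" "$2" && match_list "$_c" "$3"; then
                printf '%s\n' "${_o:-NONE}"
                break
            fi
        done
    }
    return 0
}

# tcpw_decision DAEMON CLIENT ALLOWFILE DENYFILE: prints "allow" or "deny".
# A DENY option in hosts.allow, or an ALLOW option in hosts.deny, inverts the
# verdict that file would otherwise give.
tcpw_decision() {
    _opt=$(first_match "$3" "$1" "$2")
    if [ -n "$_opt" ]; then
        case "$_opt" in DENY) echo deny ;; *) echo allow ;; esac
        return 0
    fi
    _opt=$(first_match "$4" "$1" "$2")
    if [ -n "$_opt" ]; then
        case "$_opt" in ALLOW) echo allow ;; *) echo deny ;; esac
        return 0
    fi
    echo allow    # no rule in either file: libwrap grants access
}

# Constructed sample rule files in a scratch directory.
TCPW_DIR=$(mktemp -d)
cat > "$TCPW_DIR/hosts.allow" <<'EOF'
# the recipe's rules
sshd: 192.168.0.37
sshd: ALL: DENY
EOF
cat > "$TCPW_DIR/hosts.allow.incomplete" <<'EOF'
# common mistake: the permit line without the catch-all DENY
sshd: 192.168.0.37
EOF
cat > "$TCPW_DIR/hosts.deny" <<'EOF'
ALL: ALL
EOF
: > "$TCPW_DIR/hosts.deny.empty"

# show_decisions: walks a few client addresses through both rule sets
show_decisions() {
    for _client in 192.168.0.37 192.168.0.38 10.0.0.5; do
        printf 'sshd from %-13s recipe rules: %-5s  incomplete rules + empty hosts.deny: %s\n' \
            "$_client" \
            "$(tcpw_decision sshd "$_client" "$TCPW_DIR/hosts.allow" "$TCPW_DIR/hosts.deny")" \
            "$(tcpw_decision sshd "$_client" "$TCPW_DIR/hosts.allow.incomplete" "$TCPW_DIR/hosts.deny.empty")"
    done
}
show_decisions
```

The second column of the output is the point of the exercise: with only the permit line in hosts.allow and nothing in hosts.deny, every other host is still admitted, because libwrap's fallback when no rule matches is to allow. Point the functions at copies of the real files rather than the live ones, since a typo in a live /etc/hosts.allow can lock out the administrator.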

Warning

TCP-wrappers support in sshd is optional, selected at compile time. Red Hat 8.0 includes it but SuSE does not. (OpenSSH later dropped the feature entirely, in version 6.7; on a current release restrict hosts with sshd_config directives such as AllowUsers user@host or Match Address, or with the packet filter.) If you’re not sure, or your sshd seems to ignore settings in /etc/hosts.allow and /etc/hosts.deny, check whether it was compiled with this support; a dynamically linked build will also show the libwrap shared library in its ldd output:

$ strings /usr/sbin/sshd | egrep 'hosts\.(allow|deny)'
/etc/hosts.allow
/etc/hosts.deny

If the egrep output is empty, TCP-wrappers support is not present. Download OpenSSH from http://www.openssh.com (or use your vendor’s source RPM) and rebuild it:

$ ./configure --with-libwrap ...other desired options...
$ make
# make install

See Also

sshd(8), hosts_access(5).
