Blocked direct root SSH access in Linux

ashsysad used Ask the Experts™

I have a requirement to block the direct root SSH access from all the hosts EXCEPT one server. Is it possible ?  I know that we can block the direct root access by setting the directive "PermitRootLogin" to "no" in /etc/ssh/sshd_config. But how can i create exceptional in it. Please let me know.

Thanks !
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

I don't know if there is a way for SSH with exception, But I can suggest you to configure ip tables and allow SSH traffic from particular IPs only.
What about running 2 separate sshd servers on the host? say one as normal, with PermitRootLogin set to no running on port 22.
Have a second ssh server, running on a different port, say 2222 with iptables only allowing connectivity from your specified host and PermitRootLogin set to yes for that instance of sshd.


Could you please give me the syntax for allowing SSH access only for a particular IP ?  I'm wondering how can I run 2 seperate SSHD service on a single host. Let me give a search for it.
Acronis in Gartner 2019 MQ for datacenter backup

It is an honor to be featured in Gartner 2019 Magic Quadrant for Datacenter Backup and Recovery Solutions. Gartner’s MQ sets a high standard and earning a place on their grid is a great affirmation that Acronis is delivering on our mission to protect all data, apps, and systems.

Most Valuable Expert 2015

Why do you even need the exception? In normal circumstances that shouldn't be necessary or allowed. You can still use sudo or su from the logged on user to get root privileges.
Here's an example of allowing ssh from a single host:

# Allow incoming ssh only from IP
iptables -A INPUT -p tcp -s -d $SERVER_IP  --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

As for running a second instance, I'd probably download the source for openssh and install it in /usr/local/bin, with it's config file in /usr/local/etc and configure that one with a different port - but there may be a more elegant solution

I would suggest to configure what You want in sshd_config using the AllowUsers directive. With this directive you specify the final set of users that are allowed to connect to SSH, but You can also control access based on ip addresses and hostnames. For example:

AllowUsers root@ pawwa

would mean that root can connect only from host and pawwa could connect from anywhere. Other users could not connect to SSH in this example. Of course, You need to PermitRootLogin yes.

But, yeah as rindi has pointed out, You should connect to SSH as regular user, and then use su or sudo to gain higher privileges.


@rindi, I want to run certain scripts as root from a remote server. Per my company policy, the direct root access to all critical servers should be denied. Thats why i need an expection allowing just one server.

@Liddler, I will try your solution and update you.

To run the certian scripts you can use SUDO access. It should work.

Or, BTW, You can use authorized_keys file in /root/.ssh/ directory and add a "from=host" in that file, for example:

from="" ssh-dss AAAAB3NzaC1kc3MA... My OpenSSH key

if you are using PubKeyAuthentiication yes... But if it is scripts that You want to run, the most secure way will be by using sudo.
In the SSHD configuration file (usually /etc/ssh/sshd_config):
PermitRootLogin no

Open in new window

Be sure to restart the SSH server after making the change.
edit /etc/hosts.allow with the next code:

sshd: your_allowed_ip

and /etc/hosts.deny with:
sshd: all

that should work


Running an additional SSH service with different port seems to be the most appropriate solution and it worked for me. Thanks !

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial