Allow access to SSH for certain IPs

Hi,

what is the best way to deny access to ssh for every body except certain IPs. Looking for a way that's the easiest to configure, like editing a single file

Can I use iptables and put all IPs in a file? or hosts.allow? How do I deny access for every body?
DennieAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

legolasthehansyCommented:
On /etc/hosts.deny

sshd: ALL EXCEPT 192.168.0.2

The above denies all except 192.168.0.2. You don't need a restart as the settings are read once you save the file.
0
DennieAuthor Commented:
what if I want to add 5 more IPs?
0
legolasthehansyCommented:
sshd: ALL EXCEPT 192.168.0.2, 192.168.0.3, 192.168.0.4 etc..

Or

sshd: ALL EXCEPT 192.168.0.1/255.255.255.0
to exclude the 192.168.0.1 network
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

1ly4meCommented:
For TCP wrappers,
/etc/hosts.deny
sshd : all except 192.168.0.0/24

This will only allow network 192.168.0.0 to access SSH

For IPtables.
#iptables -I INPUT -p tcp ! -s 192.168.0.0/24 --dport=22 -j REJECT
0
rickygmCommented:
Hi, I make by means of firewall or iptables

in shorewall like this

ACCEPT          net:XXX.XXX.XXX.XXX   $FW                   tcp     ssh

iptables other example

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

http://wiki.centos.org/HowTos/Network/IPTables

regardss
0
senseifedonCommented:
Hi;
iptables -I INPUT -p tcp --dport 22 -s 123.123.123.123 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j DROP

Open in new window


123.123.123.123 should been your exception ip.

Good luck. Or you can use fail2ban. It's allow you to ban ip address after some (you can arrange value) unauthorized tries.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.