Limit SSH access to specific clients by IP address

How do we allow a certain set of private IPs to log in through SSH (RSA key pair) to a Linux server?

Tags: linux firewall sshd

edited Nov 22 '17 at 12:26 by sebasth
asked Nov 22 '17 at 10:08 by Ranjan Kumar

  • 3
    Firewall rules are a normal course of action to take
    – Raman Sailopal
    Nov 22 '17 at 10:16

  • 2
    firewall, or /etc/hosts.allow if ssh is compiled w/ TCP wrappers, or /etc/ssh/sshd_config file rules.
    – Rui F Ribeiro
    Nov 22 '17 at 10:41

  • more than one way to do it; refer to linux.die.net/man/5/sshd_config which explains everything in /etc/ssh/sshd_config
    – ron
    Dec 20 '18 at 21:54

2 Answers

27

You can limit which hosts can connect by configuring TCP wrappers or by filtering network traffic (firewalling) using iptables. If you want to use different authentication methods depending on the client IP address, configure the SSH daemon instead (option 3).

Option 1: Filtering with IPTABLES

Iptables rules are evaluated in order, until the first match.

For example, to allow traffic (to port 22) from the 192.168.0.0/24 network and otherwise drop it. The DROP rule is not required if your iptables default policy is configured to DROP.

    iptables -A INPUT -p tcp --dport 22 --source 192.168.0.0/24 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j DROP

You can add more rules before the drop rule to match more networks/hosts. If you have a lot of networks or host addresses, you should use the ipset module. There is also the iprange module, which allows using any arbitrary range of IP addresses.

Iptables rules are not persistent across reboots. You need to configure some mechanism to restore iptables on boot.

iptables applies only to IPv4 traffic. On systems which have ssh listening on an IPv6 address, the necessary configuration can be done with ip6tables.

Option 2: Using TCP wrappers

You can also configure which hosts can connect using TCP wrappers. With TCP wrappers, in addition to IP addresses you can also use hostnames in rules.

By default, deny all hosts.

/etc/hosts.deny:

    sshd : ALL

Then list allowed hosts in hosts.allow. For example, to allow network 192.168.0.0/24 and localhost.

/etc/hosts.allow:

    sshd : 192.168.0.0/24
    sshd : 127.0.0.1
    sshd : [::1]

Option 3: SSH daemon configuration

You can configure the ssh daemon in sshd_config to use a different authentication method depending on the client address/hostname. If you only want to block other hosts from connecting, you should use iptables or TCP wrappers instead.

First remove the default authentication methods:

    PasswordAuthentication no
    PubkeyAuthentication no

Then add the desired authentication methods after a Match Address at the end of the file. Placing Match at the end of the file is important, since all the configuration lines after it are placed inside the conditional block until the next Match line. For example:

    Match Address 127.0.0.*
    PubkeyAuthentication yes

Other clients are still able to connect, but logins will fail because there are no available authentication methods.

Match arguments and allowed conditional configuration options are documented in the sshd_config man page. Match patterns are documented in the ssh_config man page.

edited Jun 11 '18 at 22:04
answered Nov 22 '17 at 11:22 by sebasth

  • What about adding a ListenAddress directive in /etc/ssh/sshd_config?
    – jerome
    Nov 27 '17 at 18:54

  • It is possible in specific situations (for example, listening on a private network address), depending on your network configuration and which hosts you want to allow.
    – sebasth
    Nov 27 '17 at 19:17

  • 2
    Additionally, sshd_config can set filtering with the AllowUsers directive, and also the authorized_keys file can be set with "from IP or subnet" to filter as well.
    – tonioc
    Jun 11 '18 at 17:38

  • @tonioc Great solution for my use case. Please expand this suggestion into an answer.
    – simlev
    Dec 20 '18 at 11:28

  • if you have a NIC with 4 ports each going to a different network, then the default #ListenAddress :: in /etc/ssh/sshd_config will tell the SSH server to accept incoming connections from any of those networks. Otherwise do ListenAddress <ip address> where <ip address> is that of those NIC ports you want allowed. My eth0 is 192.168.3.4, therefore ListenAddress 192.168.3.4 results in SSH only working on network 192.168.3.4, which is on eth0; and eth1, eth2, eth3 are denied.
    – ron
    Dec 20 '18 at 21:49

2

Here is some additional configuration for the SSH daemon to extend the previous answer:

  • Add user filtering with the AllowUsers option in the sshd_config file:

        AllowUsers johndoe@192.168.1.* admin2@192.168.1.* otherid1 otherid2

    This allows johndoe and admin2 only from 192.168.1.* addresses, and otherid1, otherid2 from anywhere.

  • Restrict an ssh key or CA-based key to a set of addresses in the .ssh/authorized_keys file of a given user's home directory:

        from="192.168.1.*,192.168.2.*" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA...etc...mnMo7n1DD useralias

    In this example, the public key for useralias will be effective only from the given addresses.

edited Dec 21 '18 at 11:23
answered Dec 20 '18 at 13:03 by tonioc

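Added example, not code from either answer or from OpenSSH: a Python model of how sshd evaluates the address and user patterns the two answers rely on (Match Address, AllowUsers USER@HOST, and the authorized_keys from= option), so an allowlist can be checked on paper before it goes onto a live server. The function names, PAGE_CONFIG and KEY_FROM are this example's own constructed values, and the semantics follow ssh_config(5) PATTERNS and sshd's addr_match_list / match_user routines as I understand them; client hostnames are not modelled (the UseDNS no case).

```python
"""Model of the sshd address/user pattern rules used on this page.

Added example, not code from the answers or from OpenSSH.  Follows the
PATTERNS section of ssh_config(5) and the addr_match_list / match_user
behaviour of OpenSSH as I understand it.  Client hostnames are not
modelled, which is the same as running sshd with UseDNS no.
"""
import ipaddress
import re


def _wildcard(pattern: str, value: str) -> bool:
    """ssh-style wildcard: '*' matches any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def addr_match_list(addr: str, pattern_list: str) -> int:
    """Match a client address against a comma-separated list as sshd does.

    Each entry is a CIDR block (192.168.0.0/24) or a wildcard pattern
    (192.168.1.*), optionally negated with a leading '!'.  Returns 1 on a
    positive match, -1 as soon as a negated entry matches, 0 if nothing
    matched.  A negated entry never admits anything by itself, so a list
    like "!10.1.2.*,10.0.0.0/8" still needs its positive entry.
    """
    ip = ipaddress.ip_address(addr)
    result = 0
    for entry in pattern_list.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if "/" in entry:
            # CIDR entry.  sshd rejects a network with host bits set
            # (e.g. 192.168.0.1/24) as a configuration error; so does this.
            hit = ip in ipaddress.ip_network(entry)
        else:
            hit = _wildcard(entry, addr)
        if hit:
            if negated:
                return -1
            result = 1
    return result


def match_user(user: str, addr: str, entry: str) -> bool:
    """One AllowUsers entry: 'USER' or 'USER@HOST'; both halves are patterns."""
    if "@" not in entry:
        return _wildcard(entry, user)
    user_pat, host_pat = entry.split("@", 1)
    return _wildcard(user_pat, user) and addr_match_list(addr, host_pat) == 1


def pubkey_enabled(addr: str, global_setting: bool, match_blocks) -> bool:
    """Effective PubkeyAuthentication for one client: the first Match Address
    block that matches and sets the keyword wins, otherwise the global value."""
    for address_list, settings in match_blocks:
        if addr_match_list(addr, address_list) == 1 and "PubkeyAuthentication" in settings:
            return settings["PubkeyAuthentication"]
    return global_setting


def login_allowed(user: str, addr: str, key_from, cfg: dict) -> tuple:
    """Walk the sshd-side layers from the two answers; report which one refuses."""
    if not pubkey_enabled(addr, cfg["PubkeyAuthentication"], cfg["Match"]):
        return False, "no authentication method is enabled for this client address"
    if cfg["AllowUsers"] and not any(match_user(user, addr, e) for e in cfg["AllowUsers"]):
        return False, "AllowUsers does not list this user for this address"
    if key_from is not None and addr_match_list(addr, key_from) != 1:
        return False, "the key's from= option excludes this address"
    return True, "ok"


# Constructed configuration that combines the two answers (assumed, not a real host).
PAGE_CONFIG = {
    "PubkeyAuthentication": False,   # global setting: no method left enabled
    "Match": [("127.0.0.*,192.168.1.0/24", {"PubkeyAuthentication": True})],
    "AllowUsers": ["johndoe@192.168.1.*", "admin2@192.168.1.*", "otherid1", "otherid2"],
}
KEY_FROM = "192.168.1.*,192.168.2.*"   # from= option on the presented key


if __name__ == "__main__":
    for user, addr in [("johndoe", "192.168.1.5"), ("johndoe", "192.168.2.5"),
                       ("otherid2", "127.0.0.1"), ("admin2", "127.0.0.1")]:
        ok, why = login_allowed(user, addr, KEY_FROM, PAGE_CONFIG)
        print(f"{user}@{addr}: {'allowed' if ok else 'refused'} ({why})")
```

On a real host, sshd -T -C user=johndoe,addr=192.168.1.5 prints the settings sshd would actually apply for that client after Match processing, which is the check to run after editing Match blocks.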


























