Limit SSH per IP and user

From CPanelDirect


You can limit SSH access with /etc/hosts.deny and /etc/hosts.allow (TCP Wrappers). This article will not cover that. Instead it deals with the AllowUsers directive in sshd, which limits access per user and, if desired, per source IP address.

To enable this edit /etc/ssh/sshd_config (default location on centos servers, this may be different for you).

Near the end of the file (but above any Match block, because a directive placed inside a Match block only applies to that block) you can add

AllowUsers root

This restricts logins to the user root. Every other account is rejected, even with the correct password or key, so a brute force attack can no longer get into your server as any user but root (root itself remains the most heavily attacked name, so pair this with the PermitRootLogin setting described under Additional SSH Security). You can also restrict the source address by appending it to the user name:

AllowUsers root@4.2.2.2

Now only user root connecting from the IP address 4.2.2.2 can log in over SSH. The host part is matched against the client's address (or its hostname when UseDNS is enabled), it accepts the wildcards * and ?, and recent OpenSSH versions also accept a CIDR range such as root@192.0.2.0/24. Patterns are case-sensitive.

To allow multiple users, list them on the same line separated by spaces (several AllowUsers lines are also accepted and their lists accumulate).

AllowUsers root@4.2.2.2 admin@4.2.2.3 john

This setting allows user root from 4.2.2.2, user admin from 4.2.2.3, and user john from anywhere.

You must restart sshd for the changes to take effect. On CentOS 6 and earlier that is /etc/init.d/sshd restart; on CentOS 7 and later it is systemctl restart sshd. Check the file for syntax errors first with sshd -t, and keep your current session open until a fresh login has succeeded, so that a typo or an AllowUsers line that does not include your own account cannot lock you out.

AllowGroups

There is also the AllowGroups directive. For instance, AllowGroups wheel allows SSH logins only to accounts whose primary or supplementary group is wheel, the same group commonly used to control who may su to root. Group names are matched as written, so use wheel, not Wheel. sshd processes these directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and when both AllowUsers and AllowGroups are set a login has to pass both checks.
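The following shell script is an added example, not code from the CPanelDirect page or from OpenSSH itself. It models how sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups against a login attempt, in the documented order, using a constructed sshd_config fragment and a constructed group table (the deploy and backup accounts, the users group and the 192.0.2.x addresses are assumptions added for illustration). It supports the user and user@host pattern forms with * and ? wildcards; CIDR host patterns, hostname matching and wildcards in group names are not modelled.

```shell
#!/bin/sh
# Added example: evaluate sshd's allow/deny directives for a login attempt.
# Not sshd's own code; it reproduces the order documented in sshd_config(5):
# DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups.

# Constructed sshd_config fragment (not a real server's file).
SSHD_CONFIG='
PermitRootLogin prohibit-password
DenyUsers guest
AllowUsers root@4.2.2.2 admin@4.2.2.3 john deploy@192.0.2.* backup
AllowGroups wheel
'

# Constructed group table, "group:member,member", standing in for /etc/group.
GROUP_TABLE='
wheel:root,admin,john,deploy
users:guest,alice,backup
'

# directive_values NAME -> every token given to NAME, one per line.
# Keywords are case-insensitive in sshd_config; values are not.
directive_values() {
    printf '%s\n' "$SSHD_CONFIG" | awk -v name="$1" '
        tolower($1) == tolower(name) { for (i = 2; i <= NF; i++) print $i }'
}

# user_in_group USER GROUP -> success if the table lists USER in GROUP.
user_in_group() {
    printf '%s\n' "$GROUP_TABLE" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($2, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# matches_user_pattern USER HOST PATTERN -> success if PATTERN matches.
# PATTERN is either "user" or "user@host"; shell case globbing gives the
# same * and ? wildcard semantics sshd uses for these patterns.
matches_user_pattern() {
    mu=$1; mh=$2; mp=$3
    case $mp in
        *@*)
            up=${mp%%@*}; hp=${mp#*@}
            case $mu in $up) ;; *) return 1 ;; esac
            case $mh in $hp) return 0 ;; *) return 1 ;; esac
            ;;
        *)
            case $mu in $mp) return 0 ;; *) return 1 ;; esac
            ;;
    esac
}

# any_pattern_matches USER HOST DIRECTIVE -> success if any token matches.
any_pattern_matches() {
    set -f                      # keep * in patterns from expanding to file names
    rc=1
    for pat in $(directive_values "$3"); do
        if matches_user_pattern "$1" "$2" "$pat"; then rc=0; break; fi
    done
    set +f
    return $rc
}

# any_group_matches USER DIRECTIVE -> success if USER is in any listed group.
any_group_matches() {
    set -f
    rc=1
    for grp in $(directive_values "$2"); do
        if user_in_group "$1" "$grp"; then rc=0; break; fi
    done
    set +f
    return $rc
}

# ssh_login_allowed USER HOST -> prints "allow" or "deny".
# An Allow* directive only restricts logins when it is present; a Deny*
# directive always wins when it matches.
ssh_login_allowed() {
    lu=$1; lh=$2
    if any_pattern_matches "$lu" "$lh" DenyUsers; then echo deny; return; fi
    if [ -n "$(directive_values AllowUsers)" ] && ! any_pattern_matches "$lu" "$lh" AllowUsers; then
        echo deny; return
    fi
    if any_group_matches "$lu" DenyGroups; then echo deny; return; fi
    if [ -n "$(directive_values AllowGroups)" ] && ! any_group_matches "$lu" AllowGroups; then
        echo deny; return
    fi
    echo allow
}

# Walk a few constructed login attempts (user@client-address) through the rules.
for login in root@4.2.2.2 root@203.0.113.9 admin@4.2.2.3 john@198.51.100.7 \
             deploy@192.0.2.7 deploy@203.0.113.1 backup@4.2.2.2 guest@4.2.2.2; do
    printf '%-20s %s\n' "$login" "$(ssh_login_allowed "${login%@*}" "${login#*@}")"
done
```

The backup account is worth noting: it is listed in AllowUsers but not in the wheel group, so AllowGroups still rejects it, which is the both-checks-must-pass behaviour described above. Changing AllowGroups to users (or adding backup to wheel) in the constructed fragment flips that result.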

Additional SSH Security

Generally I'd also set PermitRootLogin to prohibit-password, which allows root to log in only with an SSH key (OpenSSH 7.0 and later use this spelling and make it the default; the older value without-password is still accepted as an alias), or to no to block SSH logins as root entirely.