All Linux HowTo's Security HowTo's

Limiting access by IP to SSH on CentOS7 and RHEL7

This article explains how to use TCPWrappers to control which hosts can connect to a server using SSH. The two files we’ll be using are “/etc/hosts.allow” and “/etc/hosts.deny”. As the names imply, we’re controlling which “hosts” can access the server, not which users.

Find out more here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-tcpwrappers-access.html

Why not use IP Tables to do this? We get logging to “/var/log/secure” indicating there’s been an attempt. 

TIP: When testing, use a server that you have console access to just incase you kick yourself off. Also note that only new connections are effected, existing sessions remain functional.

The first file to edit is the “/etc/hosts.allow”. Here we’re allowing SSH connectivity from “10.1.2.3”.

sshd: 10.1.2.3

Now we edit the “/etc/hosts.deny” file. Here we’re denying connectivity from everywhere.

sshd: All

The “/etc/hosts.allow” file is read first.

You don’t need to restart anything for this to take effect.