How do we allow a certain set of private IPs to log in through SSH (RSA key pair) to a Linux server?

Firewall rules are a normal course of action to take – Raman Sailopal 6 hours ago
    
Firewall, or /etc/hosts.allow if ssh is compiled with TCP wrappers, or /etc/ssh/sshd_config file rules. – Rui F Ribeiro 5 hours ago

You can limit which hosts can connect by configuring TCP wrappers or filtering network traffic (firewalling) using iptables. If you want to use different authentication methods depending on the client IP address, see the other answer.

Firewall using IPTABLES

Iptables rules are evaluated in order, until the first match.

To allow traffic to port 22 from the 192.168.0.0/24 network and otherwise drop it, use the following rules. The DROP rule is not required if your iptables default policy is configured to DROP.

iptables -A INPUT -p tcp --dport 22 --source 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

You can add more rules before the drop rule to match more networks/hosts. If you have a lot of networks or host addresses, you should use the ipset module. There is also the iprange module, which allows using any arbitrary range of IP addresses.

Iptables rules are not persistent across reboots. You need to configure some mechanism to restore iptables on boot.

Using TCP wrappers

You can also configure which hosts can connect using TCP wrappers. With TCP wrappers, in addition to IP addresses, you can also use hostnames to write rules.

By default, deny all hosts.

/etc/hosts.deny:

sshd : ALL

Then list the allowed hosts in hosts.allow. For example, to allow the 192.168.0.0/24 network and localhost:

/etc/hosts.allow:

sshd : 192.168.0.0/24
sshd : 127.0.0.1
sshd : [::1]
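As an added example, not part of the answer above: a POSIX shell function that generates the rule set the answer describes, using a dedicated chain and an ipset so that any number of networks fits one rule. It assumes iptables and ipset are installed; the chain name SSH_IN and the set name ssh_allow are names chosen here, not names used by the answer.

```shell
#!/bin/sh
# Added example: emit iptables/ipset commands that allow SSH (TCP/22) only from
# the given networks and drop it from everywhere else.
# Assumptions: iptables and ipset are installed; SSH_IN and ssh_allow are
# names chosen for this example.
# Usage: ssh_allowlist_rules 192.168.0.0/24 10.0.0.0/8 | sudo sh -e

ssh_allowlist_rules() {
    [ "$#" -gt 0 ] || { echo "usage: ssh_allowlist_rules NET [NET...]" >&2; return 1; }

    # One hash:net set holds every allowed source, so the rule count stays
    # fixed however many networks are listed. -exist makes create/add idempotent.
    echo "ipset create ssh_allow hash:net -exist"
    echo "ipset flush ssh_allow"
    for net in "$@"; do
        echo "ipset add ssh_allow $net -exist"
    done

    # A dedicated chain keeps the SSH policy in one place and re-runnable:
    # created on the first run, flushed and rebuilt on later runs.
    echo "iptables -N SSH_IN 2>/dev/null || iptables -F SSH_IN"
    # Rules match top to bottom until the first hit, so this order matters:
    # keep existing sessions, allow loopback, allow the set, drop the rest.
    echo "iptables -A SSH_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A SSH_IN -i lo -j ACCEPT"
    echo "iptables -A SSH_IN -m set --match-set ssh_allow src -j ACCEPT"
    echo "iptables -A SSH_IN -j DROP"

    # Jump to the chain from the top of INPUT so that an earlier catch-all
    # ACCEPT cannot bypass it; -C checks first so the jump is not added twice.
    echo "iptables -C INPUT -p tcp --dport 22 -j SSH_IN 2>/dev/null || iptables -I INPUT 1 -p tcp --dport 22 -j SSH_IN"
    # Neither the set nor the chain survives a reboot on its own: save them with
    # ipset save / iptables-save through your distribution's restore mechanism.
}

# Number of networks a generated rule set adds to the ipset (handy for review).
ssh_allowlist_count() {
    ssh_allowlist_rules "$@" | grep -c '^ipset add '
}
```

Review the printed commands before piping them to a root shell; rerunning the script with a changed network list rebuilds the set and chain without duplicating the INPUT jump.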

You can configure the ssh daemon in sshd_config to use a different authentication method depending on the client address/hostname.

If you only want to block other hosts from connecting, you should use iptables or TCP wrappers instead.

First remove default authentication methods:

PasswordAuthentication no
PubkeyAuthentication no

Then add the desired authentication methods after a Match Address at the end of the file. Placing Match at the end of the file is important, since all the configuration lines after it are placed inside the conditional block until the next Match line. For example:

Match Address 127.0.0.*
    PubkeyAuthentication yes

Other clients might still be able to connect, but logins will fail due to no available authentication method. All Match arguments and allowed conditional configuration options are documented in the man page.
