A quick and easy way to lock down SSH

July 24, 2020 by Jack Wallen

Anxious to get SSH access to your Linux server locked down? Jack Wallen shows you one more step you can take, one that takes only seconds.


If you're a Linux administrator, chances are good you spend a lot of time logging in to remote machines with SSH. It's also very likely that you've already taken a number of steps to lock down SSH access to those remote servers. In fact, you're probably using SSH key authentication and DenyHosts. Together, those two go a very long way toward hardening access to your remote Linux servers.

But there's one more step you can take, one so easy and obvious that most admins forget it's even an option. It needs no third-party software, only the TCP wrappers support that sshd has traditionally been built with, and it can be done in seconds.

Curious? Let’s do this.


What you'll need

A Linux server running OpenSSH whose sshd is built with TCP wrappers (libwrap) support, and a user with sudo privileges on it. The TCP wrappers library is what reads /etc/hosts.allow and /etc/hosts.deny. Upstream OpenSSH removed libwrap support in version 6.7, and although some distributions kept patching it back in for years, an sshd built without it silently ignores both files. Check your build before you depend on it (running ldd on the sshd binary should list libwrap); if it is missing, use a Match Address block with AllowUsers or DenyUsers in sshd_config, or a firewall rule, to get the same effect.

You should also have access to the remote server's console, in case something goes wrong and you lock yourself out, but that is true any time you change how SSH is reached.

How to allow a client IP address

The first thing to do is allow the IP address of every client you will connect from. Once you have that list of addresses, add them to /etc/hosts.allow on the remote server with the command:

sudo nano /etc/hosts.allow

At the bottom of that file, add the following:

sshd: IP

Where IP is the IP address of the client that needs access to the server. Several addresses or address ranges can go on one line, separated by commas or spaces, like so:

sshd: 10.83.33.77/32, 10.63.152.9/32, 10.12.100.0/28, 10.82.192.0/28

Write networks with the host bits cleared (10.12.100.0/28, not 10.12.100.11/28). hosts_access compares the client address, masked by the prefix, against the network exactly as you wrote it, so a network with host bits set matches nothing, not even itself. A single host can be written either as a bare address or with /32. If your tcp_wrappers build rejects the prefix-length form for IPv4, use the classic net/mask form, for example 10.12.100.0/255.255.255.240.

Or like so:

sshd : 192.168.1.0/24
sshd : 127.0.0.1
sshd : [::1]

Note above: the last two lines keep the server's own loopback addresses allowed (IPv4 and IPv6; IPv6 addresses go in square brackets), so local connections to sshd keep working after the deny rule is added.

Save and close the file.

How to block all other addresses

Now that we've allowed an IP address or list of addresses, it's time to block every other address. Keep in mind how the check works: on each incoming connection, the TCP wrappers library inside sshd reads /etc/hosts.allow from top to bottom and grants access at the first matching entry, then reads /etc/hosts.deny from top to bottom and refuses at the first match; a client that matches neither file is allowed. So a connection from an address listed in hosts.allow gets through even though hosts.deny blocks ALL, and it is the deny line that turns your list into a true allow list.

So, to block all other IP addresses, open the necessary file with the command:

sudo nano /etc/hosts.deny

At the bottom of that file, add the following:

sshd: ALL

Save and close the file.

At this point, any client listed in hosts.allow will be allowed through to SSH and any client not listed will be refused. There's no need to restart the SSH daemon: both files are read afresh on every new connection, and the sessions you already have open are unaffected. Before you close your console session, confirm the rules actually bite: log in from an allowed address, then try from one that is not listed. A refused client is accepted at the TCP level and then dropped before the SSH banner exchange, and sshd logs a "refused connect from" line for it. If the unlisted client still gets in, sshd is almost certainly not linked against libwrap and the two files are being ignored.
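The whole procedure above, as an added example that is not code from the article: a bash helper that checks whether sshd is linked against libwrap, validates each network rule the way hosts_access will read it (catching the host-bits mistake so the rule is never written), and appends entries to the two files without duplicating them. The function names, the default sshd path /usr/sbin/sshd, and the temporary files used in the dry run are my own assumptions; point the functions at /etc/hosts.allow and /etc/hosts.deny as root for real use. The matcher is IPv4 only.

```bash
#!/usr/bin/env bash
# Added example, not code from the article: helpers for the hosts.allow /
# hosts.deny procedure. File paths are parameters so the functions can be
# dry-run against temporary files; pass /etc/hosts.allow and /etc/hosts.deny
# (as root) for real use. Function names are my own choices. IPv4 only.
set -eu

# TCP wrappers protect sshd only if the binary is linked against libwrap.
# Upstream OpenSSH removed that support in 6.7; without it both files are
# silently ignored, so check before relying on them.
sshd_has_libwrap() {
    local sshd_bin="${1:-/usr/sbin/sshd}"    # assumed default path
    ldd "$sshd_bin" 2>/dev/null | grep -q libwrap
}

# Dotted-quad IPv4 address -> 32-bit integer.
ipv4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# hosts_access(5) semantics for an IPv4 net/prefix rule (a bare address is
# treated as /32): the client matches when (addr AND mask) == net, with net
# taken literally. So 10.12.100.11/28 matches nothing; write 10.12.100.0/28.
ipv4_in_net() {
    local addr="$1" rule="$2" net prefix mask
    net="${rule%%/*}"
    prefix="${rule#*/}"
    if [ "$prefix" = "$rule" ]; then prefix=32; fi
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ipv4_to_int "$addr") & mask )) -eq "$(ipv4_to_int "$net")" ]
}

# A rule is usable only if its network matches its own rule, i.e. the host
# bits are zero. Catches the 10.12.100.11/28 mistake before it reaches the file.
ipv4_rule_is_canonical() {
    ipv4_in_net "${1%%/*}" "$1"
}

# Append "daemon: clients" to FILE unless that exact line is already present,
# so re-running the script never duplicates entries.
add_wrapper_rule() {
    local file="$1" daemon="$2" clients="$3" line
    line="${daemon}: ${clients}"
    if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Dry run against temporary files (constructed here, not the real /etc files).
demo() {
    local allow deny net
    allow=$(mktemp)
    deny=$(mktemp)
    for net in 192.168.1.0/24 10.12.100.11/28 10.82.192.0/28; do
        if ipv4_rule_is_canonical "$net"; then
            add_wrapper_rule "$allow" sshd "$net"
        else
            echo "skipping $net: host bits set, it would match nothing" >&2
        fi
    done
    add_wrapper_rule "$allow" sshd 127.0.0.1
    add_wrapper_rule "$allow" sshd 127.0.0.1      # second call is a no-op
    add_wrapper_rule "$deny" sshd ALL
    echo "== hosts.allow"; cat "$allow"
    echo "== hosts.deny";  cat "$deny"
    rm -f "$allow" "$deny"
    if sshd_has_libwrap; then
        echo "sshd is linked against libwrap: the rules will be enforced"
    else
        echo "sshd is NOT linked against libwrap (or not found): rules would be ignored" >&2
    fi
}

demo
```

Run it as-is to see the dry run; to apply the rules for real, call add_wrapper_rule with /etc/hosts.allow before /etc/hosts.deny, in that order, from a session you keep open until a fresh login from an allowed address has succeeded.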

With SSH key authentication, DenyHosts, and hosts.allow/hosts.deny combined, reaching sshd on your Linux servers requires both a permitted source address and a valid key, which is about as tight as host-level access control gets.
