Securing SSH access is a crucial step in hardening your Linux servers. In our previous discussion, we highlighted the importance of SSH as a secure communication protocol and introduced the sshd_config file, the primary configuration point for the SSH daemon.

In this article, we'll take it a step further by exploring methods to restrict SSH access to specific users and IP addresses. We'll cover three key techniques: TCP Wrappers, AllowUsers/AllowGroups directives, and IP restrictions within sshd_config. These methods provide layered security controls, helping ensure that only authorized users from designated sources can access your server.

Table of Contents

  1. What are TCP Wrappers?
  2. AllowUsers and AllowGroups Directives
  3. IP Restrictions in sshd_config
  4. Conclusion

What are TCP Wrappers?

TCP Wrappers are a host-based access control system that can restrict network services based on IP addresses or hostnames. Although considered legacy technology, TCP Wrappers may still be present on some systems and can serve as an additional layer of security. They operate using two configuration files:

  • /etc/hosts.allow: Specifies which hosts are permitted to access specific services.
  • /etc/hosts.deny: Specifies which hosts are denied access.

Example: Allowing a Specific IP

If you want to allow SSH access only from a specific IP address, such as 192.168.1.100, you can configure the following:

/etc/hosts.allow:

sshd: 192.168.1.100

This explicitly permits SSH connections from 192.168.1.100.

/etc/hosts.deny:

sshd: ALL

This denies SSH connections from all other sources.

Note: While TCP Wrappers provide basic access control, modern systems often rely on firewalls for similar functionality. For example, with firewalld, you can achieve the same restriction:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept'
firewall-cmd --reload

Using firewalls is generally preferred for flexibility and scalability, but knowing TCP Wrappers can be helpful in environments where they are still in use.

AllowUsers and AllowGroups Directives

The sshd_config file governs SSH behavior through various directives, two of which—AllowUsers and AllowGroups—are particularly useful for access control.

  • AllowUsers: Specifies which user accounts are allowed to access the server via SSH.
  • AllowGroups: Specifies which user groups are allowed SSH access.

If both directives are used, a user must meet both conditions—they must be listed in AllowUsers and belong to one of the groups specified in AllowGroups—to successfully connect via SSH.

Example: Enterprise Group Control

In an enterprise environment, it's common to create a dedicated SSH access group, such as ssh_users, and use AllowGroups to control access:

AllowGroups ssh_users

If your Linux server is integrated with Active Directory, you can manage SSH access centrally by creating an Active Directory group and referencing it in AllowGroups. This way, only users in that AD group can SSH into the server, simplifying user management.

IP Restrictions in sshd_config

For more granular control, you can combine user-based restrictions with IP-based conditions directly in the sshd_config file. This is where the Match Address block comes into play.

The Match directive applies configuration settings only when specific conditions are met, such as a user's IP address.

Example: Restricting a User by IP

To allow only the user richard to SSH from the IP 192.168.1.100, add the following to sshd_config:

Match Address 192.168.1.100
    AllowUsers richard

This ensures that only richard can SSH from that specific IP. All other users or connections from other IPs will be denied.

Alternatively, SSH supports inline IP restrictions within the AllowUsers directive:

AllowUsers [email protected]

However, using the Match Address block is generally preferred for reliability and clarity, especially when managing complex configurations.

Caution: When working with conditional blocks in sshd_config, be careful to structure your directives correctly. Misconfiguration can lock you out of SSH access!

Conclusion

Securing SSH access is a multi-layered process that goes beyond simply setting up keys or passwords. By using TCP Wrappers, AllowUsers/AllowGroups directives, and IP restrictions, you can significantly reduce the attack surface of your Linux server.

While TCP Wrappers offer basic, legacy controls, modern solutions like firewalld provide more robust options. Combining user and group-based restrictions with IP-level controls in sshd_config gives you the flexibility to tailor access precisely to your environment's needs.

Remember, defense in depth is key. Use these techniques together to build a solid security posture for your SSH services.

If you have questions, suggestions, or topics you’d love to see covered, drop a comment below. Let’s make robotics not just exciting and innovative—but secure as well.

For more content like this, tools, and walkthroughs, visit my site at Sebos Technology.