Limiting SSH by user and address

Quags

Administrator
Staff member
SSH has built-in features that can create an access list of which users and/or which IPs can access SSH, for higher security. This is done by editing the sshd_config file; for example, on CentOS servers it is at /etc/ssh/sshd_config

The limiting is done with the AllowUsers option. AllowUsers can be specified multiple times, or take multiple arguments.

Say your IP address is 10.10.10.1 and is static. You can limit logins to just your IP using

Code:
AllowUsers root@10.10.10.1
This allows the user root from IP 10.10.10.1 only. All other IPs are denied. You need to manually specify each user. So for two users you can have

Code:
AllowUsers root@10.10.10.1 username@10.10.10.2
This allows root from 10.10.10.1 and username from 10.10.10.2

You can specify some logins with IPs and others without IPs, like

Code:
AllowUsers root@10.10.10.1 username
In this case username can log in from any IP but root only from 10.10.10.1

The config can be on two separate lines as well, like

Code:
AllowUsers root@10.10.10.1
AllowUsers username@10.10.10.2
After these changes SSH must be restarted. On CentOS this can be done with service sshd restart
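
An added example, not part of the original post: a small shell model of the AllowUsers matching described above, run against a constructed config so you can see which user and IP pairs get through. The function names, the sample file and the user backup are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): simplified model of the AllowUsers check.
# Models USER and USER@HOST tokens with * and ? wildcards, matching on the
# client IP only; negation (!), CIDR host patterns and Match blocks are not modelled.

# allowusers_permits CONFIG USER IP -> exit status 0 if the login passes AllowUsers
allowusers_permits() {
    config=$1; user=$2; ip=$3; seen=0
    while read -r keyword rest || [ -n "$keyword" ]; do
        # sshd_config keywords are case-insensitive
        kw=$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')
        [ "$kw" = "allowusers" ] || continue
        seen=1
        set -f    # keep * and ? in tokens from expanding to file names
        for token in $rest; do
            case $token in
                *@*) upat=${token%%@*}; hpat=${token#*@} ;;
                *)   upat=$token; hpat='*' ;;   # no host part: any address
            esac
            case $user in $upat) ;; *) continue ;; esac
            case $ip in $hpat) set +f; return 0 ;; esac
        done
        set +f
    done < "$config"
    # Without any AllowUsers line the directive imposes no restriction;
    # with one, a user that matched nothing is denied.
    [ "$seen" -eq 0 ]
}

# Constructed sample config: the two-line form from the post plus a
# hypothetical user "backup" with no address restriction.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample
AllowUsers root@10.10.10.1
AllowUsers username@10.10.10.2
allowusers backup
EOF
    printf '%s\n' "$f"
}

cfg=$(sample_config)
for probe in root@10.10.10.1 root@10.10.10.2 username@10.10.10.2 backup@192.0.2.7 guest@10.10.10.1; do
    if allowusers_permits "$cfg" "${probe%@*}" "${probe#*@}"; then
        echo "$probe: allowed"
    else echo "$probe: denied"; fi
done
rm -f "$cfg"
```

The guest line is the one to watch: once any AllowUsers line exists, an account that is not listed is denied from every address.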