How to control SSH access by IP address

Restricting SSH access by source IP address reduces the attack surface of Internet-facing Linux servers and keeps administrative entry points limited to trusted networks. Instead of accepting logins from any address, the daemon only entertains connections from ranges that are explicitly allowed, so opportunistic scans and brute-force attempts are dropped at the door.

On systems using OpenSSH, the sshd process reads its configuration from /etc/ssh/sshd_config during startup. Access control directives such as AllowUsers and DenyUsers understand patterns of the form user@host, which makes it possible to express rules that depend on both the account name and the remote host or IP address. When an incoming connection matches one of these patterns, sshd either permits the session to continue or terminates it before authentication completes.

IP-based rules complement firewall policies and key-based authentication rather than replacing them. Order and syntax matter, because conflicting patterns can silently exclude legitimate administrators or leave unintended access paths from untrusted ranges. Editing /etc/ssh/sshd_config therefore calls for sudo privileges, a reliable console or out-of-band access, and a configuration test before restarting sshd.

1. Open the main SSH daemon configuration file /etc/ssh/sshd_config with a text editor running under sudo.

   $ sudo vi /etc/ssh/sshd_config

2. Allow access from a specific IP address for all SSH users by adding an AllowUsers rule with a wildcard user and exact source address.

   AllowUsers *@192.168.1.100

   The pattern *@192.168.1.100 matches any account logging in from the IP address 192.168.1.100.

3. Deny access from a specific IP address for all SSH users by adding a DenyUsers rule with a wildcard user and exact source address.

   DenyUsers *@192.168.1.200

   The pattern *@192.168.1.200 prevents new sessions from the IP address 192.168.1.200 regardless of the username.

4. Allow access from multiple specific IP addresses for all SSH users by listing multiple patterns on a single AllowUsers line.

   AllowUsers *@192.168.1.100 *@192.168.1.101

   Multiple patterns on one AllowUsers directive are evaluated left to right for each incoming connection.

5. Deny access from multiple specific IP addresses for all SSH users by listing multiple patterns on a single DenyUsers line.

   DenyUsers *@192.168.1.200 *@192.168.1.201

   Multiple patterns on one DenyUsers directive allow several untrusted addresses to be blocked in a single rule.

6. Allow access for an entire subnet of source addresses by using a wildcard host pattern in the AllowUsers directive.

   AllowUsers *@192.168.1.*

   The pattern *@192.168.1.* matches remote addresses in the range 192.168.1.0–192.168.1.255.

7. Deny access for an entire subnet of source addresses by using a wildcard host pattern in the DenyUsers directive.

   DenyUsers *@192.168.2.*

   An incorrect wildcard or network segment in DenyUsers can block legitimate administrator addresses and prevent remote SSH login.

8. Save the changes and close the configuration file so sshd can read the updated rules on restart.
9. Test the SSH daemon configuration for syntax and directive errors before restarting the service.

   $ sudo sshd -t

   No output indicates a valid configuration, whereas any error message reports the first problematic directive and its line number.

   Related: How to check and validate SSH server's configuration

10. Restart the SSH service to apply the new IP-based access rules.

    $ sudo systemctl restart ssh

    Related: service-manage

11. Verify that the SSH service is running correctly with the updated configuration.

    $ sudo systemctl status ssh
    ● ssh.service - OpenBSD Secure Shell server
         Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
         Active: active (running) since Mon 2024-05-13 10:15:01 UTC; 5s ago
    ##### snipped #####

    Some distributions use sshd.service as the unit name, in which case the status command becomes sudo systemctl status sshd.