Opening SSH to the outside world on your home LAN is a convenience if you are away from home, but a security liability. Here is how to restrict SSH access to certain IP addresses on and off your home LAN.
- Edit the /etc/hosts.allow file to include these lines, assuming your home LAN is on the non-routable 192.168.4.x IP block and your work address is on the routable 1.1.1.x IP block:

    # allow ssh login from home LAN and work LAN
    sshd,sshdfwd-X11: 192.168.4. 1.1.1.

  Remember to add the period on the end of each incomplete IP number. If you have another complete IP address or range, add a space and that range on the end.
- Edit your /etc/hosts.deny file to include this line:

    sshd,sshdfwd-X11:ALL

- These lines refuse SSH connections from anyone not in the IP address blocks listed.
Log out and then try logging back in to test your
configuration. Good luck!
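
As an added example (not part of the original page), this Python sketch models a simplified subset of the hosts_access(5) matching rules to show which client addresses the two files above admit, and what happens when the trailing period is left off. The function names and sample addresses are constructed for illustration; it assumes an sshd built with TCP wrappers (libwrap) support, which upstream OpenSSH removed in release 6.7.

```python
# Added example: simplified model of hosts_access(5) client matching.
import ipaddress

# File contents as described on this page (constructed sample input).
ALLOW = """# allow ssh login from home LAN and work LAN
sshd,sshdfwd-X11: 192.168.4. 1.1.1.
"""
DENY = "sshd,sshdfwd-X11:ALL\n"

def parse(text):
    """Return [(daemon_list, client_pattern_list)] for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def pattern_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):   # prefix form: leading fields must match
        return addr.startswith(pattern)
    if "/" in pattern:          # net/mask form, e.g. 192.168.4.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr      # anything else must match the address exactly

def allowed(daemon, addr, allow_text, deny_text):
    """hosts.allow is checked first and a match grants access; otherwise a
    match in hosts.deny refuses; no match in either file grants access."""
    def hit(text):
        return any((daemon in ds or "ALL" in ds)
                   and any(pattern_matches(p, addr) for p in cs)
                   for ds, cs in parse(text))
    if hit(allow_text):
        return True
    return not hit(deny_text)

if __name__ == "__main__":
    # Constructed client addresses: home LAN, work, near-miss prefix, outsider.
    for ip in ("192.168.4.10", "1.1.1.20", "192.168.40.7", "203.0.113.5"):
        print(ip, "allowed" if allowed("sshd", ip, ALLOW, DENY) else "refused")
    # Without the trailing period the entry is an exact-match string:
    print(allowed("sshd", "192.168.4.10", "sshd: 192.168.4\n", DENY))
```

On a host that ships the TCP wrappers utilities, `tcpdmatch sshd 192.168.4.10` performs the same check against the real files.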