How to limit SSH connections to local network in Linux

by Laura Richards

2024-10-24 07:58:00

SSH (Secure Shell) is the standard tool for logging in to remote systems securely over a network. By default, you can log in over SSH from any network that can reach the machine, as long as routing and firewall rules permit it.

However, sometimes you may want to limit SSH access to only your local network for security reasons. This is especially useful in a home or office environment where you do not want external access to the system via the Internet.

In this article, we will walk through the steps to restrict SSH access to your local network on Linux using firewall rules and SSH configuration. Each step is explained in simple terms so that even a beginner can follow it.

Why limit SSH to local network?

Restricting SSH access to your local network only can reduce the risk of unauthorized access to your system.

Here are some reasons why you might want to do this:

  • Security – Restricting SSH access from external networks stops attackers on the Internet from scanning your server or brute-forcing its logins.
  • Controlled access – If you have multiple devices on the same local network, you can still manage the system from any of them without exposing it to external threats.
  • Simplicity – With local access only, you don't need the additional protections (key-only logins, rate limiting, a VPN) that an Internet-facing SSH service calls for.

Understanding the local network

Before starting, it is important to understand what is meant by "local network". A local area network (LAN) is a group of devices connected to the same physical or wireless network, such as your home Wi-Fi network or office network.

These devices share the same private IP address range, for example 192.168.x.x or 10.x.x.x, while external devices (those on the Internet) have public addresses outside these ranges.

Step 1: Check your Linux local IP address range

To find out the range of your local network, first determine the IP address of your device with the following ip command, which displays each interface's address and prefix length.

ip a

To check your Linux IP address

You will see information about each network interface. Look for an inet line with an address such as 192.168.x.x or 10.x.x.x; that is your local IP address, and the number after the slash (for example /24) is the prefix length, which tells you how large the local network is.

Typically, your local IP address will be in one of these private (RFC 1918) ranges:

10.0.0.0/8 (10.x.x.x)
172.16.0.0/12 (172.16.x.x to 172.31.x.x)
192.168.0.0/16 (192.168.x.x)

For example, if ip a shows 192.168.122.63/24, the range of your local network is 192.168.122.0/24, which means all devices with an IP address of the form 192.168.122.x are on the same local network. Take the range from the address and prefix length that ip a prints rather than guessing it: with a /24 the first three octets stay the same and the last becomes 0, while a /16 keeps only the first two.
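Working out the range by hand is where mistakes creep in, so here is an added example (not code from the original article) that computes the network range from the address and prefix length that ip -o -4 addr show prints. It is plain POSIX sh and needs no root. The interface name enp1s0 and the sample ip output are constructed for the demonstration, and the helper names are this example's own; on a real host pipe the real command into lan_networks. It also handles prefixes other than /24, which the rule of thumb above does not.

```shell
#!/bin/sh
# Added example, not from the original article: derive the local network
# (NETWORK/PREFIX) from an interface address such as 192.168.122.63/24, the
# form `ip -o -4 addr show` prints. The mask is applied with integer
# arithmetic so /22 or /16 networks come out right as well as /24.
# POSIX sh; runs unprivileged.

# ip_to_int 192.168.122.63 -> the address as a 32-bit integer
ip_to_int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232266752 -> 192.168.122.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# lan_cidr ADDR/PREFIX -> NETWORK/PREFIX (fails on a prefix outside 0..32)
lan_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 1
    # netmask: PREFIX one-bits followed by zero-bits, truncated to 32 bits
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( $(ip_to_int "$addr") & mask ))
    echo "$(int_to_ip "$net")/$prefix"
}

# is_private ADDR -> succeeds if ADDR is in 10/8, 172.16/12 or 192.168/16
is_private() {
    n=$(ip_to_int "$1")
    [ $(( n >> 24 )) -eq 10 ] ||
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] ||
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]
}

# lan_networks: read `ip -o -4 addr show` on stdin and print
# "DEV NETWORK/PREFIX" for every non-loopback address in a private range
lan_networks() {
    while read -r idx dev fam cidr rest; do
        [ "$dev" = lo ] && continue
        is_private "${cidr%/*}" || continue
        echo "$dev $(lan_cidr "$cidr")"
    done
}

# Constructed sample of `ip -o -4 addr show` (not captured from a real host)
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.122.63/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0\       valid_lft 3219sec preferred_lft 3219sec'

# On a real host replace the printf with:  ip -o -4 addr show | lan_networks
printf '%s\n' "$SAMPLE_IP_OUTPUT" | lan_networks
```

The printed "enp1s0 192.168.122.0/24" is the value to use in the ListenAddress and firewall steps that follow; the loopback address is skipped because it is never the network you want to expose.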

Step 2: Configure SSH to listen only on local addresses

By default, sshd listens on every address of every network interface (0.0.0.0 for IPv4 and :: for IPv6). We will change this so that it binds only to the address on the local network.

sudo nano /etc/ssh/sshd_config

Find the line beginning with #ListenAddress, remove the # at the beginning and set your local IP address after it. You can list several ListenAddress lines if sshd should bind to more than one address.

For example, if your local IP is 192.168.122.63, the line should read:

ListenAddress 192.168.122.63

Restart the SSH service for the change to take effect. The unit is called ssh on Debian and Ubuntu and sshd on RHEL-based distributions:

sudo systemctl restart ssh     # Debian, Ubuntu
sudo systemctl restart sshd    # RHEL-based distributions

sshd now binds only to 192.168.122.63. Be clear about what this does and does not do: it stops sshd from accepting connections that arrive at any other address on the host (a second, public-facing interface, or IPv6), but it does not filter by client address. If your router forwards port 22 from the Internet to 192.168.122.63, those connections still arrive at that address and are still accepted, so the firewall rules in Step 3 are what actually keep outside clients out. Two further caveats: if 192.168.122.63 is not assigned to an interface when sshd starts (for example because DHCP handed out a different address), sshd cannot bind and will not start; and on Ubuntu releases that start sshd through socket activation (22.10 and later), the listening socket belongs to the ssh.socket unit and ListenAddress in sshd_config is not applied, so set an empty ListenStream= (to clear the default) followed by ListenStream=192.168.122.63:22 in an override for that unit (sudo systemctl edit ssh.socket) instead. In either case, confirm what is actually bound with ss -ltn before relying on it.

Step 3: Restrict SSH with firewall rules

Configuring the SSH daemon to bind only to the local address is useful, but it does not look at where a connection comes from. Firewall rules add that check: only devices with a source address in your local network can reach port 22, even when a connection from the Internet is forwarded to the system's address by the router.

Using UFW (Uncomplicated Firewall)

If you use UFW, the default firewall on Ubuntu and several other distributions, run the following commands.

They allow SSH connections only from your local network (here 192.168.122.0/24, matching the example above), deny SSH from every other source, reload the firewall and show its status. UFW must be enabled (sudo ufw enable) for the rules to take effect, and rules are evaluated in the order shown by sudo ufw status numbered, so delete any earlier, broader rule such as allow OpenSSH that would match first.

sudo ufw allow from 192.168.122.0/24 to any port 22 proto tcp
sudo ufw deny 22/tcp
sudo ufw reload
sudo ufw status

Using firewalld

To restrict SSH to your local network with firewalld, remove the general ssh service from the active zone and add a rich rule that accepts port 22 only from the local range (192.168.122.0/24 in the running example); anything not explicitly accepted is rejected by the zone's default target. Do not add a blanket drop rich rule for port 22 as a "deny everything else": firewalld evaluates drop and reject rich rules before accept rules of the same priority, so such a rule would lock out the local network as well. Reload the firewall and check the zone afterwards.

sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.122.0/24" port protocol="tcp" port="22" accept'
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Using iptables

If you use neither UFW nor firewalld, you can write the same rules with iptables. iptables takes the first matching rule, so the local-network ACCEPT must come before the DROP. Both rules are appended (-A) here, which means any earlier rule that already accepts port 22 would still win, so check the listing. These rules cover IPv4 only; if sshd still listens on IPv6, add the equivalent with ip6tables.

sudo iptables -A INPUT -p tcp -s 192.168.122.0/24 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
sudo iptables -L INPUT -n --line-numbers

# Make the rules persistent across reboots. The file depends on the distribution:
# RHEL-based systems (iptables-services): /etc/sysconfig/iptables
# Debian-based systems (iptables-persistent): /etc/iptables/rules.v4
sudo iptables-save | sudo tee /etc/iptables/rules.v4

SSH access is now allowed only from devices in the local network range.

Step 4: Check your setup

Once you’ve set up SSH and your firewall, it’s time to test your setup to ensure everything is working as expected.

From a device on the local network, try connecting to the server using SSH (replace user with your account name on the server):

ssh user@192.168.122.63

If you have a way onto an external network (for example cellular data, or a VPN that exits somewhere outside your network), try connecting to the system's public IP address. The connection must fail: it should time out (with a DROP rule) or be refused (with a REJECT rule), and no login attempt should appear in the SSH log.
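A manual connection test only covers the one client you have at hand. The following added example (not from the original article) checks the two things Steps 2 and 3 rely on from tool output instead: that sshd is bound to the local address only, read from ss -H -ltn, and that the iptables INPUT chain reaches the LAN-scoped ACCEPT before any rule that admits port 22 from anywhere, read from iptables-save. The ss and iptables-save text in the block is constructed, the LAN address and range are the article's example values, and the helper names are this example's own; on a real host pipe the real commands in as the comments show.

```shell
#!/bin/sh
# Added example, not from the original article: audit the result of Steps 2
# and 3 from `ss -H -ltn` and `iptables-save` output. Sample outputs below are
# constructed, not captured from a real host. POSIX sh; the checks themselves
# need no root (iptables-save does).

LAN_ADDR=192.168.122.63
LAN_CIDR=192.168.122.0/24

# ssh_listeners: from `ss -H -ltn` text on stdin, print the local address of
# every TCP listener on port 22 (0.0.0.0 or [::] means "every address")
ssh_listeners() {
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = LISTEN ] || continue
        case $laddr in
            *:22) echo "${laddr%:22}" ;;
        esac
    done
}

# listener_is_local_only: succeed only if port 22 is bound to LAN_ADDR and to
# nothing else; a wildcard or IPv6 listener means Step 2 did not take effect
listener_is_local_only() {
    found=0
    for a in $(ssh_listeners); do
        [ "$a" = "$LAN_ADDR" ] || return 1
        found=1
    done
    [ "$found" -eq 1 ]
}

# ssh_rules_restrict_to_lan: from `iptables-save` text on stdin, walk INPUT in
# order and succeed only if the first rule that admits port 22 is the LAN-scoped
# ACCEPT and a DROP/REJECT for port 22 (or a DROP chain policy) follows it.
# An earlier unconditional ACCEPT wins, because iptables takes the first match.
ssh_rules_restrict_to_lan() {
    lan_accept=0
    policy_drop=0
    while read -r line; do
        case $line in
            ":INPUT DROP "*) policy_drop=1; continue ;;
            "-A INPUT "*"--dport 22 "*) ;;
            *) continue ;;
        esac
        case $line in
            *"-s $LAN_CIDR "*"-j ACCEPT") lan_accept=1 ;;
            *"-j ACCEPT") return 1 ;;          # port 22 open to any source
            *"-j DROP"|*"-j REJECT"*)
                [ "$lan_accept" -eq 1 ] && return 0
                return 1 ;;                    # catch-all before the LAN accept
        esac
    done
    [ "$lan_accept" -eq 1 ] && [ "$policy_drop" -eq 1 ]
}

# Constructed `ss -H -ltn` samples: the default wildcard binding, and after Step 2
SS_DEFAULT='LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'
SS_AFTER_STEP2='LISTEN 0      128   192.168.122.63:22        0.0.0.0:*'

# Constructed `iptables-save` samples: Step 3 on a clean chain, and the same
# rules appended behind a stale "allow SSH from anywhere" rule
RULES_GOOD='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.122.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT'
RULES_LEAKY='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.122.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT'

# report LABEL CHECK INPUT: run CHECK on INPUT and print PASS or FAIL
report() {
    if printf '%s\n' "$3" | "$2"; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}
# On a real host:  ss -H -ltn | listener_is_local_only
#                  sudo iptables-save | ssh_rules_restrict_to_lan
report "sshd bound to LAN address only (after Step 2)" listener_is_local_only "$SS_AFTER_STEP2"
report "sshd bound to LAN address only (default)"      listener_is_local_only "$SS_DEFAULT"
report "port 22 restricted to LAN (clean chain)"       ssh_rules_restrict_to_lan "$RULES_GOOD"
report "port 22 restricted to LAN (stale rule first)"  ssh_rules_restrict_to_lan "$RULES_LEAKY"
```

The "stale rule first" case is the one to watch for: it is exactly what you get by appending Step 3's rules to a host that already had port 22 open, and a connection test from the LAN will not reveal it because the LAN is allowed either way.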

More tips

Here are some additional tips for setting up SSH on your local network:

  • Static IP – Give the server a static IP address (or a DHCP reservation on the router). sshd refuses to start if the address named in ListenAddress is not assigned to an interface, and firewall rules written for the local range stop matching if the range changes after a router reboot.
  • VPN access – If you need remote access from an external network, set up a VPN so that you reach the local network securely over the Internet; SSH then stays reachable only from local addresses, VPN clients included.
  • Monitor logs – Watch the SSH logs for login attempts that should not be there.

On Debian and Ubuntu you can follow them with the tail command (RHEL-based systems log to /var/log/secure instead, and on any systemd host the sshd journal holds the same messages):

sudo tail -f /var/log/auth.log

Conclusion

Restricting SSH access to your local network is a simple but effective way to improve the security of your Linux system. By following the steps in this guide, you can prevent external access to your SSH server while maintaining local access for administrative and management tasks.

With firewall rules and proper configuration, you can ensure that only trusted devices within your local network can connect via SSH, reducing the risk of unauthorized access.
