
How to Restrict SSH Access to Local Networks on Linux

SSH (Secure Shell) is a popular tool that allows users to connect to remote systems securely over a network. By default, SSH is accessible from any network as long as the appropriate firewall and network settings are in place.

However, sometimes you may want to restrict SSH access to only your local network for security reasons. This is especially useful in a home or office environment where you don’t want external access to your system over the internet.

In this article, we will go through the steps on how to restrict SSH access to the local network on Linux using firewall rules and SSH configurations. We will explain each step in simple terms to ensure that even a beginner can follow along.

Why Restrict SSH to the Local Network?

Restricting SSH access to only the local network can reduce the risk of unauthorized access to your system.

Here are some reasons why you may want to do this:

  • Security: Limiting access to SSH from outside networks prevents attackers from scanning or trying to brute-force your server over the internet.
  • Controlled Access: If you have multiple devices connected to the same local network, you can still manage the system without exposing it to external threats.
  • Simplicity: With local access only, you won’t need to worry about configuring extra layers of security for external access.

Understanding the Local Network

Before you start, it’s important to understand what is meant by “local network“. A local network is a group of devices connected within the same physical or wireless network, such as your home Wi-Fi or office network.

These devices share the same private IP address range, such as 192.168.x.x or 10.x.x.x, while external devices (those on the internet) have public addresses outside these ranges.

Step 1: Check Your Linux Local IP Address Range

To know your local network range, you first need to determine your device’s IP address using the following ip command, which will display your IP address and network information.

ip a
[Screenshot: Check Linux IP Address]

You’ll see information about the network interfaces. Look for the inet line of your main interface, for example inet 192.168.122.63/24: the address before the slash is your local IP address, and the number after it (the prefix length) tells you how large your local network is.

Usually, your local IP address will be in one of the private (RFC 1918) ranges:

192.168.0.0/16 (192.168.x.x)
10.0.0.0/8 (10.x.x.x)
172.16.0.0/12 (172.16.x.x to 172.31.x.x)

For example, if ip a shows inet 192.168.122.63/24, your local network is 192.168.122.0/24, which means all devices with addresses from 192.168.122.1 to 192.168.122.254 are on the same local network. Use the network that matches your own address in the firewall rules below; they use 192.168.1.0/24 only as an example, and an allow rule for the wrong network will lock out every device on your LAN.
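
The following Python script is an added example for this article, not code from the original page: it derives the local network from text in the format of ip -o -4 addr show (the sample output, interface name and addresses are constructed) and checks whether an allow-from network such as the ones used in the firewall step actually covers the host's own LAN. It uses only the standard ipaddress module.

```python
"""Derive the local network from `ip a` output and sanity-check firewall CIDRs.

Added example for this article (not from the original page). Input is
constructed text in the format of `ip -o -4 addr show`; the interface name
and addresses are made up.
"""
import ipaddress
import re

# Constructed sample, formatted like the one-line output of `ip -o -4 addr show`.
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.122.63/24 brd 192.168.122.255 scope global dynamic enp1s0\\       valid_lft 3086sec preferred_lft 3086sec
"""

# "<index>: <ifname>    inet <address>/<prefix> ..."
INET_LINE = re.compile(r"^\d+:\s+(?P<ifname>\S+)\s+inet\s+(?P<cidr>\S+)")


def local_networks(ip_output: str) -> dict:
    """Map each non-loopback interface to the network its address belongs to.

    ip_interface() keeps the host address *and* the prefix length; its .network
    property zeroes the host bits: 192.168.122.63/24 -> 192.168.122.0/24.
    """
    networks = {}
    for line in ip_output.splitlines():
        m = INET_LINE.match(line)
        if not m:
            continue
        iface = ipaddress.ip_interface(m["cidr"])
        if iface.ip.is_loopback:
            continue
        networks[m["ifname"]] = str(iface.network)
    return networks


def in_network(address: str, cidr: str) -> bool:
    """True if a single address falls inside the given network."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def allow_rule_covers(host_cidr: str, allow_cidr: str) -> bool:
    """Would a firewall 'allow from allow_cidr' admit the host's own LAN peers?

    The host's network (derived from host_cidr) must lie inside the allowed
    range; otherwise the allow rule locks out every machine on the LAN.
    """
    host_net = ipaddress.ip_interface(host_cidr).network
    allow_net = ipaddress.ip_network(allow_cidr, strict=False)
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so check the version first.
    return host_net.version == allow_net.version and host_net.subnet_of(allow_net)


if __name__ == "__main__":
    print("local networks:", local_networks(SAMPLE_IP_OUTPUT))
    for allow in ("192.168.1.0/24", "192.168.122.0/24", "192.168.0.0/16"):
        print(f"allow from {allow:18} covers host LAN: "
              f"{allow_rule_covers('192.168.122.63/24', allow)}")
```

Run against the constructed sample, the script reports 192.168.122.0/24 as the LAN and shows that an allow rule for 192.168.1.0/24 would not cover it, while 192.168.122.0/24 or the wider 192.168.0.0/16 would. To use it on a real machine, feed it the output of ip -o -4 addr show instead of the sample.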

Step 2: Configure SSH to Listen Only on Local Addresses

By default, SSH listens on all available network interfaces (every IPv4 and IPv6 address the host has). We will change it to listen only on the address your machine uses on the local network.

sudo nano /etc/ssh/sshd_config

Find the line with #ListenAddress and uncomment it (remove the # at the start). Set it to your local IP address.

For example, if your local IP is 192.168.122.63, update the file as follows:

ListenAddress 192.168.122.63

Restart the SSH service for the changes to take effect.

sudo systemctl restart ssh     (Debian, Ubuntu)
OR
sudo systemctl restart sshd    (RHEL, Fedora, openSUSE, Arch)

Now sshd accepts connections only on 192.168.122.63; a connection to any other address the host holds (for example a second interface) is refused. Note what this does and does not do: ListenAddress controls which local address the daemon binds to, not which clients may reach it. If your router forwards port 22 to 192.168.122.63, a connection from the internet still arrives at that address and is accepted, so the firewall rules in Step 3 are what actually restrict access by source network. Also, on Ubuntu 22.10 and later sshd is started through systemd socket activation (ssh.socket) and does not honour ListenAddress in sshd_config unless the socket unit is changed as well, which is another reason to rely on the firewall rules.

Step 3: Restrict SSH with Firewall Rules

Configuring the SSH daemon to listen only on a local address is helpful, but firewall rules add the layer that actually filters by source: only devices on your local network can connect via SSH, even if someone reaches your system through your external IP (for example via a port forward on your router).

Using UFW (Uncomplicated Firewall)

If you are using UFW, the default firewall on many Linux distributions like Ubuntu, follow these commands:

The following commands allow SSH only from your local network (here 192.168.1.0/24; substitute the network you found in Step 1), deny SSH from everywhere else, reload the firewall and show the resulting rules. UFW evaluates rules in the order they were added, so the allow rule must be added before the deny rule, and UFW must be enabled (after the allow rule is in place) for any of this to take effect.

sudo ufw allow from 192.168.1.0/24 to any port 22
sudo ufw deny 22
sudo ufw reload
sudo ufw status

Using Firewalld

To restrict SSH to the local network using Firewalld, use the following commands.

They remove the generic ssh service from the active zone (it would otherwise accept port 22 from any source), allow SSH only from your local network (here 192.168.1.0/24), drop SSH from everywhere else, then reload the firewall and show the resulting configuration. Two details matter here: Firewalld processes rich rules of the same priority in the order log, drop/reject, accept, so a plain drop rule would be hit before the accept rule and lock out the local network too; giving the drop rule a positive priority makes it run after the accept. The rich rules are wrapped in single quotes so the inner double quotes reach firewall-cmd intact.

sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule priority="100" family="ipv4" port port="22" protocol="tcp" drop'
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Using iptables

If you are not using UFW or Firewalld, you can use iptables to set up equivalent rules. iptables stops at the first matching rule and -A appends to the end of the chain, so run the commands in this order and check that no earlier rule in INPUT already accepts port 22.

sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
sudo ip6tables -A INPUT -p tcp --dport 22 -j DROP
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
sudo iptables -L INPUT -n --line-numbers

iptables rules apply to IPv4 only; the ip6tables line closes the same port over IPv6, which would otherwise stay reachable if the host has a public IPv6 address. The saved files in /etc/iptables/ are loaded at boot only if the iptables-persistent package (Debian/Ubuntu) or an equivalent service is installed.

Now, SSH access is only permitted from local devices within your network range.

Step 4: Test Your Configuration

After configuring SSH and the firewall, it’s time to test the setup to ensure everything works as expected.

From a device on your local network, try to connect to the server's local address using SSH (replace user with your account name on the server):

ssh user@192.168.122.63

If you have access to an external network (for example, using mobile data or a VPN), try to connect to the system’s external IP. The connection should be blocked or refused.

Additional Tips

Here are some additional tips for restricting SSH to the local network:

  • Static IP: Give the device you SSH into a static IP address (or a DHCP reservation on the router). The ListenAddress line and the firewall rules refer to fixed addresses and ranges, so an address that changes after a router restart would silently break them.
  • VPN Access: If you need remote access from an external network, set up a VPN instead of opening SSH to the internet. You connect to your local network securely over the internet, and SSH remains reachable only from within the local network.
  • Monitor Logs: Always monitor your SSH logs for unauthorized access attempts. After the firewall rules are in place, failed logins from addresses outside your local network should no longer appear at all; if they do, the restriction is not working.

You can follow the log with the tail command (on Debian and Ubuntu; RHEL-based systems write to /var/log/secure instead, and on any systemd distribution journalctl -u ssh or journalctl -u sshd shows the same messages):

sudo tail -f /var/log/auth.log
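
The following Python script is an added example for this article, not part of the original page. It parses sshd log lines in the syslog format found in /var/log/auth.log and separates accepted logins and failed attempts by whether the source lies inside the allowed local network, which is exactly the check the Monitor Logs tip calls for. The log lines, host name, user names and addresses are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet sources.

```python
"""Audit sshd log lines against the network SSH is supposed to be limited to.

Added example for this article (not part of the original page). The log lines
are constructed in the syslog format sshd writes to /var/log/auth.log; the
host name, users and addresses are made up.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 12 09:14:02 host sshd[1201]: Accepted publickey for alice from 192.168.1.20 port 50412 ssh2: ED25519 SHA256:placeholderfingerprint
Mar 12 09:15:33 host sshd[1210]: Failed password for invalid user admin from 203.0.113.45 port 41022 ssh2
Mar 12 09:15:35 host sshd[1210]: Failed password for invalid user admin from 203.0.113.45 port 41022 ssh2
Mar 12 09:16:01 host sshd[1215]: Failed password for root from 198.51.100.7 port 55001 ssh2
Mar 12 09:18:10 host sshd[1222]: Connection closed by authenticating user bob 192.168.1.31 port 50980 [preauth]
Mar 12 09:20:44 host sshd[1230]: Accepted password for bob from 192.168.1.31 port 50988 ssh2
"""

# Matches "Accepted <method> for <user> from <ip> port <n>" and
# "Failed <method> for [invalid user] <user> from <ip> port <n>".
AUTH_EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass
class AuditReport:
    accepted_local: int = 0
    failures_local: Counter = field(default_factory=Counter)    # src -> count
    failures_outside: Counter = field(default_factory=Counter)  # src -> count
    accepted_outside: list = field(default_factory=list)        # (user, src)

    def restriction_holds(self) -> bool:
        """Once the firewall rules are active, nothing from outside should reach sshd."""
        return not self.failures_outside and not self.accepted_outside


def audit_ssh_log(lines, allowed_cidr: str) -> AuditReport:
    """Classify every authentication event by whether its source is in allowed_cidr."""
    allowed = ipaddress.ip_network(allowed_cidr, strict=False)
    report = AuditReport()
    for line in lines:
        m = AUTH_EVENT.search(line)
        if not m:
            continue                      # disconnects, preauth noise, etc.
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue                      # a host name was logged instead of an address
        is_local = src in allowed         # False for mixed IPv4/IPv6, never an error
        if m["result"] == "Accepted":
            if is_local:
                report.accepted_local += 1
            else:
                report.accepted_outside.append((m["user"], m["src"]))
        else:
            bucket = report.failures_local if is_local else report.failures_outside
            bucket[m["src"]] += 1
    return report


if __name__ == "__main__":
    report = audit_ssh_log(SAMPLE_AUTH_LOG.splitlines(), "192.168.1.0/24")
    print("logins from the local network:", report.accepted_local)
    print("failed attempts from outside:", dict(report.failures_outside))
    print("logins from outside (should be empty):", report.accepted_outside)
    print("restriction holds:", report.restriction_holds())
```

On the constructed sample the report shows two local logins and three failed attempts from two outside addresses, so restriction_holds() is False: those lines are what you would expect to see before Step 3 and should disappear afterwards. An accepted login from outside the allowed network is the serious case, because it means the ListenAddress and firewall settings are not limiting access as intended. To run it on a real system, pass the lines of /var/log/auth.log (or the journalctl output) and your own network from Step 1.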
Conclusion

Restricting SSH access to the local network is a simple yet effective way to enhance the security of your Linux system. By following the steps in this guide, you can prevent external access to your SSH server while maintaining local access for management and administrative tasks.

With firewall rules and proper configuration, you can ensure that only trusted devices within your local network can connect via SSH, reducing the risk of unauthorized access.
