This guide helps you keep your Linux server safe by allowing only trusted people to connect to it via SSH. SSH is like a secure door to your server, and you can control who gets through.
We will show you how to allow only specific computers (by their IP address) to log in, and block everyone else. This helps stop hackers from trying to guess your password.
Table of Contents
Why does this matter?
- Hackers frequently attempt password guessing (also known as “brute force attacks”).
- Hackers will find it far more difficult to gain access if you only let trusted computers connect.
- No one else can log in, but you can still do so from your laptop, phone, or business computer.
Important safety tips before you start
- When testing, keep your SSH session open and never close it.
- Maintain a backup method of accessing your server, such as a console or KVM.
- Before making any changes, always create a backup of your configuration.
- Carefully test; if something goes wrong, you can revert to the previous configuration.
Backup command:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
Disable Root Login
The root account is the most powerful on your server. If hackers guess the password, they can take full control. Disabling root login adds a big layer of security.
- Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
- Find the line that says:
PermitRootLogin yes
- Change it to:
PermitRootLogin no
- Save the file and restart SSH:
sudo systemctl restart sshd
Note: You can still log in as root using sudo after logging in as a regular user.
Change the SSH Default Port
Port 22 is the most targeted port by hackers. Changing it to something like 2222 or 4444 makes your server less visible to automated attacks.
- In the same file (/etc/ssh/sshd_config), find the line:
#Port 22
- Uncomment it (remove the #) and change it to a new port:
Port 2222
- Save the file and restart SSH:
sudo systemctl restart sshd
Important: Ensure your firewall allows the new port!
- For example, if you use firewalld, run:
sudo firewall-cmd --permanent --add-port=2222/tcp sudo firewall-cmd --reload
Different methods to restrict SSH Access
Method 1: Use the SSH Settings File (Best for All Systems)
You can alter the SSH settings to only allow certain people from specific computers.
Option A: Allow Only Specific Users from Specific IPs
Let’s say you have a user named John and you only want him to be able to log in from a computer that has the IP address 192.168.1.10, such as your home computer.
Step-by-step:
- Open the SSH settings file:
sudo nano /etc/ssh/sshd_config
- Add this line:
AllowUsers [email protected]
This means: “Only user John can log in, and only from the computer at 192.168.1.10.”
- Save the file and restart SSH:
sudo systemctl restart sshd
- Test: Try to log in from your trusted computer; it should work.
Option B: Use More Advanced Rules (For Complex Needs)
You can also say:
“Allow John from 192.168.1.10″
“But block John from all other computers”
Step-by-step:
-
- Open the SSH settings file:
sudo nano /etc/ssh/sshd_config
- Add this:
- Open the SSH settings file:
Match User john Address 192.168.1.10
PasswordAuthentication yes
Match User john Address ! 192.168.1.10
DenyUsers john
-
- This means: “If John tries to log in from 192.168.1.10, allow it.
- If John tries to log in from any other computer, block it.
- Save the file and restart SSH:
sudo systemctl restart sshd
Method 2: Use TCP Wrappers (Only for Older Systems)
Important: This method only works on older Linux systems like CentOS 7. It doesn’t work on modern systems like AlmaLinux 8+, Rocky Linux 8+, or Ubuntu 20.04+.
If you are using a newer system, skip this method.
How It Works:
- You can create a list of allowed IPs.
- Any computer not on the list will be blocked.
Step-by-step:
- Open the allowed list:
sudo nano /etc/hosts.allow
- Add your trusted IP:
sshd: 192.168.1.10
- Open the blocked list:
sudo nano /etc/hosts.deny
- Add this line:
sshd: ALL
This means: “Block everyone except the IPs listed in /etc/hosts.allow.”
- No restart required; changes take effect immediately.
Method 3: Use a Firewall (Best for Modern Systems)
Modern systems like AlmaLinux 8+, Rocky Linux 8+, and Ubuntu 20.04+ do not support TCP wrappers. So we use a firewall instead.
A firewall controls who can enter, much like a security guard at the door.
For AlmaLinux, CentOS 8+, or Rocky Linux:
- Open the firewall:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.10" service name="ssh" accept'
This means: “Allow SSH access only from 192.168.1.10.”
- Apply the changes:
sudo firewall-cmd --reload
- Check if it is working:
sudo firewall-cmd --list-all
For Ubuntu or Debian:
- Open the firewall:
sudo ufw allow from 192.168.1.10 to any port 22
- Enable the firewall:
sudo ufw enable
- Check rules:
sudo ufw status verbose
How to Test Your Setup?
- Keep your current SSH session open, don’t close it.
- Open a new terminal.
- Try to log in from your trusted computer:
ssh john@your-server-ip - Try from a different computer:
It should fail or time out.
How to Verify Everything Works Well?
- Check if your rules are active:
sudo sshd -T | grep -i allow
- Check firewall rules:
sudo firewall-cmd --list-all
- Check logs for failed attempts:
sudo tail -f /var/log/auth.log
Best Practices for Everyone
- Use a firewall; it’s the most reliable method on modern systems.
- Use SSH keys instead of passwords, and use special keys (like a digital ID card).
- Keep your server updated and install security patches regularly.
- Document your allowed IPs; write down which computers can connect.
- Use a VPN; instead of opening SSH to the internet, use a private network.
SSH Access Compatibility by Operating System
- AlmaLinux 8+ / Rocky Linux 8+ / CentOS 8+
These modern RHEL-based systems work best with SSH settings + firewall rules. - CentOS 7
Older OS versions where TCP Wrappers are still supported, along with normal SSH configuration. - Ubuntu 20.04+ / Debian 10+
These Debian-based systems commonly use SSH settings + UFW for access management.
Troubleshooting
If you get locked out:
- Use console access (like a KVM or remote console).
- Restore the backup:
sudo cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
- Restart SSH:
sudo systemctl restart sshd
- If rules don’t work:
- Check for typos in the IP address.
- Make sure the service was restarted.
- Verify the firewall is not blocking SSH.
In this manner, your server?is much safer?from hackers. It significantly strengthens SSH security and helps safeguard your server against illegal logins.
A Linux VPS Hosting solution provides full root access and the flexibility needed to manage SSH policies, firewall rules and secure remote administration.
Want to secure access in Plesk too? Learn How to restrict IP address for administrator access in Plesk