How to disable SSH access from everywhere except for certain IPs in CentOS 7

Here’s how to do it:

This declares an internal zone with two IPs (add as many or as few as you like) and subsequently removes the SSH service from the public zone altogether. As a result, any other IP gets a message such as “Connection refused” when trying to connect via SSH.

The “--permanent” switch saves the changes. Remove it for testing or if you don’t want this change to be permanent.

The last line reloads the current firewall rules (thanks, CertDepot).
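An added example, not the post's own listing, of the firewalld steps described above. It assumes the stock `public` and `internal` zones (the stock `internal` zone already carries the ssh service); the function names, the `APPLY` variable and the addresses 1.2.3.4 and 5.6.7.8 are placeholders. It validates the allowed sources first and prints the commands instead of running them unless `APPLY=1` is set, so a typo or an empty list cannot remove SSH from the public zone.

```shell
#!/bin/sh
# Added example: restrict SSH to an allowlist with firewalld (CentOS 7).
# Assumptions: stock "public" and "internal" zones; the internal zone still
# carries the ssh service. Function names and APPLY are hypothetical.

# is_ipv4_source ADDR: succeed for a dotted-quad IPv4 address with optional /0-32.
is_ipv4_source() {
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# allowlist_plan SRC...: print the firewall-cmd lines. Fails before printing
# anything if the list is empty or has a bad entry (guards against lockout).
allowlist_plan() {
    [ $# -gt 0 ] || { echo "refusing: no allowed sources given" >&2; return 1; }
    for src in "$@"; do
        is_ipv4_source "$src" || { echo "refusing: bad source '$src'" >&2; return 1; }
    done
    for src in "$@"; do
        echo "firewall-cmd --permanent --zone=internal --add-source=$src"
    done
    echo "firewall-cmd --permanent --zone=public --remove-service=ssh"
    echo "firewall-cmd --reload"
}

# Placeholder addresses are used when no arguments are given.
[ $# -gt 0 ] || set -- 1.2.3.4/32 5.6.7.8/32
plan=$(allowlist_plan "$@") || exit 1
if [ "${APPLY:-0}" = 1 ]; then
    # Run as root, from a session whose address is in the list.
    echo "$plan" | sh -e
else
    echo "$plan"    # dry run: show what would be executed
fi
```

After applying, `firewall-cmd --zone=internal --list-all` shows the sources and services of the internal zone, and `firewall-cmd --zone=public --list-services` should no longer list ssh.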

About Jay Versluis

Jay is a medical miracle known as a Super Survivor. He runs two YouTube channels, five websites and several podcast feeds. To see what else he's up to, and to support him on his mission to make the world a better place, check out his Patreon Campaign.

6 thoughts on “How to disable SSH access from everywhere except for certain IPs in CentOS 7”

      1. The basics could be read here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files.html

        Following your example:

        /etc/hosts.allow:
        sshd : 1.2.3.4/32, 5.6.7.8/32

        /etc/hosts.deny:
        sshd: ALL

        —————–

        You can restrict access to a wide variety of daemons. You can find out whether or not a daemon supports tcp wrappers with the following command:

        $ ldd /usr/sbin/sshd | grep wrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fe777cbf000)

        If libwrap is a dynamic dependency, tcp wrappers are supported.
