Restricting SSH logins to particular IP addresses
Posted by Steve on Mon 28 Jan 2013 at 23:37
Many people use SSH keys for password-less logins, and the increase in security that keys provide over (traditionally weaker) passwords. But few people seem to realize that you can also restrict logins to known-good IP addresses, via that same mechanism.
It has to be said that if you've got root access upon a server one way to restrict people connecting to your machine is to use a firewall. The venerable iptables firewall primitive makes this easy.
However you can usefully use IP address restrictions even in combination with a firewall, for example you might wish to allow your users to login from within your network, but only allow an auto-build user to login from a remote jenkins server - to clone some source code, for example.
The basic mechanism is straight-forward enough, rather than just storing the public-part of a key to your users ~/.ssh/authorized_keys file you also store some configuration entries.
To restrict the user bob to remote logins from the single IP address 18.104.22.168 you would use this in the ~bob/.ssh/authorized_keys file:
from="22.214.171.124" ssh-rsa ....
Here we've added the "from="126.96.36.199"" section, prior to the key for the user. This is just one of the options you can add, and the quoted value is a list of comma-separated hosts from which the login will be allowed.
If you wished to allow logins from several sources you could use something like this:
from="188.8.131.52/24,184.108.40.206" ssh-rsa ...
In addition to the IP-address restrictions you can configure several other things, such as denying the use of agent-forwarding, denying the use of port-forwards, & etc.
The other options are comma-separated too, and are documented in the manpage for sshd, under the section "AUTHORIZED_KEYS FILE FORMAT". As a good example of a secure login this is a good start:
from="220.127.116.11",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa ...
This disables the use of agent-forwarding, port-forwarding, etc. whilst still allowing interactive logins. If you were using SSH for special-purpose logins you could restrict things further, by denying interactive login-shells and forcing the execution of a particular command:
command="/usr/local/bin/my-prog" ssh-rsa ..
This is useful for remote backups carried out via rsync + ssh, as it can ensure that your remote user can only execute the expected command - and not anything else.