How to restrict a specified user or IP address from logging on to a Linux instance through SSH

Last Updated: Apr 21, 2022

Disclaimer: This topic may contain information about third-party products. The information is for reference only. Alibaba Cloud does not make a guarantee in any form of the performance and reliability of the third-party products, and potential impacts of operations on these products.

Overview

This topic describes how to restrict users or IP addresses from logging in through SSH in Linux ECS instances.

Description

Take note of the following items:

  • Before you perform high-risk operations such as modifying the specifications or data of an Alibaba Cloud instance, we recommend that you check the disaster recovery and fault tolerance capabilities of the instance to ensure data security.
  • Before you modify the specifications or data of an Alibaba Cloud instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backups for the instance. For example, you can enable log backups for an ApsaraDB RDS instance.
  • If you have granted specific users the permissions on sensitive information, such as usernames and passwords, or submitted sensitive information in the Alibaba Cloud Management Console, we recommend that you modify the sensitive information at the earliest opportunity.

This topic covers the following two methods.

Restrict user logons through SSH

Edit the /etc/ssh/sshd_config configuration file and add a DenyUsers option similar to the following to deny the specified users from logging on through SSH. Then, restart the SSH service.

DenyUsers zhangsan aliyun
# Deny the zhangsan and aliyun accounts from logging on to the system through SSH.

Alternatively, add an AllowUsers option similar to the following to allow only the specified users to log on through SSH; any user not listed is denied.

Tip: After the configuration is complete, you must restart the SSH service.

AllowUsers aliyun test@192.168.1.1
# Allow the aliyun account, and the test account only when it logs on from 192.168.1.1, to log on to the system through SSH.
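The following is an added example, not part of the original topic and not an Alibaba Cloud tool. It parses a constructed sshd_config fragment and applies the OpenSSH evaluation order for these options (DenyUsers is checked first, then AllowUsers; a USER@HOST pattern restricts the entry to logons from that source, where HOST may be an address glob or a CIDR block). The sample configuration, the user names and the addresses are constructed for the demonstration; the host part is matched against the client IP address only, whereas sshd also matches it against the resolved host name.

```python
"""Evaluate OpenSSH AllowUsers/DenyUsers rules for a user@address pair.

Added example: re-implements the documented sshd evaluation order so the
effect of a configuration can be checked before the SSH service is restarted.
"""
import fnmatch
import ipaddress

# Constructed sample sshd_config fragment (not read from a live instance).
SAMPLE_SSHD_CONFIG = """
# comment lines and unrelated options are ignored
PermitRootLogin no
DenyUsers zhangsan aliyun
AllowUsers aliyun test@192.168.1.1 ops@10.0.0.0/8
"""


def parse_user_rules(config_text):
    """Return (deny_patterns, allow_patterns) collected from sshd_config text."""
    deny, allow = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].lower()            # sshd keywords are case-insensitive
        if keyword == "denyusers":
            deny.extend(parts[1:])
        elif keyword == "allowusers":
            allow.extend(parts[1:])
    return deny, allow


def _host_matches(host_pattern, addr):
    """Match the HOST part of USER@HOST: a CIDR block, otherwise a shell-style glob."""
    if "/" in host_pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(host_pattern, strict=False)
        except ValueError:
            return False                      # malformed address or block never matches
    return fnmatch.fnmatchcase(addr, host_pattern)


def _pattern_matches(pattern, user, addr):
    """Match one AllowUsers/DenyUsers entry (USER or USER@HOST) against a logon."""
    if "@" in pattern:
        user_pattern, host_pattern = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, user_pattern) and _host_matches(host_pattern, addr)
    return fnmatch.fnmatchcase(user, pattern)


def ssh_login_permitted(config_text, user, addr):
    """True if the user allow/deny lists in config_text would admit user from addr."""
    deny, allow = parse_user_rules(config_text)
    if any(_pattern_matches(p, user, addr) for p in deny):
        return False      # DenyUsers is evaluated first and wins over AllowUsers
    if allow and not any(_pattern_matches(p, user, addr) for p in allow):
        return False      # a non-empty AllowUsers denies every user it does not list
    return True


if __name__ == "__main__":
    for user, addr in (("aliyun", "192.168.1.1"), ("test", "192.168.1.1"),
                       ("test", "192.168.1.2"), ("ops", "10.20.30.40"), ("root", "192.168.1.1")):
        print(f"{user}@{addr}: {'permitted' if ssh_login_permitted(SAMPLE_SSHD_CONFIG, user, addr) else 'denied'}")
```

On the instance itself, run `sshd -t` to check the edited file for syntax errors before restarting the service, and `sshd -T` to print the effective configuration, including the merged AllowUsers and DenyUsers values.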

Restrict IP Address Login Through SSH

In addition to restricting specified users from logging on through SSH, you can restrict logons by IP address. On Linux instances, configure the /etc/hosts.allow and /etc/hosts.deny files to allow or deny the specified IP addresses and IP address ranges from remotely logging on to the server through SSH. The files are described as follows.

  • Edit the /etc/hosts.allow file and add content similar to the following. Only the specified IP addresses are allowed to log on through SSH.
    sshd:192.168.1.1:allow # The IP address 192.168.1.1 is allowed to log on through SSH.
    sshd:192.168.2.1/24:allow # The IP address range 192.168.2.1/24 is allowed to log on through SSH.
  • Edit the /etc/hosts.deny file and add content similar to the following to deny all other IP addresses from logging on through SSH.
    sshd:ALL # Deny all SSH logons
  • When both files are configured, the rules in hosts.allow take precedence, because hosts.allow is checked first and a matching rule there grants access. With the two files configured as above, the server allows only the IP address 192.168.1.1 and the IP address range 192.168.2.1/24 to log on through SSH; all other IP addresses are denied SSH logon.
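The following is an added example, not part of the original topic and not the libwrap implementation. It reads constructed copies of the two files above and applies the hosts_access(5) search order: hosts.allow is searched first, then hosts.deny, and access is granted when neither file matches; a trailing ":allow" or ":deny" field overrides the verdict the file would otherwise give. The sample rules and client addresses are constructed for the demonstration, and the EXCEPT operator and bracketed IPv6 client forms are not handled. Note that these files only take effect when the sshd binary on the instance is linked against libwrap; OpenSSH removed built-in TCP wrapper support in version 6.7, so on distributions whose sshd no longer uses libwrap, restrict addresses with a firewall or an sshd_config Match Address block instead.

```python
"""Evaluate TCP-wrapper /etc/hosts.allow and /etc/hosts.deny rules for sshd.

Added example: mirrors the hosts_access(5) search order so the effect of the
two files can be checked for a given client address.
"""
import ipaddress

# Constructed sample files mirroring the configuration described in the topic.
SAMPLE_HOSTS_ALLOW = """
sshd:192.168.1.1:allow      # a single address
sshd:192.168.2.1/24:allow   # an address range in CIDR form
"""
SAMPLE_HOSTS_DENY = """
sshd:ALL   # deny every other SSH client
"""


def parse_access_file(text):
    """Return (daemon_list, client_list, option) tuples from hosts.allow/hosts.deny text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                           # malformed line: libwrap logs and skips it
        daemons = fields[0].split()
        clients = fields[1].split()
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def _client_matches(pattern, addr):
    """Match one client pattern: ALL, a dotted prefix, CIDR, net/mask, or exact address."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):                  # "10.1." matches every 10.1.x.y address
        return addr.startswith(pattern)
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if "." in mask:                        # n.n.n.n/m.m.m.m net/mask form
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        else:                                  # CIDR form, e.g. 192.168.2.1/24
            network = ipaddress.ip_network(pattern, strict=False)
        return ip in network
    return pattern == addr


def _daemon_matches(daemons, daemon):
    """The daemon field matches ALL or the process name (sshd for the SSH service)."""
    return any(d.upper() == "ALL" or d == daemon for d in daemons)


def tcp_wrapper_verdict(allow_text, deny_text, daemon, addr):
    """Return True if libwrap would admit addr to daemon under these two files."""
    for file_verdict, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients, option in parse_access_file(text):
            if _daemon_matches(daemons, daemon) and any(_client_matches(c, addr) for c in clients):
                if option in ("allow", "deny"):
                    return option == "allow"   # explicit option overrides the file's verdict
                return file_verdict            # first matching rule decides; search stops
    return True                                # no rule matched: access is granted by default


if __name__ == "__main__":
    for addr in ("192.168.1.1", "192.168.2.77", "203.0.113.5"):
        verdict = tcp_wrapper_verdict(SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY, "sshd", addr)
        print(f"sshd from {addr}: {'allowed' if verdict else 'denied'}")
```

Because the search stops at the first matching rule, the deny-all line in hosts.deny never shadows the specific addresses in hosts.allow, which is the precedence the topic describes.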

Applicable scope

  • Elastic Compute Service (ECS)