How to Restrict SSH Access by IP Address in Debian 12 Bookworm

Learn how to restrict SSH access to specific IP addresses in Debian 12 Bookworm.

Securing SSH (Secure Shell) access is a critical aspect of managing a Linux server, especially in production. One effective hardening measure is to restrict SSH access to specific IP addresses: connection attempts from any other source are refused before they reach authentication, which reduces exposure to brute-force attacks and other threats against the login process.

In this guide, we will walk through the steps to restrict SSH access by IP address in Debian 12 Bookworm.

Prerequisites

Before proceeding, ensure that:

  • You have sudo or root privileges.
  • Your system is running Debian 12 Bookworm.
  • You have SSH access to the server.
  • You know the IP addresses that should be allowed access.

Step 1: Check Your Current SSH Configuration

First, check your existing SSH configuration file to ensure you understand the current setup. The SSH configuration file is located at /etc/ssh/sshd_config.

To view the file, use the following command:

sudo cat /etc/ssh/sshd_config

Look for the ListenAddress, PermitRootLogin, and AllowUsers or AllowGroups directives. If they exist, take note of their values, as they will affect how you configure SSH access restrictions. Also check any files under /etc/ssh/sshd_config.d/, which the default Debian 12 configuration includes at the top of sshd_config; for most directives sshd uses the first value it encounters, so a setting there takes precedence over a later one in the main file.

Step 2: Restrict SSH Access Using AllowUsers or AllowGroups

One of the simplest ways to restrict SSH access is to use the AllowUsers or AllowGroups directive in the SSH configuration file.

Restrict Access by Specific Users

Open the SSH configuration file in a text editor:

sudo nano /etc/ssh/sshd_config

Add the following line at the end of the file, replacing your_user with the actual username and your_allowed_ip with the IP address that should have access:

AllowUsers your_user@your_allowed_ip

If you have multiple users, you can separate them with spaces:

AllowUsers user1@192.168.1.100 user2@203.0.113.50

Restrict Access by Groups

If you prefer to restrict access based on groups, use the AllowGroups directive:

AllowGroups sshgroup

Then add only the users who should have SSH access to that group. Note that AllowGroups matches on group membership alone; unlike AllowUsers it does not accept a host part, so to tie group members to particular source addresses combine it with AllowUsers entries or with the firewall rules in the later steps.

Save the file and exit the editor (CTRL + X, then Y, then Enter).

Restart the SSH service to apply the changes:

sudo systemctl restart ssh
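Before restarting, it is worth confirming that the patterns you wrote still admit the address you are connecting from. The following Python script is an added example, not part of the original guide: it reproduces sshd's documented AllowUsers/DenyUsers matching (USER@HOST patterns, glob and CIDR host parts, DenyUsers evaluated first) against a constructed sshd_config fragment and reports whether the user of the current session, taken from the first field of SSH_CONNECTION, would still be admitted. It checks the client IP only (not the reverse-resolved hostname), ignores Match blocks, and does not model the group directives.

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragment (not a real file): the guide's entries plus CIDR, glob and DenyUsers.
SAMPLE_CONFIG = """\
AllowUsers user1@192.168.1.100 user2@203.0.113.50
AllowUsers ops@10.20.0.0/16 audit@192.168.1.*
DenyUsers audit@192.168.1.250
"""

def parse_user_patterns(config_text):
    """AllowUsers/DenyUsers patterns (case-insensitive, repeatable, '=' allowed); stops at a Match block."""
    allow, deny = [], []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1]
        if keyword == "match":
            break
        if keyword == "allowusers":
            allow.extend(value.split())
        elif keyword == "denyusers":
            deny.extend(value.split())
    return allow, deny

def host_matches(host_pat, ip):
    """HOST part of a pattern: CIDR block or glob, checked against the client IP only."""
    if "/" in host_pat:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(host_pat, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(ip, host_pat)

def pattern_matches(pattern, user, ip):
    """USER or USER@HOST pattern: both halves must match."""
    user_pat, _, host_pat = pattern.partition("@")
    return fnmatch.fnmatchcase(user, user_pat) and (not host_pat or host_matches(host_pat, ip))

def login_allowed(config_text, user, ip):
    """A DenyUsers match refuses; if AllowUsers is set, at least one pattern must match."""
    allow, deny = parse_user_patterns(config_text)
    if any(pattern_matches(p, user, ip) for p in deny):
        return False
    return not allow or any(pattern_matches(p, user, ip) for p in allow)

def lockout_risk(config_text, ssh_connection, user):
    """Would the current session's user (SSH_CONNECTION: 'client_ip port server_ip port') be refused?"""
    return not login_allowed(config_text, user, ssh_connection.split()[0])
```

Run it as lockout_risk(open("/etc/ssh/sshd_config").read(), os.environ["SSH_CONNECTION"], getpass.getuser()) from the session you want to keep; a True result means the restart would lock that session's user out.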

Step 3: Restrict SSH Access Using TCP Wrappers

TCP Wrappers provide another method to restrict SSH access by IP. Note that the openssh-server package in Debian 12 is built without libwrap support, so sshd itself does not consult /etc/hosts.allow and /etc/hosts.deny; these files only affect programs linked against libwrap or run through tcpd. Treat this step as a legacy method and rely on the firewall rules in the following steps for enforcement.

Edit the /etc/hosts.allow file:

sudo nano /etc/hosts.allow

Add the following line:

sshd: 192.168.1.100 203.0.113.50

This allows only the specified IP addresses to connect via SSH.

Next, edit the /etc/hosts.deny file to deny all other SSH connections:

sudo nano /etc/hosts.deny

Add this line:

sshd: ALL

Save the changes and restart the SSH service:

sudo systemctl restart ssh

Step 4: Restrict SSH Access Using UFW (Uncomplicated Firewall)

If you are using UFW, you can restrict SSH access by allowing only specific IP addresses.

First, enable UFW if it is not already enabled. Its default policy blocks new incoming connections, so if you are working over SSH, add the allow rules below before closing your current session:

sudo ufw enable

Allow SSH access from specific IP addresses:

sudo ufw allow from 192.168.1.100 to any port 22
sudo ufw allow from 203.0.113.50 to any port 22

Deny SSH access from all other IPs. UFW evaluates rules in the order they were added, so this rule must come after the allow rules above:

sudo ufw deny 22/tcp

Check the UFW rules:

sudo ufw status

The rules take effect as soon as they are added; restarting UFW reloads them from its saved rule files:

sudo systemctl restart ufw

Step 5: Restrict SSH Access Using iptables

If you prefer using iptables, you can achieve the same restriction with the following commands. They apply to IPv4 only; if the server is also reachable over IPv6, equivalent ip6tables rules are needed.

First, allow SSH access from specific IPs:

sudo iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 203.0.113.50 --dport 22 -j ACCEPT

Then, block SSH access from all other IPs. Because -A appends to the end of the INPUT chain, make sure no earlier rule in the chain already accepts port 22:

sudo iptables -A INPUT -p tcp --dport 22 -j DROP

Save the iptables rules so they survive a reboot (the /etc/iptables/rules.v4 file and the netfilter-persistent service used below are provided by the iptables-persistent package, so install it first if it is missing):

sudo iptables-save | sudo tee /etc/iptables/rules.v4

Restart the firewall service to apply the changes:

sudo systemctl restart netfilter-persistent

Step 6: Test the Configuration

Once you have restricted SSH access, test it by attempting to connect from an allowed IP and from a blocked IP, keeping your existing session open until the allowed connection succeeds. Run:

ssh your_user@your_server_ip

If you have configured everything correctly, only the specified IPs should be able to connect.

Conclusion

By restricting SSH access by IP address in Debian 12 Bookworm, you significantly enhance the security of your server. Using methods such as AllowUsers, TCP Wrappers, UFW, and iptables, you can control who has access and reduce the risk of unauthorized login attempts. Always test your configuration carefully to avoid locking yourself out of the system. If needed, consider using an out-of-band management system or physical access to regain control in case of misconfiguration.