How would I make it so that you can only SSH into a box if you are on the same local network as it?

didymus

New Member
Credits
33
I'm not 100% sure if this can be done, but I imagine it has to be possible. I'm just not sure why I've never encountered it being set up like this. Maybe I'm just inexperienced. Please enlighten me. I'm having trouble searching about this.

Thank you
 


dos2unix

Well-Known Member
Credits
4,311
Edit your sshd_config (this is normally in /etc/ssh).

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Change this line to whatever subnet you are on.

ListenAddress 192.168.1.0
 

f33dm3bits

Gold Member
Gold Supporter
Credits
24,128
If you are talking about your own local home LAN, you should be fine, because for an external internet source to get to your SSH port on a machine on your home LAN you would need to set up port forwarding in your ISP router. Getting to your question, if you only want certain IP addresses on your local home LAN to be able to access the SSH port of a certain system, you can set up firewall rules that only allow those specific IP addresses to access the SSH port. And another way of doing it would be to do what @dos2unix mentioned; there are usually several ways of doing something.
 

Tolkem

Well-Known Member
Credits
8,314
Don't know much about SSH since I don't use it, but I just bumped into this article while checking my feed, and just below (in my feed) was this thread, so I thought it might be helpful, if not with this in particular, then for something else :)
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
25,834
If you are talking about your own local home LAN, you should be fine, because for an external internet source to get to your SSH port on a machine on your home LAN you would need to set up port forwarding in your ISP router.
This is the method I use. I just don't forward the port at the router.

It's definitely the lazy method and probably not the greatest idea if there's any chance of someone malicious being on the same LAN.
 

dcbrown73

Well-Known Member
Credits
2,819
First, allow ssh in hosts.allow from ONLY your subnet.

Edit /etc/hosts.allow and add:
sshd: 192.168.1.0/24 (or whatever your subnet is)

Then deny all for ssh in hosts.deny.

Edit /etc/hosts.deny and add:
sshd: ALL

Oh, and don't forget to disable SSH login as root in your sshd_config.
 

dcbrown73

Well-Known Member
Credits
2,819
This is the method I use. I just don't forward the port at the router.

It's definitely the lazy method and probably not the greatest idea if there's any chance of someone malicious being on the same LAN.
Port forwarding SSH is incredibly dangerous. Install a VPN (SoftEther, OpenVPN, Pritunl or something).

Besides, if you port forward SSH, the subnet blocking won't matter because the router likely has NAT enabled. It will just appear as though they are coming from the router, which is on the subnet you likely do not want to block.
 
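Whichever of the above you use (ListenAddress, firewall rules, or hosts.allow/hosts.deny), the auth log is where you confirm it actually held, and dcbrown73's NAT point means a login that appears to come from the router's own address deserves a second look. The script below is an added example, not code from this thread; it assumes the 192.168.1.0/24 subnet used above and a router at 192.168.1.1, and runs over constructed sshd log lines.

```python
import ipaddress
import re

# Constructed sample lines in the format sshd writes to auth.log / the journal.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 box sshd[1201]: Accepted publickey for alice from 192.168.1.25 port 50122 ssh2: ED25519 SHA256:abc
Mar 10 08:03:40 box sshd[1210]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar 10 08:05:02 box sshd[1222]: Accepted password for bob from 192.168.1.1 port 39011 ssh2
Mar 10 08:06:55 box sshd[1230]: Failed password for invalid user admin from 198.51.100.9 port 55900 ssh2
"""

LAN = ipaddress.ip_network("192.168.1.0/24")   # the subnet the thread uses as its example
GATEWAY = ipaddress.ip_address("192.168.1.1")  # assumed ISP router address; NAT hides the real source

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

def classify(ip_str, lan=LAN, gateway=GATEWAY):
    """Return 'lan', 'gateway' (a LAN address that may really be a NAT'd forward) or 'external'."""
    ip = ipaddress.ip_address(ip_str)
    if ip == gateway:
        return "gateway"
    if ip in lan:
        return "lan"
    return "external"

def audit(log_text, lan=LAN, gateway=GATEWAY):
    """Parse sshd auth lines and return (result, user, ip, verdict) tuples for every
    attempt that did not come from an ordinary LAN host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        verdict = classify(m["ip"], lan, gateway)
        if verdict != "lan":
            findings.append((m["result"], m["user"], m["ip"], verdict))
    return findings

if __name__ == "__main__":
    for result, user, ip, verdict in audit(SAMPLE_AUTH_LOG):
        print(f"{verdict:8} {result:8} user={user} from {ip}")
```

Any "external" hit means the restriction is not doing its job; a "gateway" hit is worth checking against the router's port-forwarding table before trusting it as a LAN login.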