How would I make it so that you can only SSH into a box if you are on the same local network as it?

didymus

I'm not 100% sure if this can be done, but I imagine it has to be possible. I'm just not sure why I've never encountered it being set up like this. Maybe I'm just inexperienced. Please enlighten me. I'm having trouble searching for this.

Thank you
 


Edit your sshd_config (this is normally in /etc/ssh):

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Change this line to whatever subnet you are on.

ListenAddress 192.168.1.0
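An added example of the ListenAddress approach, not the poster's configuration and not from OpenSSH's own documentation, with one caveat a practitioner should know first: ListenAddress takes an address sshd can bind to (or a hostname), not a subnet, so the line to use is the host's own LAN address. Binding there only decides which interface answers; to also say who may log in, AllowUsers accepts a USER@HOST pattern whose host part may be CIDR. The host address 192.168.1.10, the subnet 192.168.1.0/24 and the drop-in path are assumptions; the drop-in directory is only read where sshd_config carries Include /etc/ssh/sshd_config.d/*.conf (OpenSSH 8.2 or later), otherwise put the same lines in sshd_config itself. ListenAddress lines accumulate across files rather than replacing each other, so remove any other one.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: this host's LAN address is
# 192.168.1.10, the LAN is 192.168.1.0/24, and sshd_config carries
# "Include /etc/ssh/sshd_config.d/*.conf" (OpenSSH 8.2 or later).
set -eu

LAN_IP="${LAN_IP:-192.168.1.10}"        # the host's own address, not the subnet
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # who may log in
DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/10-lan-only.conf}"

# Print the drop-in. ListenAddress needs an address sshd can bind(); the
# network address 192.168.1.0 is not one. Binding decides which interface
# answers; AllowUsers with a CIDR host part decides which clients may log in.
lan_only_sshd_config() {
    cat <<EOF
# Listen only on the LAN interface (host address, not subnet). Remove any
# other ListenAddress line: they add up, they do not replace each other.
ListenAddress $1
# No root logins.
PermitRootLogin no
# Any user, but only from the LAN prefix (USER@HOST, HOST may be CIDR).
AllowUsers *@$2
EOF
}

# Write the drop-in, then have sshd parse the complete configuration before
# reloading: a typo found at restart time is how you lock yourself out.
install_lan_only_config() {
    lan_only_sshd_config "$LAN_IP" "$LAN_NET" > "$DROPIN"
    sshd -t
    echo "config parses; reload with: systemctl reload ssh   (or sshd)"
}

# After the reload, confirm the effective values (sshd -T needs root).
show_effective() {
    sshd -T | grep -E '^(listenaddress|permitrootlogin|allowusers) '
}

case "${1:-print}" in
    install) install_lan_only_config && show_effective ;;
    *)       lan_only_sshd_config "$LAN_IP" "$LAN_NET" ;;
esac
```

Run it without arguments to see the drop-in, and `install` as root to write it and parse-check the whole configuration. Keep an existing SSH session open while you reload, and test the new policy from a second connection before closing it.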
 
If you are talking about your own local home LAN, you should be fine, because for an external internet source to get to your SSH port on a machine on your home LAN you would need to set up port forwarding in your ISP router. Getting to your question: if you only want certain IP addresses on your local home LAN to be able to access the SSH port of a certain system, you can set up firewall rules that only allow those specific IP addresses to access the SSH port. Another way of doing it would be to do what @dos2unix mentioned; there are usually several ways of doing something.
 
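The firewall variant from the post above, as an added example in nftables syntax (not the poster's own rules). Assumed: the LAN is 192.168.1.0/24, the only workstations that may reach port 22 are 192.168.1.20 and 192.168.1.21, and nft is available to check and load the ruleset. The functions at the end are a plain-shell mirror of the same policy so you can see which source addresses pass before loading anything; they are for reasoning, not a replacement for nft. The rule matches whatever source address a packet arrives with, so check what your router presents for a forwarded connection before trusting a LAN-only rule.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: the LAN is 192.168.1.0/24
# and only workstations 192.168.1.20 and 192.168.1.21 may reach port 22.
# Loading the rules needs nftables (nft) and root; nothing else here does.
set -eu

SSH_PORT="${SSH_PORT:-22}"
ALLOWED="${ALLOWED:-192.168.1.20, 192.168.1.21}"   # or the whole LAN: 192.168.1.0/24

# Own table so it layers over an existing ruleset without editing it. Only
# port 22 is touched; everything else keeps the chain's accept policy. IPv6
# clients hit the final drop because "ip saddr" never matches them.
ssh_ruleset() {
    cat <<EOF
table inet ssh_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        iif lo accept
        tcp dport $SSH_PORT ip saddr { $ALLOWED } accept
        tcp dport $SSH_PORT drop
    }
}
EOF
}

check_ruleset() { ssh_ruleset | nft -c -f -; }   # parse only, changes nothing
apply_ruleset() { ssh_ruleset | nft -f -; }      # root; "nft list table inet ssh_guard" to view

# Plain-shell mirror of the same policy, to reason about which source
# addresses pass before loading anything. Entries in ALLOWED may be single
# addresses or CIDR prefixes, as in the nft set above.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_prefix() {   # in_prefix 192.168.1.50 192.168.1.0/24  -> true if inside
    net="${2%/*}"
    case "$2" in */*) bits="${2#*/}" ;; *) bits=32 ;; esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

ssh_allowed_from() {   # ssh_allowed_from <source ip>
    [ "$1" = 127.0.0.1 ] && return 0                  # iif lo accept
    for entry in $(printf '%s' "$ALLOWED" | tr ',' ' '); do
        in_prefix "$1" "$entry" && return 0           # ... accept
    done
    return 1                                          # tcp dport 22 drop
}

case "${1:-}" in
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    *)     ssh_ruleset ;;
esac
```

`check` parses the ruleset without touching the kernel; `apply` loads it. With `ALLOWED=192.168.1.0/24` the mirror shows the consequence the later replies discuss: every LAN address passes, the router's own LAN address included.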
Don't know much about SSH since I don't use it, but I just bumped into this article while checking my feed, and just below (in my feed) was this thread, so I thought it might be helpful, if not with this in particular, then for something else :)
 
If you are talking about your own local home LAN, you should be fine, because for an external internet source to get to your SSH port on a machine on your home LAN you would need to set up port forwarding in your ISP router.

This is the method I use. I just don't forward the port at the router.

It's definitely the lazy method and probably not the greatest idea if there's any chance of someone malicious being on the same LAN.
 
First, allow ssh in hosts.allow from ONLY your subnet.

Edit /etc/hosts.allow and add:
sshd: 192.168.1.0/24 (or whatever your subnet is)

Then deny all for ssh in hosts.deny.

Edit /etc/hosts.deny and add:
sshd: ALL

Oh, and don't forget to disable SSH as root in your sshd_config.
 
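The tcp_wrappers method from the post above, as an added example (not the poster's files). Two things a practitioner wants to know before relying on it. First, upstream OpenSSH removed tcp_wrappers support in release 6.7, so whether your sshd reads hosts.allow at all depends on your distribution's build, and some distributions no longer ship tcp_wrappers at all; the first function checks for libwrap. Second, the lookup order: hosts.allow is searched first and its first match grants access, then hosts.deny, and no match in either file means access is granted. So `sshd: ALL` in hosts.deny with no matching allow line locks everyone out, and an allow line with no deny line restricts nobody. The files written here use the trailing-dot prefix form `192.168.1.` rather than the poster's `/24`; `192.168.1.0/255.255.255.0` is the net/mask form the original hosts_access(5) documents, and whether the short `/24` is accepted depends on your libwrap build. The /etc path and the LAN prefix are assumptions, and the small evaluator at the end understands only the ALL and trailing-dot patterns.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: the LAN is 192.168.1.0/24
# (written in the trailing-dot prefix form "192.168.1."), the daemon name sshd
# is what your sshd hands to libwrap, and ETC is where the files live.
set -eu

ETC="${ETC:-/etc}"
LAN_PREFIX="${LAN_PREFIX:-192.168.1.}"   # trailing dot: any address starting with this

# 1. Does this sshd consult hosts.allow at all? Upstream OpenSSH dropped
#    tcp_wrappers in 6.7; some distributions re-add it, some ship no
#    tcp_wrappers at all. No libwrap means the files below are ignored.
sshd_has_libwrap() {
    ldd "$(command -v sshd)" 2>/dev/null | grep -q libwrap
}

# 2. The two files. Order of evaluation: hosts.allow first, first match
#    grants; then hosts.deny, first match refuses; no match anywhere grants.
#    Hence "sshd: ALL" in hosts.deny with no matching allow line locks
#    everyone out, and an allow line with no deny line restricts nobody.
hosts_allow_content() { printf 'sshd: %s\n' "$1"; }
hosts_deny_content()  { printf 'sshd: ALL\n'; }

install_wrappers() {   # appends; look at the files first so you do not add duplicates
    hosts_allow_content "$LAN_PREFIX" >> "$ETC/hosts.allow"
    hosts_deny_content >> "$ETC/hosts.deny"
}

# 3. Verify against the real files with tcpdmatch (tcp_wrappers tools), which
#    runs the same lookup libwrap will:  tcpdmatch sshd 192.168.1.50
verify_with_tcpdmatch() {
    tcpdmatch sshd "$1" | grep -q '^access: *granted'
}

# 4. Offline mirror of that lookup order for the two client patterns used
#    above (ALL and a trailing-dot prefix); hosts_access(5) has more forms.
client_matches() {   # client_matches <client ip> <pattern>
    case "$2" in
        ALL) return 0 ;;
        *.)  case "$1" in "$2"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

file_matches() {   # file_matches <file text> <daemon> <client ip>
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemon="${line%%:*}"
        client="${line#*:}"
        client="${client# }"
        [ "$daemon" = "$2" ] || [ "$daemon" = ALL ] || continue
        client_matches "$3" "$client" && return 0
    done <<EOF
$1
EOF
    return 1
}

hosts_access_allows() {   # hosts_access_allows <allow text> <deny text> <daemon> <client ip>
    if file_matches "$1" "$3" "$4"; then return 0; fi   # hosts.allow wins
    if file_matches "$2" "$3" "$4"; then return 1; fi   # then hosts.deny
    return 0                                             # nothing matched: allowed
}

case "${1:-}" in
    check)   sshd_has_libwrap && echo "sshd links libwrap" || echo "no libwrap: hosts.allow is ignored by sshd" ;;
    install) install_wrappers ;;
    verify)  verify_with_tcpdmatch "$2" && echo granted || echo denied ;;
    *)       hosts_allow_content "$LAN_PREFIX"; hosts_deny_content ;;
esac
```

Run `check` first; if sshd does not link libwrap, use the sshd_config or firewall approach from the earlier replies instead. After `install`, `verify 192.168.1.50` and `verify 203.0.113.7` against the real files with tcpdmatch before trusting the result.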
This is the method I use. I just don't forward the port at the router.

It's definitely the lazy method and probably not the greatest idea if there's any chance of someone malicious being on the same LAN.
Port forwarding SSH is incredibly dangerous. Install a VPN (SoftEther, OpenVPN, Pritunl or something).

Besides, if you port forward SSH, the subnet blocking won't matter, because the router likely has NAT enabled. It will just appear as though they are coming from the router, which is on the subnet you likely do not want to block.
 
