# tested on
uname -a
Linux debian 3.16.0-4-686-pae #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) i686 GNU/Linux
ssh -V
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016

vim /etc/ssh/sshd_config; # open up ssh server config file

AllowUsers user1 user2 user3 # this would allow user1, user2 and user3 to login from ANY host/ip address
AllowUsers user1@172.20.0.7 user2@172.20.0.28 user2@172.20.0.33 # this would allow user1 ONLY to login from 0.7, user2 ONLY from 0.28 and user3 ONLY from 0.33
DebianBanner no # while you are on it - turn off that Debian-OS version info during ssh login attempts
# a little bit more security
# but SSH-Version info is still shown (it is required for clients to chose protocols)
# super-hackers may have other ways to determine which OS and ssh version your server is using

/etc/init.d/ssh restart; # do not forget to restart the service or the changes won't be applied immediately
[ ok . Restarting ssh (via systemctl): ssh.service

# if somebody who is on a "NotAllowed" host tries to login, this will show up in

tail -f /var/log/auth.log
May 5 11:48:07 debian sshd[2246]: reverse mapping checking getaddrinfo for suse.domainname.local [172.20.0.25] failed - POSSIBLE BREAK-IN ATTEMPT!
May 5 11:48:07 debian sshd[2246]: User user from 172.20.0.25 not allowed because not listed in AllowUsers
May 5 11:48:07 debian sshd[2246]: input_userauth_request: invalid user user [preauth]
May 5 11:48:08 debian sshd[2246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.0.25 user=user
May 5 11:48:10 debian sshd[2246]: Failed password for invalid user user from 172.20.0.25 port 40820 ssh2

# btw you won't even be allowed to do ssh logins from localhost

ssh user@localhost
user@localhost's password:
Permission denied, please try again.

inted (replaced by xinetd (replaced by netfilter and iptables))

has nothing to do with ssh… except that it is another form of access-control. just in case if you wonder why you can’t access your server.

hosts_access.man.txt

/etc/hosts.allow

/etc/hosts.deny

hosts.allow overrides hosts.deny.

so if a host is listed in hosts.allow

The example below allows shows some of the possible ways to configure the hosts.allow file.

	portmap : localhost : allow
	portmap : 10. : allow
	portmap : .insecure.net : allow
	portmap : ALL : deny
	
	sshd : ALL : allow
	sshd : bad.host : deny
	sshd : 88.4.2. : deny (1)
	
	ALL : ALL : deny

(src)

Links:

LPIC-1 102 110.2 Setup host security

see more here: http://dwaves.de/2017/05/04/linux-security-config-hosts-deny-hosts-allow/

http://dwaves.de/2017/06/08/lpic-1-102-110-2-setup-host-security/

http://dwaves.de/2017/05/05/linux-bash-config-ssh-to-allow-only-login-from-specific-usersspecific-hosts-sshd-allowusers/

admin