Linux debian 3.16.0-4-686-pae #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) i686 GNU/Linux
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016
vim /etc/ssh/sshd_config; # open up ssh server config file
AllowUsers user1 user2 user3 # this would allow user1, user2 and user3 to login from ANY host/ip address
AllowUsers user1@x.x.0.7 user2@x.x.0.28 user3@x.x.0.33 # (x.x = your network prefix) this would allow user1 ONLY to log in from 0.7, user2 ONLY from 0.28 and user3 ONLY from 0.33
DebianBanner no # while you are on it - turn off that Debian-OS version info during ssh login attempts
# a little bit more security
# but SSH-Version info is still shown (it is required for clients to choose protocols)
# super-hackers may have other ways to determine which OS and ssh version your server is using
/etc/init.d/ssh restart; # do not forget to restart the service or the changes won't be applied immediately
[ ok ] Restarting ssh (via systemctl): ssh.service
# if somebody who is on a "NotAllowed" host tries to login, this will show up in
tail -f /var/log/auth.log
May 5 11:48:07 debian sshd: reverse mapping checking getaddrinfo for suse.domainname.local [172.20.0.25] failed - POSSIBLE BREAK-IN ATTEMPT!
May 5 11:48:07 debian sshd: User user from 172.20.0.25 not allowed because not listed in AllowUsers
May 5 11:48:07 debian sshd: input_userauth_request: invalid user user [preauth]
May 5 11:48:08 debian sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.0.25 user=user
May 5 11:48:10 debian sshd: Failed password for invalid user user from 172.20.0.25 port 40820 ssh2
# btw you won't even be allowed to do ssh logins from localhost
Permission denied, please try again.
inetd (replaced by xinetd (replaced by netfilter and iptables))
This has nothing to do with ssh… except that it is another form of access control. Just in case you wonder why you can't access your server.
hosts.allow overrides hosts.deny.
so if a host is listed in hosts.allow
The example below shows some of the possible ways to configure the hosts.allow file.
portmap : localhost : allow
portmap : 10. : allow
portmap : .insecure.net : allow
portmap : ALL : deny
sshd : ALL : allow
sshd : bad.host : deny
sshd : 88.4.2. : deny
ALL : ALL : deny
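An added example (not from the original page): a simplified Python model of how TCP Wrappers walks hosts.allow-style rules, run over the example rules above, to show which rule actually decides a connection. It assumes the first matching rule wins, as hosts_access(5) describes, and handles only the pattern forms used in the example; the function names parse, client_matches, decide and shadowed are made up here.

```python
# Added example: simplified first-match model of the hosts.allow rules on this page.
RULES = """\
portmap : localhost : allow
portmap : 10. : allow
portmap : .insecure.net : allow
portmap : ALL : deny
sshd : ALL : allow
sshd : bad.host : deny
sshd : 88.4.2. : deny
ALL : ALL : deny
"""

def parse(text):
    """Return (daemon, client_pattern, action) tuples, one per rule line."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [tuple(f.strip() for f in l.split(":")) for l in lines if l]

def client_matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # host name suffix, e.g. .insecure.net
        return host.endswith(pattern)
    if pattern.endswith("."):            # address prefix, e.g. 10.
        return addr.startswith(pattern)
    return pattern in (host, addr)       # exact host name or address

def decide(rules, daemon, host, addr):
    """Return (action, rule_index) of the first rule that matches."""
    for i, (d, pattern, action) in enumerate(rules):
        if d in ("ALL", daemon) and client_matches(pattern, host, addr):
            return action, i
    return "allow", None                 # nothing matched: access is granted

def shadowed(rules):
    """Indexes of rules placed after a catch-all (ALL clients) for their daemon."""
    dead, covered = [], set()
    for i, (d, pattern, _) in enumerate(rules):
        if d in covered or "ALL" in covered:
            dead.append(i)
        if pattern == "ALL":
            covered.add(d)
    return dead

if __name__ == "__main__":
    rules = parse(RULES)
    print(decide(rules, "sshd", "bad.host", "88.4.2.9"))
    print([" : ".join(rules[i]) for i in shadowed(rules)])
```

In this model the two sshd deny rules are reported as unreachable because sshd : ALL : allow comes before them; listing them above that line makes them take effect.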