Last Updated: February 25, 2016
· codebison

Limit ssh access by IP address

To limit ssh access to a linux box based on originating IP address, edit /etc/hosts.allow:

sshd : localhost : allow
sshd : 192.168.0. : allow
sshd : : allow
sshd : : allow
sshd : ALL : deny

The above entry will allow ssh access from localhost, the 192.168.0.x subnet, the single IP address, and (assuming has a ptr record in place to facilitate reverse lookup). All other IP addresses will be denied access to sshd.


  • You can allow or deny based on ip address, subnet, or hostname.
  • List rules in order of most to least specific. The file only gets read until a matching line is found, so if you start with ssdh : ALL : deny, no ssh connections will be allowed.
  • You can control access to other tcp wrapped services as well - see the hosts.allow man page for details: