Restrict SSH Access Using tcpd (TCPWrapper) on Linux or Unix

by Posted on

How do I use tcpd on a Linux to restrict ssh access?

The tcpd is use to access control facility for internet services. The tcpd program can be set up to monitor incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, sshd and other services that have a one-to-one mapping onto executable files. Your sshd server must be configuring (compiled with) to support tcpd. You can find out tcpd (tcpwrapper) support easily with the following command:
# strings $(which sshd)| grep libwrap
Sample outputs:

libwrap.so.0
libwrap refuse returns

If you see libwrap as output (as shown above) then you can use tcpd as follows to monitor incoming ssh requests.

Configuration

Open or edit file /etc/hosts.deny using a text editor such as vi. This file lists hosts or IPs that are not allowed to access the system. In this example, you will block sshd server TCP port 22 for selected IPs.

Examples

Let us say you would like to deny access to IPs 202.54.1.20 64.66.44.22 64.66.44.25:
# vi /etc/hosts.deny
Add/append the following line:

sshd: 202.54.1.20 64.66.44.22 64.66.44.25

Save and close the file. Next, make sure your rules are correct and run syntax check using the following command:
# tcpdchk -v
Sample outputs:

Using network configuration file: /etc/inetd.conf

>>> Rule /etc/hosts.deny line 20:
daemons:  sshd
clients:  202.54.1.20 64.66.44.22 64.66.44.25
access:   denied
See also:

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Published by SXI ADMIN