How to Restrict SSH Access to Local Networks on Linux

SSH (Secure Shell) is a popular tool that allows users to connect to remote systems securely over a network. By default, SSH is accessible from any network as long as the appropriate firewall and network settings are in place.

However, sometimes you may want to restrict SSH access to only your local network for security reasons. This is especially useful in a home or office environment where you don’t want external access to your system over the internet.

In this article, we will go through the steps on how to restrict SSH access to the local network on Linux using firewall rules and SSH configurations. We will explain each step in simple terms to ensure that even a beginner can follow along.

Why Restrict SSH to the Local Network?

Restricting SSH access to only the local network can reduce the risk of unauthorized access to your system.

Here are some reasons why you may want to do this:

  • Security: Limiting access to SSH from outside networks prevents attackers from scanning or trying to brute-force your server over the internet.
  • Controlled Access: If you have multiple devices connected to the same local network, you can still manage the system without exposing it to external threats.
  • Simplicity: With local access only, you won’t need to worry about configuring extra layers of security for external access.

Understanding the Local Network

Before you start, it’s important to understand what is meant by “local network”. A local network is a group of devices connected within the same physical or wireless network, such as your home Wi-Fi or office network.

These devices share the same internal IP address range, such as 192.168.x.x or 10.0.x.x, while external devices (those on the internet) will have different IP ranges.

Step 1: Check Your Linux Local IP Address Range

To know your local network range, you first need to determine your device’s IP address using the following ip command, which will display your IP address and network information.

ip a


You’ll see information about the network interfaces. Look for something like 192.168.x.x or 10.0.x.x, which will tell you your local IP address.

Usually, your local IP address will be in one of these private ranges:

192.168.x.x
10.0.x.x
172.16.x.x to 172.31.x.x

For example, if your IP address is 192.168.122.63, your local network range is likely 192.168.1.0/24, which means all devices with IPs in the 192.168.1.x range are on the same local network.
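The subnet you put into the firewall rules has to be the one your interface really sits in, and it follows directly from the ADDRESS/PREFIX value that ip prints: 192.168.122.63/24 belongs to 192.168.122.0/24. The script below is an added example, not part of the original article, that derives that network for every private address it finds. The function names and SAMPLE_IP_OUTPUT are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the LAN subnet (CIDR) from `ip -o -4 addr show` output.
# SAMPLE_IP_OUTPUT is constructed for illustration, not captured from a real host.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo
2: enp1s0    inet 192.168.122.63/24 brd 192.168.122.255 scope global dynamic enp1s0'

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_network ADDR/PREFIX -> NETWORK/PREFIX (host bits cleared).
cidr_network() {
    addr=${1%/*}
    prefix=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    echo "$(int_to_ip $(( $(ip_to_int "$addr") & mask )))/$prefix"
}

# in_cidr ADDR NETWORK/PREFIX -> exit status 0 when ADDR lies inside the network.
in_cidr() {
    [ "$(cidr_network "$1/${2#*/}")" = "$(cidr_network "$2")" ]
}

# RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
is_private() {
    for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_cidr "$1" "$range"; then return 0; fi
    done
    return 1
}

# Print the subnet of every private IPv4 address in the given `ip -o -4` output.
lan_subnets() {
    printf '%s\n' "$1" | awk '$3 == "inet" { print $4 }' | while read -r cidr; do
        if is_private "${cidr%/*}"; then cidr_network "$cidr"; fi
    done
}

# On a live host: lan_subnets "$(ip -o -4 addr show)"
lan_subnets "$SAMPLE_IP_OUTPUT"   # -> 192.168.122.0/24
```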

Step 2: Configure SSH to Listen Only on Local Addresses

By default, SSH listens on all available network interfaces. We will change it to listen only on the machine’s local network address. Open the SSH daemon configuration file:

sudo nano /etc/ssh/sshd_config

Find the line with #ListenAddress and uncomment it (remove the # at the start). Set it to your local IP address.

For example, if your local IP is 192.168.122.63, update the file as follows:

ListenAddress 192.168.122.63

Restart the SSH service for the changes to take effect. The service is named ssh on Debian and Ubuntu, and sshd on most other distributions.

sudo systemctl restart ssh
# or
sudo systemctl restart sshd

Now, your SSH server will only listen on your local IP address. If you try to connect to any other address of the system, such as its external IP, the connection will be refused.

Step 3: Restrict SSH with Firewall Rules

While configuring the SSH daemon to listen only on local addresses is helpful, you can add an extra layer of security by setting up firewall rules. These ensure that only devices on your local network can connect via SSH, even if someone tries to access your system using your external IP.

Using UFW (Uncomplicated Firewall)

If you are using UFW, the default firewall on many Linux distributions like Ubuntu, use the following commands. They allow SSH connections only from your local network, such as IP addresses within the 192.168.1.x range, deny SSH connections from other networks, then reload the firewall and show its status.

sudo ufw allow from 192.168.1.0/24 to any port 22
sudo ufw deny 22
sudo ufw reload
sudo ufw status

Using Firewalld

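To restrict SSH to the local network on Linux using Firewalld, use the following commands.

They allow SSH access from your local network, such as IP addresses within the 192.168.1.x range, and remove the general ssh service from the zone so that SSH connections from other networks are no longer accepted (the default public zone rejects them). Firewalld evaluates drop and reject rich rules before accept rules of the same priority, so a blanket drop rule for port 22 would block the local network as well; removing the service avoids that. Be sure to reload the firewall and check its status.

# Accept SSH only from the local subnet
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="22" accept'
# Stop accepting SSH from everywhere else (a port-22 drop rich rule would override the accept above)
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
sudo firewall-cmd --list-all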

Using iptables

If you are not using UFW or Firewalld, you can use iptables to set up similar rules.

sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo iptables -L

Now, SSH access is only permitted from local devices within your network range.

Step 4: Test Your Configuration

After configuring SSH and the firewall, it’s time to test the setup to ensure everything works as expected.

From a device on your local network, try to connect to the server using SSH:

ssh <username>@<server-local-ip>

If you have access to an external network (for example, using mobile data or a VPN), try to connect to the system’s external IP. The connection should be blocked or refused.

Additional Tips

Here are some additional tips for restricting SSH to the local network:

  • Static IP: It’s a good idea to set a static IP address for the device you want to SSH into, especially if you are configuring firewall rules based on the local IP range. A static address prevents your IP from changing if the router restarts.
  • VPN Access: If you need remote access from an external network, consider setting up a VPN. It lets you connect to your local network securely over the internet, while SSH remains accessible only within the local network.
  • Monitor Logs: Always monitor your SSH logs for any unauthorized access attempts.

You can check the logs using the tail command:

sudo tail -f /var/log/auth.log
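Once the restriction is working, no sshd log line should carry a source address outside your LAN, which gives you a precise thing to look for in the log. The script below is an added example, not part of the original article, that counts accepted and failed logins per outside source. The function name outside_lan and the sample log lines are constructed for illustration, and only IPv4 sources are handled.

```shell
#!/bin/sh
# Added example: list sshd logins whose source address is outside the LAN.
# SAMPLE_AUTH_LOG is constructed for illustration (documentation address ranges
# plus the 192.168.1.0/24 LAN used in the firewall rules above).
SAMPLE_AUTH_LOG='Mar  3 10:15:01 host sshd[1201]: Accepted password for alice from 192.168.1.20 port 50122 ssh2
Mar  3 10:17:44 host sshd[1210]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar  3 10:17:49 host sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 40030 ssh2
Mar  3 10:20:12 host sshd[1222]: Accepted publickey for bob from 198.51.100.9 port 51234 ssh2
Mar  3 10:21:30 host sshd[1230]: Failed password for alice from 192.168.1.20 port 50140 ssh2'

# outside_lan NETWORK/PREFIX < auth.log
# Prints "COUNT RESULT SOURCE_IP" for every IPv4 source outside NETWORK/PREFIX.
outside_lan() {
    awk -v lan="$1" '
    # Dotted quad -> integer with plain arithmetic (POSIX awk has no bit operators).
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(lan, p, "/")
        size = 2 ^ (32 - p[2])            # number of addresses in the LAN block
        net = int(ip2int(p[1]) / size)    # index of the LAN block
    }
    /sshd\[[0-9]+\]: (Accepted|Failed) / {
        src = ""
        # Use the address after the LAST "from"; a logged username may contain the word.
        for (i = 1; i < NF; i++) if ($i == "from") src = $(i + 1)
        res = ($0 ~ /\]: Accepted /) ? "Accepted" : "Failed"
        if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && int(ip2int(src) / size) != net)
            hits[res " " src]++
    }
    END { for (k in hits) print hits[k], k }' | sort
}

# On a live system: sudo cat /var/log/auth.log | outside_lan 192.168.1.0/24
printf '%s\n' "$SAMPLE_AUTH_LOG" | outside_lan 192.168.1.0/24
```

Any "Accepted" line in the output means a login succeeded from outside the LAN, and any "Failed" line means outside traffic is still reaching sshd.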

Conclusion

Restricting SSH access to the local network is a simple yet effective way to enhance the security of your Linux system. By following the steps in this guide, you can prevent external access to your SSH server while maintaining local access for management and administrative tasks.

With firewall rules and proper configuration, you can ensure that only trusted devices within your local network can connect via SSH, reducing the risk of unauthorized access.
