Secure SSH access using hosts.allow

Securing SSH access using /etc/hosts.allow is a useful method to control which hosts are allowed to connect to your SSH server. Here’s how you can set it up:

Open /etc/hosts.allow: Use a text editor like nano or vi to open the /etc/hosts.allow file:

sudo nano /etc/hosts.allow

Allow Specific Hosts or Networks: In the hosts.allow file, you can specify which hosts or networks are allowed to connect to your SSH server. You can use IP addresses, domain names, or network ranges. The format is:

sshd: <IP address, domain name, or network range>

For example, to allow connections only from a specific IP address:

sshd: 192.168.1.100

To allow connections from a specific network range:

sshd: 192.168.1.0/24

Deny All Others (Optional): By default, if a host is not explicitly allowed in hosts.allow, it will be denied access. However, if you want to explicitly deny access to all hosts except those specified in hosts.allow, you can add the following line to /etc/hosts.deny:

sshd: ALL

This line tells the SSH daemon to deny all connections from any host not explicitly allowed in hosts.allow.

Save and Close the File: After making changes, save and close the /etc/hosts.allow file.

Restart SSH Service: Restart the SSH service for changes to take effect:

sudo systemctl restart sshd


After completing these steps, only the hosts or networks specified in /etc/hosts.allow will be allowed to connect to your SSH server. To avoid locking yourself out, make sure at least one entry allows your own access. Additionally, always test your configuration before logging out of the current session to avoid unintended lockouts.
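
The Python sketch below is an added example, not part of the original article. It models the decision order documented in hosts_access(5) (a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted) for the entries shown above, so you can check which client addresses get through with and without the hosts.deny line. It assumes an sshd built with TCP wrappers (libwrap) support and handles IPv4 patterns only; the function names and the 203.0.113.9 test address are made up for the illustration.

```python
import ipaddress

def clients_for(text, daemon="sshd"):
    """Collect client patterns from rules whose daemon list names `daemon` or ALL."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # ignore an optional third field
        if {daemon, "ALL"} & set(daemons.replace(",", " ").split()):
            found += clients.replace(",", " ").split()
    return found

def matches(pattern, ip):
    """IPv4-only matching: ALL, exact address, net/prefix, net/mask, 'a.b.c.' prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostnames need DNS lookups; not modelled in this sketch

def decide(ip, allow_text, deny_text, daemon="sshd"):
    """Apply the order: allow match grants, deny match refuses, no match grants."""
    if any(matches(p, ip) for p in clients_for(allow_text, daemon)):
        return "allow (hosts.allow)"
    if any(matches(p, ip) for p in clients_for(deny_text, daemon)):
        return "deny (hosts.deny)"
    return "allow (no rule matched)"

# Constructed sample files using the entries shown on this page.
HOSTS_ALLOW = "sshd: 192.168.1.100\nsshd: 192.168.1.0/24\n"
HOSTS_DENY = "sshd: ALL\n"

if __name__ == "__main__":
    for ip in ("192.168.1.100", "192.168.1.57", "203.0.113.9"):
        print(ip, "with hosts.deny:   ", decide(ip, HOSTS_ALLOW, HOSTS_DENY))
        print(ip, "without hosts.deny:", decide(ip, HOSTS_ALLOW, ""))
```

Replace the two sample strings with the contents of your own files and add the address you administer from to the loop before closing your current session.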