Locking down SSH to specific IPs


There are some creative and fun ways people secure SSH, or any other service running on an open port. At a previous company they sent a specially-crafted UDP packet containing a nonce to knock on a server, which would temporarily add their IP address to the firewall and permit them access.

My favourite way, in part because it’s so easy, is to lock down access to specific hard-coded IPs or ranges. I have static IPs at home and work, so this is easy. Otherwise you could permit just your ISP’s range, using a firewall such as ipfw.

The primary risk of this approach is that you can lock yourself out if one or more of your IP addresses change. If you use a good cloud provider like an OrionVM reseller (nudge cough) you can use the out-of-band console to connect and add another IP. For other clouds, you’d need to implement something closer to the port-knocking approach above.
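The two paragraphs above describe the allow-list idea and the lock-out risk. The script below is an added example, not code from the post: it generates an ipfw ruleset that permits SSH only from a constructed sample allow-list, denies everyone else, and schedules a timed rollback so a typo in the allow-list only locks you out for a few minutes rather than until you reach an out-of-band console. It assumes ipfw is the active firewall, sshd listens on TCP 22, rule numbers from 1000 upwards are unused, and the prefixes shown are placeholders from the documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post): lock sshd behind an ipfw
# allow-list with a timed rollback. Assumptions: ipfw is in use, sshd is on
# TCP 22, rule numbers 1000+ are free, and ALLOWED holds constructed sample
# prefixes from the documentation ranges rather than real addresses.
ALLOWED="203.0.113.0/24 198.51.100.7"   # constructed sample allow-list
SSH_PORT=22
ROLLBACK_SECS=300                       # auto-undo window in case of lock-out
IPFW=${IPFW:-ipfw}                      # set IPFW=echo for a dry run

# Emit one stateful allow rule per trusted prefix, then a deny for every
# other inbound connection to the SSH port. ipfw is first-match, so the
# deny is numbered after the allows.
gen_ssh_rules() {
    allowed=$1; port=$2; n=1000
    for prefix in $allowed; do
        echo "add $n allow tcp from $prefix to me $port in setup keep-state"
        n=$((n + 1))
    done
    echo "add $n deny tcp from any to me $port in"
}

# The rule numbers gen_ssh_rules used: one per prefix plus the final deny.
rule_numbers() {
    allowed=$1; n=1000
    for prefix in $allowed; do
        printf '%s ' "$n"
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Apply the rules, then schedule their removal. If the allow-list was wrong
# you regain access after ROLLBACK_SECS; once you have confirmed you can
# still log in, re-run with ROLLBACK_SECS=0 to make the change permanent.
apply_ssh_rules() {
    gen_ssh_rules "$ALLOWED" "$SSH_PORT" | while read -r rule; do
        # shellcheck disable=SC2086
        $IPFW -q $rule
    done
    if [ "$ROLLBACK_SECS" -gt 0 ]; then
        nums=$(rule_numbers "$ALLOWED")
        nohup sh -c "sleep $ROLLBACK_SECS; $IPFW -q delete $nums" \
            >/dev/null 2>&1 &
    fi
}

# Only touch the firewall when explicitly asked, so the file can be sourced
# for inspection: SSH_LOCK_APPLY=1 sh ssh-allowlist.sh
if [ "${SSH_LOCK_APPLY:-}" = "1" ]; then
    apply_ssh_rules
    $IPFW list | grep " $SSH_PORT "       # confirm the rules landed
fi
```

Run it first with `IPFW=echo SSH_LOCK_APPLY=1` to see the exact `ipfw` commands it would issue, then for real from a session you already hold open; keep that session up until you have verified a fresh connection from an allowed address succeeds. As a second layer independent of the firewall, sshd itself can restrict where logins come from with a `Match Address` block in `sshd_config`, which still applies if the ipfw rules are ever flushed.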

Locking a firewall port to specific ranges or addresses for SSH isn’t foolproof, but it’s one more layer of security which is always welcome. Above all else, it drastically cuts down on drive-by auth spam.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.