Updated on 2024-08-15 GMT+08:00

How Can I Allow or Deny Login from Specific Users or IP Addresses to an ECS Using SSH?

Scenarios

This section describes how to allow or deny SSH access to an ECS for specific users or IP addresses.

Constraints

  • DenyHosts has been installed on the ECS.
  • The sshd service is restarted at a time when doing so does not affect running services.

Method 1: Edit the sshd Configuration File

  1. Allowing Specific Users (Whitelist)

    Add the usernames and IP addresses to be allowed to AllowUsers in the /etc/ssh/sshd_config file. For example, to allow user test to access the ECS from 192.168.1.2, add test@192.168.1.2 to AllowUsers:

    AllowUsers test@192.168.1.2

    After the configuration takes effect, only the allowed users can log in to the ECS.

  2. Denying Specific Users (Blacklist)

    Add the usernames to be denied to DenyUsers in the /etc/ssh/sshd_config file. For example, to deny user testuser access to the ECS, add testuser to DenyUsers:

    DenyUsers testuser

    Restart sshd for the modifications to take effect.

    For CentOS 6, run the following command:

    service sshd restart

    For CentOS 7 or EulerOS, run the following command:

    systemctl restart sshd

Method 2: Use DenyHosts

The /etc/hosts.allow and /etc/hosts.deny files of a Linux ECS are used to allow or deny access from an IP address or an IP address range to the ECS using SSH.

  1. To allow the IP address 192.168.1.3 to access the ECS using SSH, add the following content to the /etc/hosts.allow file:
    sshd: 192.168.1.3
  2. To deny SSH access to the ECS from all IP addresses, add the following content to the /etc/hosts.deny file:
    sshd: ALL

    hosts.allow has a higher priority than hosts.deny. In the preceding example, only SSH login from 192.168.1.3 is allowed. All other SSH connections to the ECS will be denied.
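
The priority rule above can be checked offline before the files are edited. The following is an added example, not part of the original page or of any Huawei Cloud tooling: a simplified Python model of how the two files are evaluated (hosts.allow first, then hosts.deny, otherwise allow). It assumes IPv4 only and a subset of the hosts_access(5) pattern syntax (ALL, single address, trailing-dot prefix, net/mask); the function names are hypothetical.

```python
import ipaddress

# Constructed sample files: the two entries from the example above.
HOSTS_ALLOW = "sshd: 192.168.1.3\n"
HOSTS_DENY = "sshd: ALL\n"

def client_matches(pattern, ip):
    """Match one client pattern (IPv4 subset of the hosts_access(5) syntax)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):   # "192.168.1." covers every address with that prefix
        return ip.startswith(pattern)
    if "/" in pattern:          # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip        # single address

def file_matches(text, daemon, ip):
    """True if any rule in the file text covers this (daemon, client) pair."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 2)[:2])
        daemon_list = daemons.replace(",", " ").split()
        if daemon not in daemon_list and "ALL" not in daemon_list:
            continue
        if any(client_matches(p, ip) for p in clients.replace(",", " ").split()):
            return True
    return False

def decide(daemon, ip, hosts_allow, hosts_deny):
    """hosts.allow is checked first, then hosts.deny; no match at all means allow."""
    if file_matches(hosts_allow, daemon, ip):
        return "allow"
    if file_matches(hosts_deny, daemon, ip):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for ip in ("192.168.1.3", "192.168.1.4", "10.0.0.8"):
        print(ip, decide("sshd", ip, HOSTS_ALLOW, HOSTS_DENY))
    # Without the "sshd: ALL" entry, unlisted addresses are no longer denied.
    print("192.168.1.4", decide("sshd", "192.168.1.4", HOSTS_ALLOW, ""))
```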