How Can I Allow or Deny Login from Specific Users or IP Addresses to an ECS Using SSH?
Scenarios
This section describes how to allow or deny SSH access to an ECS for specific users or IP addresses.
Constraints
- DenyHosts has been installed on the ECS.
- Restart the sshd service at a time that does not affect running services.
Method 1: Edit the sshd Configuration File
- Allowing Specific Users (Whitelist)
Add the usernames and IP addresses to be allowed to AllowUsers in the /etc/ssh/sshd_config file. For example, to allow user test to access the ECS from 192.168.1.2, add test@192.168.1.2 to AllowUsers:
AllowUsers test@192.168.1.2
After the configuration takes effect, only the allowed users can log in to the ECS.
- Denying Specific Users (Blacklist)
Add the usernames to be denied to DenyUsers in the /etc/ssh/sshd_config file. For example, to deny user testuser access to the ECS, add testuser to DenyUsers:
DenyUsers testuser
Restart sshd for the modifications to take effect.
For CentOS 6, run the following command:
service sshd restart
For CentOS 7 or EulerOS, run the following command:
systemctl restart sshd
Method 2: Use DenyHosts
The /etc/hosts.allow and /etc/hosts.deny files of a Linux ECS are used to allow or deny access from an IP address or an IP address range to the ECS using SSH.
- To allow the IP address 192.168.1.3 to access the ECS using SSH, add the following content to the /etc/hosts.allow file:
sshd: 192.168.1.3
- To deny all IP addresses access to the ECS using SSH, add the following content to the /etc/hosts.deny file:
sshd: ALL
hosts.allow has a higher priority than hosts.deny. In the preceding example, only SSH login from 192.168.1.3 is allowed. All other SSH connections to the ECS will be denied.
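The precedence rule described above, as an added example (not code from this documentation): a POSIX shell model of the lookup order, where hosts.allow is checked first, then hosts.deny, and access is granted when neither file matches. The function names rule_matches and sshd_allowed are hypothetical, the sample files are constructed from the two rules above, and only the ALL, exact IPv4 and dotted-prefix client patterns are handled; it assumes an sshd that honors these files.

```shell
# Added example: simplified model of hosts.allow / hosts.deny evaluation.
# Client patterns handled (subset of hosts_access(5)): ALL, exact IPv4, "10.1.".

# rule_matches FILE DAEMON IP: exit status 0 if a rule in FILE matches.
# The body runs in a subshell so the IFS and set -f changes stay local.
rule_matches() (
    file=$1 daemon=$2 ip=$3
    [ -r "$file" ] || exit 1          # a missing file behaves like an empty one
    set -f                            # no globbing while splitting fields
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # drop comments
        case $line in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}; clients=${clients%%:*}   # ignore optional 3rd field
        IFS=', '
        for d in $daemons; do
            [ "$d" = "$daemon" ] || [ "$d" = ALL ] || continue
            for c in $clients; do
                case $c in
                    ALL)   exit 0 ;;
                    *.)    case $ip in "$c"*) exit 0 ;; esac ;;
                    "$ip") exit 0 ;;
                esac
            done
        done
    done < "$file"
    exit 1
)

# sshd_allowed IP ALLOW_FILE DENY_FILE: status 0 = granted, 1 = refused.
sshd_allowed() {
    if rule_matches "$2" sshd "$1"; then return 0; fi   # hosts.allow wins
    if rule_matches "$3" sshd "$1"; then return 1; fi   # then hosts.deny
    return 0                                            # no match: granted
}

# Constructed sample files holding the two rules from the page.
demo() {
    demo_dir=$(mktemp -d)
    printf 'sshd: 192.168.1.3\n' > "$demo_dir/hosts.allow"
    printf 'sshd: ALL\n' > "$demo_dir/hosts.deny"
    for demo_ip in 192.168.1.3 192.168.1.4; do
        if sshd_allowed "$demo_ip" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"
        then echo "$demo_ip: allowed"
        else echo "$demo_ip: denied"
        fi
    done
    rm -rf "$demo_dir"
}
demo
```

The third branch of sshd_allowed is the case to watch: without the sshd: ALL line in hosts.deny, an address that is absent from hosts.allow is still granted access.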