Using TCP Wrapper in CentOS 7 for SSH Blocking

Just a brief post today to show you how to use the TCP Wrapper in CentOS to help manage access to SSH.

What is a TCP Wrapper? It's a method of blocking access to services on your CentOS server via IP restriction. As a side note, you should still always have a firewall configured, so don't confuse this as a substitute.

What we're going to be doing today is blocking access to SSH from all IPs except from the list of "allowed" IPs. The way this is achieved is via two files located in the /etc directory. One named hosts.allow and the other hosts.deny. Their respective names, give you an indication of their roles.

Now before you do this, ensure you have console access to your machine, otherwise you may lock yourself out of your own server. I can not stress this enough. Do this on a test site before you do this on your live server.

Let's get started. Log onto your server using Putty or other SSH client and using vi or your favourite editor edit the file /etc/hosts.allow. In the hosts.allow file you need to add the following syntax to allow an IP:

sshd: 4.3.200.100

Replace my example IP of 4.3.200.100 with the IP you wish to allow access to SSH on your server.

Now we're going to be editing the hosts.deny file to block all other IPs from access SSH on our server. Add the following syntax:

sshd: All

You may be thinking, if I place sshd: All in the deny file won't that block me as well? Fear not young Padawan, the system always processes the hosts.allow first before processing the hosts.deny, therefore any IPs in your allow file will be granted access.

That's all that's required. It's just a very simple little feature you can use to add extra security to your server.

One added benefit of this method is that there is a log that records all the attempts to log onto your server located at /var/log/secure. Open the file and you'll be shocked at how many attempts to access your server happen over a 24 hour period.

No Comments Yet.

Leave a comment