How to Restrict SSH Access to Selected IP on macOS

Tags: network, ssh, terminal

I want to restrict ssh access on macOS 10.12 to selected IPs on my local network. I tried writing the following files:

# /etc/hosts.allow
sshd: 192.168.1.32
sshd: 192.168.1.33

# /etc/hosts.deny
sshd: ALL

Then restarting with:

sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load /System/Library/LaunchDaemons/ssh.plist

Unloading ssh.plist successfully disabled ssh, but after reloading I can still connect from any IP.

How can I configure an IP whitelist?

Best Answer

hosts.allow and hosts.deny are only used when you run the service (sshd) through TCP wrappers. The default macOS install does not do that, so they will not have any effect.

As recommended by other answers, you could use a firewall to restrict access to SSH. This could be a hardware (i.e. "external") firewall or a software firewall such as the built-in pf firewall.

However, I wouldn't recommend using a firewall only. The best approach is to limit the sshd service itself, and if you want, you can add firewall protection on top of that. The reasoning is that if for some reason your firewall gets disabled, outside users would suddenly be able to communicate with sshd, which you really do not want.

In order to configure sshd to limit access, you will need to edit the file /etc/ssh/sshd_config, and add the following:

AllowUsers username@192.168.1.32 username@192.168.1.33

where you replace "username" with your actual username.

If you want, you can replace parts with * as a wildcard, for example username@192.168.1.* or *@192.168.1.32. You can read more about the options in the man page for sshd_config.
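As an added example (this is not code from the question or the answer above), the script below builds both layers the answer recommends from one host list: the AllowUsers line for /etc/ssh/sshd_config and a pf anchor that drops TCP/22 from everything else. It also contains a small emulation of how sshd evaluates USER@HOST patterns, so you can check what an allowlist will do before editing the live config. The user name "alice", the hosts 192.168.1.32 and 192.168.1.33, the anchor file path and the assumption that UseDNS is off (so HOST is matched against the client IP rather than a reverse-DNS name) are all assumptions for the example, not details from the page.

```shell
#!/bin/sh
# Added example, not part of the original answer: sshd AllowUsers plus a pf
# anchor generated from one list, and an emulation of sshd's USER@HOST
# pattern check. Assumed values (not from the page): user "alice", hosts
# 192.168.1.32 and 192.168.1.33, UseDNS no.

ALLOWED_USER=alice
ALLOWED_HOSTS="192.168.1.32 192.168.1.33"

# Emulate sshd's AllowUsers decision: each pattern is USER or USER@HOST, and
# '*' / '?' are wildcards with the same meaning as shell globs. Returns 0 when
# the (user, addr) pair matches some pattern, 1 otherwise. The important
# property: once AllowUsers is set at all, anyone who matches no pattern is
# refused, including the listed user coming from an unlisted address.
# Not emulated: CIDR ranges and '!' negation, which real sshd also accepts.
allow_users_match() {
    user=$1
    addr=$2
    shift 2
    for pat in "$@"; do
        case $pat in
            *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;
            *)   upat=$pat;       hpat='*' ;;
        esac
        # Unquoted on purpose: the variables must act as glob patterns.
        case $user in $upat) ;; *) continue ;; esac
        case $addr in $hpat) return 0 ;; esac
    done
    return 1
}

# The line to append to /etc/ssh/sshd_config.
sshd_allowusers_line() {
    line="AllowUsers"
    for h in $ALLOWED_HOSTS; do
        line="$line $ALLOWED_USER@$h"
    done
    printf '%s\n' "$line"
}

# pf anchor restricting TCP/22 to the same hosts. pf uses last-match-wins, so
# the pass rule placed after the block rule wins for listed addresses and
# everything else stays blocked. Hypothetical deployment: save the output as
# /etc/pf.anchors/ssh-allowlist, add to /etc/pf.conf
#   anchor "ssh-allowlist"
#   load anchor "ssh-allowlist" from "/etc/pf.anchors/ssh-allowlist"
# then run: sudo pfctl -f /etc/pf.conf && sudo pfctl -e
pf_ssh_anchor() {
    list=""
    for h in $ALLOWED_HOSTS; do
        list="${list:+$list, }$h"
    done
    printf 'table <ssh_allowed> { %s }\n' "$list"
    printf 'block in proto tcp from any to any port 22\n'
    printf 'pass in proto tcp from <ssh_allowed> to any port 22\n'
}

# Parse-check candidate files before replacing the live ones: sshd -t exits
# non-zero on a bad sshd_config and pfctl -n only parses the rule file, so a
# typo is caught before it locks you out. Usage: check_candidates CFG ANCHOR
check_candidates() {
    sshd -t -f "$1" && pfctl -nf "$2"
}

# Print both fragments for review when the script is run directly.
sshd_allowusers_line
echo
pf_ssh_anchor
```

Two things the emulation makes visible: with the generated AllowUsers line, alice from 10.0.0.5 and bob from 192.168.1.32 are both refused, and a bare pattern such as alice (no @HOST) admits that user from anywhere, which is the mistake to avoid when the goal is an IP allowlist.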