9.4 Configuring Client Host Access

Edit the server configuration file (/etc/ssh2/sshd2_config) to control access to the server. Note: The ResolveClientHostname setting controls whether the server attempts to resolve the client IP address to a domain name; the default is 'yes'. The resolved domain name for a client is the fully qualified domain name. This means that when you add a host to the allow or deny list using a domain name, you must use either a fully qualified domain name or a regular expression to ensure that host domain names are handled correctly. For example, if you deny access to the client "mypc", the client mypc.myhost.com will still be able to connect. You must explicitly deny access to "mypc\.myhost\.com", or use an expression such as "mypc\..*", to ensure that this client is denied access.

The following keywords configure settings for client host computers: AllowHosts, DenyHosts, HostSpecificConfig. You can specify hosts using either IP addresses or domain names. The server first tries to match using the IP address of the client. If that fails, it tries to match using a domain name.

You can also configure the server to force a match based on IP address.

To force matching to a specific IP address, start the host expression using a backslash followed by i (\i). For example:

DenyHosts = \i123.45.78.9

To match a range of IP addresses using a CIDR (Classless Inter-Domain Routing) subnet, start the host expression using a backslash followed by m (\m). For example:

DenyHosts = \m123.123.0.0/16

Note: If you use either \i or \m, regular expressions are not supported within the IP address.

NOTE:

  • To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).

  • To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked.
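The matching rules described in this section, modelled in Python as an added example. This is not the server's own code: it assumes the behaviour the text describes (IP tried first, then the fully qualified domain name; \i is an exact IP; \m is a CIDR subnet; anything else is a regular expression), and it assumes expressions must match the whole name, which is what the "mypc" versus mypc.myhost.com behaviour implies. It also shows why a deny list needs both the IPv4 and the IPv6 loopback address.

```python
import ipaddress
import re

# Constructed model of AllowHosts/DenyHosts matching (assumption: not the
# product's implementation). Each rule is one host expression from the config:
#   \i<addr>   exact IP address, no regular expression
#   \m<cidr>   CIDR subnet, no regular expression
#   <regex>    regular expression, tried against the IP string first and then
#              against the client's fully qualified domain name (anchored)


def rule_matches(rule, client_ip, client_fqdn=None):
    """Return True if a single host expression matches the client."""
    addr = ipaddress.ip_address(client_ip)
    if rule.startswith("\\i"):
        # Literal address; an IPv4 rule never matches an IPv6 client
        return addr == ipaddress.ip_address(rule[2:])
    if rule.startswith("\\m"):
        # CIDR subnet; address-family mismatch is simply not a match
        return addr in ipaddress.ip_network(rule[2:], strict=False)
    pattern = re.compile(rule)
    if pattern.fullmatch(client_ip):
        return True
    # Only the resolved FQDN is compared, so "mypc" alone never matches
    # "mypc.myhost.com" (assumption: anchored match, as the text implies)
    return bool(client_fqdn) and pattern.fullmatch(client_fqdn) is not None


def is_denied(deny_hosts, client_ip, client_fqdn=None):
    """True if any DenyHosts expression matches the client."""
    return any(rule_matches(r, client_ip, client_fqdn) for r in deny_hosts)


if __name__ == "__main__":
    # Constructed sample clients and rules taken from this section
    print(is_denied(["mypc"], "10.0.0.5", "mypc.myhost.com"))        # False
    print(is_denied([r"mypc\..*"], "10.0.0.5", "mypc.myhost.com"))   # True
    print(is_denied([r"\m123.123.0.0/16"], "123.123.200.1"))         # True
    # Loopback: denying only 127.0.0.1 leaves the IPv6 loopback open
    print(is_denied([r"\i127.0.0.1"], "0:0:0:0:0:0:0:1"))            # False
    print(is_denied([r"\i127.0.0.1", r"\i0:0:0:0:0:0:0:1"], "::1"))  # True
```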