Restrict Remote SSH Login to IP

You could create a new rule in /etc/pf.conf along these lines:

table <goodguys> { 111.222.0.0/16, 117.30.117.55 } persist

block in proto tcp from any to any port {22}

pass in on en0 proto tcp from <goodguys> to (en0) port {22} flags S/SA keep state

Then reload pfctl:

sudo pfctl -f /etc/pf.conf -e

Note OS upgrades may overwrite your pf.conf file!

I'm a novice ssh user, but ...

man sshd_configure

AllowUsers

This keyword can be followed by a list of user name patterns, separated by spaces. If specified,

login is allowed only for user names that match one of the patterns. Only user names are valid; a

numerical user ID is not recognized. By default, login is allowed for all users. If the pattern

takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular

users from particular hosts. The allow/deny directives are processed in the following order:

DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

appears to be using openSSHD

hence:

http://www.unixlore.net/articles/five-minutes-to-even-more-secure-ssh.html

You should be able to specify the users that are allowed to connect via

You could also change the /etc/ssh/sshd_config to disable password logins and ONLY allow ssh-keygen created keys

...

PasswordAuthentication no

...

You will need to stop and restart sshd or send it a SIGHUP to get it to re-read the updated sshd_config file. (see 'man sshd' and 'man sshd_config').

I'm sorry, but I do not have any clues about pf.conf and restricting connections from IP addresses that are not your select range.

spacegoose wrote:

I tried AllowUsers foo@123.456.789.10 in sshd_config and it didn't work.

It's not clear if it's even possible to manually configure the firewall. It seems like it's really an application only firewall?

Regards,

SG

Did you restart sshd after changing the /etc/ssh/sshd_config file?

Just uncheck "Remote Login", and then re-check "Remote Login" in the Sharing preferences.

I think you need to disallow all other user/ip addresses. etc.

Did you make this change in your vm? What os in the vm?

R

Maybe you should try a 'block', followed by a 'pass'. My limited google search reading says all are enabled by default. That all rules are read and a specific request may be denied, then allowed, then denied, allowed, etc... until the last rule is processed. So I'm suggesting you start by blocking all ssh access, then allow access from your subset of ports.

NOTE: The following is totally untested, and could be full of syntax errors

table <my_ssh_allow_table> { 123.456.789.10, 123.456.789.11, 192.168.1.0/24 }

block in all proto tcp to any port ssh

pass in proto tcp from <my_ssh_allow_table> to any port ssh

The <ssh_allow_set> has 2 specific IP address, and all typical local LAN addresses, assuming your router using 192.168.1.* as the local LAN IP address range. Adjust all the addresses accordingly.

Again, I do not have a clue if this is good syntax or not.