How to Block SSH Logins for Specific Users, Groups, and IP Ranges on Linux

This guide explains multiple Linux techniques—setting a user’s shell to /sbin/nologin, editing /etc/passwd, configuring sshd_config with Allow/Deny directives, and using hosts.allow/hosts.deny—to prevent unwanted SSH access for particular users, groups, or IP addresses, and shows how to apply the changes safely.

Liangxu Linux

Background

Linux administrators often need to restrict SSH access for security or operational reasons. While firewalls and iptables can filter traffic, controlling login permissions at the user, group, or IP level provides finer granularity.

Preventing Shell Login with /sbin/nologin

Each user’s login shell is defined in /etc/passwd. By setting the shell to /sbin/nologin, the account cannot obtain an interactive shell, effectively blocking SSH login.

Create a non-login user:

useradd -s /sbin/nologin <new_username>

Convert an existing user:

usermod -s /sbin/nologin <username>

Alternatively, edit /etc/passwd by hand and replace the shell field with /sbin/nologin for the target user.

Example /etc/passwd entry after modification:

root:x:0:0:root:/root:/bin/bash
myname:x:1000:1000::/home/myname:/sbin/nologin

Controlling Access via sshd_config

The SSH daemon reads /etc/ssh/sshd_config for login policies. The following directives manage which users or groups may log in:

AllowUsers – whitelist of usernames:

echo "AllowUsers myname" >> /etc/ssh/sshd_config

AllowGroups – whitelist of groups:

echo "AllowGroups myGroup" >> /etc/ssh/sshd_config

DenyUsers – blacklist of usernames:

echo "DenyUsers myname" >> /etc/ssh/sshd_config

DenyGroups – blacklist of groups:

echo "DenyGroups myGroup" >> /etc/ssh/sshd_config

Notes:

If AllowUsers or AllowGroups is set, only the listed entities can log in; all others are denied.

When both Allow* and Deny* are present, the Allow* rules take precedence.

IP‑Based Control with hosts.allow and hosts.deny

These files are processed before sshd_config. Entries follow the format sshd:IP_or_range:action, where action is allow or deny.

Allowing IPs (hosts.allow)

Single IP:

echo "sshd:192.168.0.1:allow" >> /etc/hosts.allow

Subnet:

echo "sshd:192.168.0.0/24:allow" >> /etc/hosts.allow

All addresses:

echo "sshd:ALL" >> /etc/hosts.allow

Denying IPs (hosts.deny)

Single IP:

echo "sshd:192.168.0.2:deny" >> /etc/hosts.deny

Subnet:

echo "sshd:192.168.0.0/24:deny" >> /etc/hosts.deny

All addresses:

echo "sshd:ALL" >> /etc/hosts.deny

When both files contain entries, hosts.allow overrides hosts.deny.

Applying Changes

After editing any of the above files, restart the SSH daemon for the changes to take effect:

systemctl restart sshd
# or
service sshd restart
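The Allow/Deny directives, the hosts.allow/hosts.deny rules and the restart step above can be applied in a repeatable way. The following Bash functions are an added example, not part of the original article: they set each directive to a single value instead of appending duplicates on every run, add a wrapper rule only once, and validate the configuration with sshd -t before restarting. The file paths are parameters so the functions can be tried on copies; the APPLY_SSH_RULES variable and the sample values are assumptions.

```shell
#!/bin/bash
# Added example (not the article's own script): idempotent, validated
# application of sshd_config directives and TCP-wrapper rules.
set -u

# Set a directive to exactly one value: drop any existing uncommented
# "key ..." lines, then append "key value". Repeated ">>" appends, as in the
# article's script, would otherwise pile up duplicate lines across runs.
set_sshd_directive() {
  local cfg=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  grep -Ev "^[[:space:]]*${key}([[:space:]]|$)" "$cfg" > "$tmp" || true
  printf '%s %s\n' "$key" "$value" >> "$tmp"
  cat "$tmp" > "$cfg"   # cat keeps the target's owner and permissions
  rm -f "$tmp"
}

# Number of uncommented lines that set the given directive (prints 0..n).
count_directive() {
  local cfg=$1 key=$2
  grep -Ec "^[[:space:]]*${key}([[:space:]]|$)" "$cfg" || true
}

# Append "service:client:action" to hosts.allow or hosts.deny unless the
# identical rule is already present.
add_wrapper_rule() {
  local file=$1 service=$2 client=$3 action=$4 line
  line="${service}:${client}:${action}"
  grep -Fqx "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Run sshd's own syntax check on the file before trusting it. A broken
# sshd_config makes the daemon refuse to start after a restart.
validate_sshd_config() {
  local cfg=$1
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$cfg"
  else
    echo "sshd not found; skipping syntax check of $cfg" >&2
  fi
}

# Only restart once the configuration has passed validation.
apply_and_restart() {
  validate_sshd_config "$1" && systemctl restart sshd
}

# Sample run on the live files (assumed variable; run as root).
if [ "${APPLY_SSH_RULES:-0}" = 1 ]; then
  set_sshd_directive /etc/ssh/sshd_config AllowUsers "user01"
  set_sshd_directive /etc/ssh/sshd_config AllowGroups "devops"
  add_wrapper_rule /etc/hosts.allow sshd 192.168.1.10 allow
  apply_and_restart /etc/ssh/sshd_config
fi
```

Before running it against the live files, make sure the account you are logged in with appears in the AllowUsers or AllowGroups value, and keep the current session open until a second login succeeds.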

Additional Hardening

To prevent ordinary users from creating new accounts that could bypass the rules, lock the critical account files:

Lock:

chattr +i /etc/gshadow /etc/group /etc/shadow /etc/passwd

Unlock:

chattr -i /etc/gshadow /etc/group /etc/shadow /etc/passwd

Verify the file attributes with lsattr or ls -l.

Example Automation Script

The following Bash script demonstrates the steps described above. Save it as sshd_config-myrules.sh and execute with root privileges.

#!/bin/bash
# author: xiongzaiqiren
# date: 2023-03-20
# usage: sh sshd_config-myrules.sh (run as root)

# Create a user whose login shell is /sbin/nologin (no interactive login)
useradd -s /sbin/nologin user01

# Allow a specific user and group via sshd_config
echo "AllowUsers user01" >> /etc/ssh/sshd_config
echo "AllowGroups devops" >> /etc/ssh/sshd_config

# Deny a user and a group
echo "DenyUsers baduser" >> /etc/ssh/sshd_config
echo "DenyGroups badgroup" >> /etc/ssh/sshd_config

# IP whitelist (hosts.allow) and blacklist (hosts.deny)
echo "sshd:192.168.1.10:allow" >> /etc/hosts.allow
echo "sshd:10.0.0.0/8:deny" >> /etc/hosts.deny

# Restart the SSH service so the new rules take effect
systemctl restart sshd

Link: https://www.cnblogs.com/xiongzaiqiren/p/sshlogin.html

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
