How to Block SSH Logins for Specific Users, Groups, and IPs on Linux
This guide explains multiple Linux techniques—including nologin shells, sshd_config allow/deny lists, and hosts.allow/hosts.deny rules—to prevent selected users, groups, or IP addresses from logging in via SSH, with practical commands, examples, and a ready‑to‑run script.
Background
Linux offers several layers for restricting SSH access: packet filtering (iptables/nftables, firewalld) in front of the service, TCP Wrappers between the network and the daemon, and, closest to the service itself, sshd's own control over which users, groups and source addresses may log in. This guide covers the account-level and sshd-level mechanisms, which give the finest operational control over who gets a session.
Method 1 – Disable Shell Login with /sbin/nologin or /etc/passwd
Each user's login shell is the last field of its /etc/passwd entry. Setting it to /sbin/nologin (/usr/sbin/nologin on Debian and Ubuntu) makes every interactive session end immediately with a refusal message (the contents of /etc/nologin.txt if that file exists). Be clear about what this does and does not cover: authentication itself still succeeds, so an account with a nologin shell can still forward ports with ssh -N unless AllowTcpForwarding is off, and it can still use SFTP when the server runs the in-process internal-sftp subsystem. To stop the account from authenticating at all, also expire it (chage -E 0 <username>); locking only the password (usermod -L <username>) does not affect key-based login.
Create a non-login user:
useradd -s /sbin/nologin <new username>
Change an existing user's shell:
usermod -s /sbin/nologin <username>
Or edit /etc/passwd directly (vipw locks the file while you edit) and replace the shell field with /sbin/nologin.
Example entry:
root:x:0:0:root:/root:/bin/bash
# myname:x:1000:1000::/home/myname:/bin/bash
myname:x:1000:1000::/home/myname:/sbin/nologin
Method 2 – Control Access via sshd_config
The daemon configuration file /etc/ssh/sshd_config supports four list directives. Each takes one or more space-separated patterns; * and ? are wildcards, and a pattern of the form USER@HOST restricts a user to a client host or CIDR range (for example AllowUsers myname@192.168.0.0/24).
Allow specific users:
echo "AllowUsers myname" >> /etc/ssh/sshd_config
Allow specific groups:
echo "AllowGroups myGroup" >> /etc/ssh/sshd_config
Deny specific users:
echo "DenyUsers myname" >> /etc/ssh/sshd_config
Deny specific groups:
echo "DenyGroups myGroup" >> /etc/ssh/sshd_config
Once AllowUsers or AllowGroups is present, only the listed users or group members may log in; everyone else is rejected, root included unless listed. Group membership counts both the primary group from /etc/passwd and supplementary groups from /etc/group.
If both allow and deny directives exist, the deny lists win, not the allow lists: sshd evaluates DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and a user matched by any Deny entry is rejected even if also named in an Allow entry. Two practical cautions: appending with >> puts the line at the very end of the file, and if the file ends in a Match block the directive lands inside that block and applies only to connections matching it, so place global entries above the first Match line; and always run sshd -t before restarting, then sshd -T (which prints the effective configuration with lowercase keywords) to confirm what the daemon actually parsed.
A blocked attempt looks like an ordinary authentication failure to the client (“Permission denied, please try again.” with password authentication), because sshd does not reveal that the account is denied. The reason appears only in the server log, e.g. “User myname from 192.0.2.10 not allowed because listed in DenyUsers” in journalctl -u sshd, /var/log/auth.log, or /var/log/secure on RHEL-type systems.
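Because the two mechanisms interact (a user can pass the sshd lists and still be stopped by a nologin shell, or sit in AllowUsers and still be rejected by DenyUsers), it helps to evaluate both together. The audit script below is an added example, not code from the original post: it reads passwd, group and sshd_config files, applies the evaluation order from sshd_config(5), and prints a verdict per account. The three files it reads are constructed samples with placeholder names (alice, bob, svc-backup, ssh-users). It reads only top-level directives, treats the host part of USER@HOST patterns as matched, and does not model PAM, account expiry, or Match blocks.

```sh
#!/bin/sh
# Added example (not from the original post): report which accounts could
# actually open an SSH session, combining Method 1 (login shell) with Method 2
# (sshd allow/deny lists).  The lists are applied in the order sshd_config(5)
# documents: DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a DenyUsers
# match wins over any Allow entry.  The passwd, group and sshd_config files
# below are constructed samples; point the arguments at /etc/passwd,
# /etc/group and /etc/ssh/sshd_config to audit a real host.
set -u
# Every value given for one keyword, top-level only: directives after the
# first "Match" line apply to that block alone and are skipped here.
sshd_directive() {    # sshd_directive <config> <Keyword> -> patterns, space separated
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) printf "%s ", $i }
  ' "$1"
}

# Glob match as sshd does for user and group names ("*", "?").  USER@HOST
# patterns are simplified: the host part is dropped, i.e. treated as matched.
pattern_matches_any() {    # pattern_matches_any <name> <patterns...>
  local name pat
  name=$1; shift
  for pat in "$@"; do
    pat=${pat%%@*}
    case "$name" in $pat) return 0 ;; esac
  done
  return 1
}

# Primary group (from the passwd GID) plus supplementary groups (member lists).
user_groups() {    # user_groups <user> <passwd> <group> -> one group name per line
  local gid
  gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
  awk -F: -v u="$1" -v gid="$gid" '
    $3 == gid { print $1; next }
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
  ' "$3"
}

# 0 = the allow/deny lists let the user through, 1 = rejected by them.
sshd_allows_user() {    # sshd_allows_user <user> <passwd> <group> <config>
  local deny_u allow_u deny_g allow_g groups g
  deny_u=$(sshd_directive "$4" DenyUsers);  allow_u=$(sshd_directive "$4" AllowUsers)
  deny_g=$(sshd_directive "$4" DenyGroups); allow_g=$(sshd_directive "$4" AllowGroups)
  [ -n "$deny_u" ] && pattern_matches_any "$1" $deny_u && return 1
  [ -n "$allow_u" ] && ! pattern_matches_any "$1" $allow_u && return 1
  groups=$(user_groups "$1" "$2" "$3")
  if [ -n "$deny_g" ]; then
    for g in $groups; do pattern_matches_any "$g" $deny_g && return 1; done
  fi
  if [ -n "$allow_g" ]; then
    for g in $groups; do pattern_matches_any "$g" $allow_g && return 0; done
    return 1
  fi
  return 0
}

# A nologin/false shell only stops the interactive session: authentication has
# already succeeded, and ssh -N port forwarding still works unless AllowTcpForwarding is off.
shell_can_login() {    # shell_can_login <shell>
  case "$1" in */nologin|*/false|"") return 1 ;; *) return 0 ;; esac
}

ssh_access_report() {    # ssh_access_report <passwd> <group> <config>
  local user shell
  while IFS=: read -r user _ _ _ _ _ shell; do
    if ! sshd_allows_user "$user" "$1" "$2" "$3"; then
      printf '%-12s denied by sshd allow/deny lists\n' "$user"
    elif ! shell_can_login "$shell"; then
      printf '%-12s passes the sshd lists; shell %s blocks the session (forwarding still possible)\n' "$user" "$shell"
    else
      printf '%-12s can log in\n' "$user"
    fi
  done < "$1"
}

# --- constructed sample data (placeholder names) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc-backup:x:1002:1002::/var/lib/backup:/sbin/nologin
EOF
cat > "$demo_dir/group" <<'EOF'
root:x:0:
alice:x:1000:
bob:x:1001:
svc-backup:x:1002:
ssh-users:x:2000:alice,bob,svc-backup
EOF
cat > "$demo_dir/sshd_config" <<'EOF'
AllowUsers alice bob svc-backup
DenyUsers bob
AllowGroups ssh-users
Match Address 192.168.0.0/24
    PasswordAuthentication yes
EOF
ssh_access_report "$demo_dir/passwd" "$demo_dir/group" "$demo_dir/sshd_config"
```

For the constructed data the report says alice can log in, root and bob are denied (bob is in AllowUsers, but DenyUsers is evaluated first), and svc-backup passes the lists but is stopped by its shell. On a live host the authoritative checks are sshd -T -C user=<name>,addr=<client ip>,host=<client name>, which prints the configuration sshd would apply to that connection, and the “not allowed because listed in DenyUsers” lines in the auth log; the script is a reading aid for the precedence rules, not a replacement for those.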
Method 3 – IP‑Based Filtering with hosts.allow and hosts.deny
These two files belong to TCP Wrappers (libwrap): a daemon linked against the library asks it, for every incoming connection, whether the client address is acceptable for that service. Each line has the form daemon_list : client_list [ : option ], and the daemon name for SSH is sshd. The important caveat is that OpenSSH removed libwrap support in version 6.7 (2014), and many current distributions ship sshd without it, so these files may have no effect on SSH at all. Check with ldd "$(command -v sshd)" | grep libwrap: if nothing prints, use a firewall rule (nftables/firewalld) or the sshd-native forms AllowUsers <user>@<network> or Match Address instead.
Allow rules (add to /etc/hosts.allow):
echo "sshd:192.168.0.1:allow" >> /etc/hosts.allow
echo "sshd:192.168.0.0/24:allow" >> /etc/hosts.allow
echo "sshd:ALL" >> /etc/hosts.allow
Note that sshd:ALL in hosts.allow admits every client and makes hosts.deny irrelevant for sshd; it is shown for completeness, not as something to combine with the rules above. The net/prefixlen form 192.168.0.0/24 is accepted by Red Hat-derived tcp_wrappers builds; the portable form is 192.168.0.0/255.255.255.0.
Deny rules (add to /etc/hosts.deny):
echo "sshd:192.168.0.2:deny" >> /etc/hosts.deny
echo "sshd:192.168.0.0/24:deny" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.deny
Evaluation order: hosts.allow is searched first and the first matching rule decides; only if nothing there matches is hosts.deny searched; if neither file matches, access is granted. So allow entries do take priority over deny entries, and sshd:ALL in hosts.deny turns the setup into a whitelist of whatever hosts.allow names. Write the hosts.allow entries before adding the deny-all line, and test from a second session, or you lock yourself out. The trailing :allow / :deny is the hosts_options extension: it overrides the file's default verdict, so an explicit :deny inside hosts.allow denies (useful for excluding one host from an otherwise allowed network), and the :deny suffix in hosts.deny is redundant.
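Two things a practitioner wants before relying on this method: proof that the local sshd still consults libwrap at all, and a way to test rule files without locking anyone out. The script below is an added example, not code from the original post. It checks the sshd binary for libwrap, prints the sshd-native AllowUsers user@network equivalent of an address allow-list, and evaluates client addresses against constructed hosts.allow/hosts.deny files using the hosts_access(5) search order. It handles IPv4 patterns only (ALL, exact address, trailing-dot prefix, net/mask, and the net/prefixlen form Red Hat-derived builds accept) and ignores EXCEPT clauses; the addresses and the user name admin are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): check whether this sshd consults
# hosts.allow/hosts.deny at all, then evaluate client addresses against rule
# files offline using the hosts_access(5) order: first match in hosts.allow
# grants, otherwise first match in hosts.deny denies, otherwise access is granted.
# IPv4 patterns only (ALL, exact address, trailing-dot prefix, net/mask, and the
# net/prefixlen form some builds accept); EXCEPT is not handled.  The rule files
# created below are constructed samples with placeholder addresses.
set -u
# OpenSSH dropped TCP Wrappers support in 6.7 (2014).  Without libwrap, sshd
# silently ignores both files; use a firewall rule or an sshd-native policy.
sshd_honours_tcp_wrappers() {
  local bin
  bin=$(command -v sshd || echo /usr/sbin/sshd)
  [ -x "$bin" ] && ldd "$bin" 2>/dev/null | grep -q libwrap
}

# sshd-native equivalent of an address allow-list: AllowUsers takes USER@HOST
# patterns whose host part may be a CIDR block (sshd_config(5), PATTERNS).
render_allowusers_from_nets() {    # render_allowusers_from_nets <user> <net>...
  local user out net
  user=$1; shift; out=AllowUsers
  for net in "$@"; do out="$out $user@$net"; done
  printf '%s\n' "$out"
}

ip_matches() {    # ip_matches <client-ip> <pattern> -> exit 0 on match
  awk -v ip="$1" -v pat="$2" '
    # compare the first len bits octet by octet (POSIX awk has no bitwise operators)
    function prefix_ok(ip, net, len,  i, bits, unit, a, b) {
      split(ip, a, "."); split(net, b, ".")
      for (i = 1; i <= 4; i++) {
        bits = len - 8 * (i - 1); if (bits > 8) bits = 8; if (bits < 0) bits = 0
        unit = 2 ^ (8 - bits)
        if (int(a[i] / unit) != int(b[i] / unit)) return 0
      }
      return 1
    }
    function mask_to_len(mask,  m, i, len) {    # contiguous masks: 255.255.255.0 -> 24
      split(mask, m, "."); len = 0
      for (i = 1; i <= 4; i++) len += log(256 / (256 - m[i])) / log(2)
      return int(len + 0.5)
    }
    BEGIN {
      if (pat == "ALL" || pat == ip) exit 0
      if (pat ~ /\.$/ && index(ip, pat) == 1) exit 0
      if (split(pat, p, "/") == 2) {
        len = (p[2] ~ /\./) ? mask_to_len(p[2]) : p[2] + 0
        if (prefix_ok(ip, p[1], len)) exit 0
      }
      exit 1
    }'
}

# Verdict of the first rule in <file> matching <daemon> and <ip>, or nothing.
# A trailing ":allow"/":deny" option (hosts_options(5)) overrides the file
# default, which is why "sshd: 1.2.3.4 : deny" inside hosts.allow really denies.
first_match() {    # first_match <daemon> <ip> <file> <default-verdict>
  local line daemons clients opt d c
  [ -r "$3" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    case "$line" in *:*) ;; *) continue ;; esac
    daemons=$(printf '%s' "$line" | cut -d: -f1 | tr ',' ' ')
    clients=$(printf '%s' "$line" | cut -d: -f2 | tr ',' ' ')
    opt=$(printf '%s' "$line" | cut -d: -f3- | tr -d ' \t')
    for d in $daemons; do
      [ "$d" = ALL ] || [ "$d" = "$1" ] || continue
      for c in $clients; do
        ip_matches "$2" "$c" || continue
        case "$opt" in allow|deny) printf '%s\n' "$opt" ;; *) printf '%s\n' "$4" ;; esac
        return 0
      done
    done
  done < "$3"
}

tcpwrap_decision() {    # tcpwrap_decision <daemon> <ip> <hosts.allow> <hosts.deny> -> allow|deny
  local v
  v=$(first_match "$1" "$2" "$3" allow)
  [ -n "$v" ] || v=$(first_match "$1" "$2" "$4" deny)
  printf '%s\n' "${v:-allow}"
}

# --- constructed sample rules (placeholder addresses) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/hosts.allow" <<'EOF'
# one host inside the allowed LAN, listed first so its explicit deny wins
sshd: 192.168.0.77 : deny
sshd: 192.168.0.0/24, 10.8.0.0/255.255.255.0 : allow
EOF
printf 'sshd: ALL\n' > "$demo_dir/hosts.deny"   # deny everything else; written after hosts.allow
if sshd_honours_tcp_wrappers; then echo "sshd is linked with libwrap: hosts.allow/hosts.deny apply"
else echo "sshd has no libwrap here; sshd-native equivalent:"; render_allowusers_from_nets admin 192.168.0.0/24 10.8.0.0/24; fi
for ip in 192.168.0.5 192.168.0.77 10.8.0.5 10.8.1.5 203.0.113.9; do
  printf 'sshd from %-12s -> %s\n' "$ip" "$(tcpwrap_decision sshd "$ip" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny")"
done
```

The sample rules show why order inside hosts.allow matters: 192.168.0.77 sits inside the allowed /24, so its explicit :deny rule has to come first to take effect, and 203.0.113.9 is denied only because the deny-all line in hosts.deny is reached after hosts.allow produced no match. Point tcpwrap_decision at your real files before enabling a deny-all; where the tcp_wrappers package is installed, tcpdmatch does the same check with the distribution's own matcher.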
Prevent Creation of New Users or Groups
Setting the immutable attribute on the account database stops the files from being modified, renamed or deleted by anyone, including root, until the attribute is removed (removing it needs CAP_LINUX_IMMUTABLE, so only a full-privilege root can undo it). Ordinary users cannot add accounts in any case; what this buys is tamper resistance against a compromised root process or a careless script. The price is that useradd, usermod, passwd, chsh, and package installs that create system users all fail until you unlock:
Lock:
chattr +i /etc/gshadow /etc/group /etc/shadow /etc/passwd
Unlock:
chattr -i /etc/gshadow /etc/group /etc/shadow /etc/passwd
Check with lsattr /etc/gshadow /etc/group /etc/shadow /etc/passwd (the lowercase i in the flag column is the immutable bit); ls -l shows permissions and timestamps only, not file attributes.
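The immutable bit has to come off for every legitimate change to the account database and go back on afterwards, including when the change fails halfway. The helper below is an added example, not code from the original post: it parses lsattr output to tell whether a file is immutable (ls -l cannot), and wraps an administrative command so the files are unlocked only for its duration and re-locked whatever its exit status. It needs root and a chattr-capable filesystem to do real work; as an unprivileged user it only exercises the parser on a constructed lsattr line. svc-report in the comment is a placeholder account name.

```sh
#!/bin/sh
# Added example (not from the original post): read the immutable bit the way
# lsattr reports it, and run one administrative command with the account files
# temporarily writable, re-locking them whatever the command's exit status.
# With +i set even root cannot run useradd, passwd, chsh or a package upgrade
# that adds a system user, so every legitimate change needs this unlock/relock.
# Real locking needs root (CAP_LINUX_IMMUTABLE) on ext4/xfs/btrfs; when run
# unprivileged only the parser is exercised, on a constructed lsattr line.
set -u

ACCOUNT_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow"

# lsattr prints a flag string and then the path, e.g.
#   ----i---------e------- /etc/passwd
# The lowercase "i" in the flag string is the immutable bit (ls -l never shows it).
lsattr_line_immutable() {    # lsattr_line_immutable "<one line of lsattr output>"
  case "${1%% *}" in *i*) return 0 ;; *) return 1 ;; esac
}

file_is_immutable() {    # file_is_immutable <path>
  lsattr_line_immutable "$(lsattr "$1" 2>/dev/null)"
}

lock_account_files()   { chattr +i $ACCOUNT_FILES; }
unlock_account_files() { chattr -i $ACCOUNT_FILES; }

# with_account_files_unlocked <command...>
# Unlock, run the command, always re-lock, and return the command's own status.
with_account_files_unlocked() {
  local rc
  unlock_account_files || return $?
  "$@"; rc=$?
  lock_account_files
  return $rc
}

# Typical use (svc-report is a placeholder account name):
#   with_account_files_unlocked useradd -s /sbin/nologin svc-report
#   with_account_files_unlocked chage -E 0 svc-report
if [ "$(id -u)" -eq 0 ] && command -v chattr >/dev/null 2>&1; then
  for f in $ACCOUNT_FILES; do
    if file_is_immutable "$f"; then echo "$f: immutable"; else echo "$f: writable"; fi
  done
else
  echo "not root or chattr missing; parsing a constructed lsattr line instead:"
  lsattr_line_immutable "----i---------e------- /etc/passwd" && echo "/etc/passwd: immutable"
fi
```

The wrapper deliberately captures the command's status before re-locking, so a failed useradd still leaves the files immutable and the caller still sees the failure.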
Apply Changes – Restart SSH Service
After editing configuration files, check the syntax, then restart (or reload) the daemon. A typo that stops sshd from starting locks you out of a remote machine, so keep the current session open (established sessions survive a restart) and confirm that a fresh login works before closing it:
sshd -t
systemctl restart sshd
# or, on Debian and Ubuntu, where the unit is named ssh
systemctl restart ssh
# on SysV-init systems
service sshd restart
Sample Automation Script
A Bash script (sshd_config-myrules.sh) ties the steps above together: it lists accounts with a nologin shell, appends allow/deny entries to sshd_config, adds hosts.allow/hosts.deny rules, validates the configuration, prints the effective allow/deny lists, and restarts sshd. Run it as root; the user, group and address names in it are the original post's placeholders, so change them before use.
#!/bin/bash
# author: xiongzaiqiren
# date: 2023-03-20
# usage: bash sshd_config-myrules.sh   (as root; user, group and address names are placeholders)
set -eu
[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
SSHD_CONFIG=/etc/ssh/sshd_config
# keep a copy to roll back to
cp -a "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%F-%H%M%S)"
# Example: create a user with a nologin shell
# useradd -s /sbin/nologin user01
# Show users whose shell is nologin
grep -i nologin /etc/passwd || true
# ">>" appends at the end of the file; if the file ends with a Match block the new
# lines land inside it and apply only to that block. Put them above the first Match line.
# Add AllowUsers entry
echo "AllowUsers user3" >> "$SSHD_CONFIG"
# Add AllowGroups entry
echo "AllowGroups 2g-admin" >> "$SSHD_CONFIG"
# Add DenyUsers entry
echo "DenyUsers user1" >> "$SSHD_CONFIG"
# DenyGroups is evaluated before AllowGroups, so denying the group admitted above
# would lock that group out. Only deny a group that is not in AllowGroups:
# echo "DenyGroups <other group>" >> "$SSHD_CONFIG"
# IP allow via hosts.allow (honoured only if sshd is linked with libwrap; see Method 3)
echo "sshd:192.168.0.1:allow" >> /etc/hosts.allow
# IP deny via hosts.deny
echo "sshd:192.168.0.2:deny" >> /etc/hosts.deny
# Validate before restarting: a syntax error would keep sshd from coming back up
sshd -t
# Show the allow/deny lists as sshd actually parses them
sshd -T | grep -Ei '^(allow|deny)(users|groups)' || true
# Restart SSH service (the unit is named "ssh" on Debian and Ubuntu)
systemctl restart sshd 2>/dev/null || systemctl restart ssh
Link for reference: https://www.cnblogs.com/xiongzaiqiren/p/sshlogin.html
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.