How can I setup SSH so that it is restricted to my local network?

You can restrict access to your ssh server in many ways.

IMO the most important is to use ssh keys and disable password authentication.

See the following wiki pages for details

  • https://help.ubuntu.com/community/SSH/OpenSSH/Keys
  • https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Disable_Password_Authentication

You can restrict access to a specific subnet in several ways. I will assume your ssh server is on subnet 192.168.0.0/16 with an IP address of 192.168.0.10, adjust accordingly ;)

Router

One line of defense is to use a router. Be sure to disable UPnP and do not allow port forwarding.

SSH configuration

You can set several options in /etc/ssh/sshd_config. One is the listen address: set a listen address on your subnet. A private IP address is not routable over the internet.

ListenAddress 192.168.0.10

You can also use the AllowUsers option

AllowUsers *@192.168.0.0/16

Somewhat related, you can also change the port

Port 1234

See: http://manpages.ubuntu.com/manpages/precise/man5/sshd_config.5.html

TCP wrapper

As outlined on the forums post, you can use TCP Wrapper. TCP wrapper uses 2 files, /etc/hosts.allow and /etc/hosts.deny

Edit /etc/hosts.allow and add your subnet

sshd : 192.168.0.

Edit /etc/hosts.deny, and deny all

ALL : ALL

See also: http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/

Firewall

Last, you can firewall your server. You can use iptables, ufw, or gufw.

iptables

sudo iptables -I INPUT -p tcp --dport 22 -s 192.168.0.0/16 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT

Please do not use DROP in iptables.

ufw

sudo ufw allow from 192.168.0.0/16 to any port 22
  • UFW
  • IptablesHowTo

ufw has a graphical interface: gufw

2020 UPDATE

Since this question, a simple approach is now possible using the Match keyword introduced in OpenSSH 6.5/6.5p1 (2014):

# Disable all auth by default
PasswordAuthentication no
PubkeyAuthentication no

[.. then, at the end of the file ..]

# Allow auth from local network
Match Address  192.168.1.*
    PubkeyAuthentication yes
    # if you want, you can even restrict to a specified user
    AllowUsers stephan

See man sshd_config for more details.
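The Match block above only does what is intended if the evaluation order is understood: global keywords are defaults, a satisfied Match block overrides them, and when several Match blocks are satisfied only the first occurrence of a keyword is applied. The following Python script is an added example, not part of the answer or of OpenSSH: it parses an sshd_config text and resolves the options that would apply to a client at a given address, following the rules in sshd_config(5) (address lists may mix CIDR ranges, wildcard patterns and "!"-negated entries). The sample configuration is constructed from the 2020 update above plus a hypothetical second Match block (AllowUsers admin) to show the first-block-wins rule; only the Address and User criteria are evaluated.

```python
"""Resolve which sshd_config options apply to a client at a given address.

Semantics follow sshd_config(5): the global section supplies defaults (the
first obtained value of a keyword is kept), a satisfied Match block
overrides them, and when several Match blocks are satisfied only the first
occurrence of a keyword among them is applied.
"""
import ipaddress
import re

# Constructed sample, not copied from a real host: the answer's 2020 UPDATE
# configuration plus a hypothetical second, overlapping Match block that
# shows the first-block-wins rule and a negated ('!') address entry.
SAMPLE_SSHD_CONFIG = """
# Disable all auth by default
PasswordAuthentication no
PubkeyAuthentication no

# Allow auth from local network
Match Address  192.168.1.*
    PubkeyAuthentication yes
    AllowUsers stephan

# Hypothetical second block for the rest of the /16, excluding one host
Match Address 192.168.0.0/16,!192.168.1.200
    PubkeyAuthentication yes
    AllowUsers admin
"""


def wildcard_match(value: str, pattern: str) -> bool:
    """sshd-style pattern match: '*' is any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def address_matches(addr: str, pattern_list: str) -> bool:
    """Evaluate a comma-separated sshd address list against one address.

    A CIDR entry (192.168.0.0/16) matches when the address lies inside the
    network; any other entry is a wildcard pattern (192.168.1.*) matched
    textually. A '!' prefix negates an entry: a matching negated entry makes
    the whole list fail at once, otherwise the list matches when at least
    one positive entry matched.
    """
    ip = ipaddress.ip_address(addr)
    positive = False
    for entry in filter(None, (e.strip() for e in pattern_list.split(","))):
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if "/" in entry:
            matched = ip in ipaddress.ip_network(entry, strict=False)
        else:
            matched = wildcard_match(addr, entry)
        if matched:
            if negated:
                return False
            positive = True
    return positive


def parse_sshd_config(text: str):
    """Return (global_opts, blocks); blocks is a list of (criteria, opts).

    Keywords are lower-cased. In the global section the first value of a
    keyword is kept, as sshd does; comments and blank lines are ignored.
    """
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ") if " " in line else (line, "", "")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            tokens = value.split()  # "Criterion pattern" pairs
            criteria = {c.lower(): p for c, p in zip(tokens[0::2], tokens[1::2])}
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(keyword, value)
        else:
            current[1].setdefault(keyword, value)
    return global_opts, blocks


def block_matches(criteria: dict, client_addr: str, user) -> bool:
    """A block matches only if every criterion is satisfied; criteria other
    than Address and User are not evaluated here and make the block fail."""
    for crit, pattern in criteria.items():
        if crit == "address":
            if not address_matches(client_addr, pattern):
                return False
        elif crit == "user":
            if user is None or not wildcard_match(user, pattern):
                return False
        else:
            return False
    return True


def effective_options(text: str, client_addr: str, user=None) -> dict:
    """Options sshd would apply to a connection from client_addr."""
    global_opts, blocks = parse_sshd_config(text)
    effective = {}
    for criteria, opts in blocks:
        if block_matches(criteria, client_addr, user):
            for key, value in opts.items():
                effective.setdefault(key, value)  # first satisfied block wins
    for key, value in global_opts.items():
        effective.setdefault(key, value)          # globals fill the rest
    return effective


if __name__ == "__main__":
    for addr in ("192.168.1.20", "192.168.1.200", "192.168.5.7", "203.0.113.9"):
        opts = effective_options(SAMPLE_SSHD_CONFIG, addr)
        print(f"{addr:>14}: PubkeyAuthentication={opts['pubkeyauthentication']} "
              f"AllowUsers={opts.get('allowusers', '(any)')}")
```

For a host on 192.168.1.x the first block supplies PubkeyAuthentication yes and AllowUsers stephan, and the second block's AllowUsers admin is ignored even though its range also matches; a host elsewhere in the /16 gets the second block; an outside address falls back to the global PubkeyAuthentication no. On a real server the authoritative check is the daemon itself: `sshd -T -C addr=192.168.1.20,user=stephan` prints the effective configuration for that connection.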