Restrict SSH Access Using tcpd (TCPWrapper) on Linux

To achieve this, the /etc/hosts.deny file would look like this:

sshd: ALL

To allow some IP addresses to connect, the /etc/hosts.allow file would simply look like this:

sshd: 10.10.10.10, 1.2.3.4, 21.21.21.21

TCP Wrappers works nicely even if you move SSH from its standard port (usually TCP port 22) to port 2222, for example, to stop port scans filling up your logs, because the rules match on the daemon name (sshd) rather than on a port number. Without TCP Wrappers enabled, scanners might run dictionary attacks against your server, in which password combinations are guessed by one of many automated attack methods.

As well as being able to take individual IP addresses, hosts.allow can happily handle the CIDR notation of classless IP address ranges, such as:

sshd: 10.10.10.0/24, 1.2.3.4/32, 21.21.0.0/19
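
An added example (not from the original article): a small Python model of how a client address is checked against the two files, assuming the wrapper library compares (client & mask) == net using the network exactly as written, and consults hosts.allow before hosts.deny. The file contents are constructed samples and the function names are hypothetical; it handles only IPv4 literals, prefix lengths and ALL, and it flags a range written with host bits set (21.21.21.0/19 instead of 21.21.0.0/19), which under that assumption admits nobody.

```python
import ipaddress

# Constructed sample file contents (one rule per line), not taken from a real host.
HOSTS_ALLOW = ["sshd: 10.10.10.0/24, 1.2.3.4/32, 21.21.21.0/19"]
HOSTS_DENY = ["sshd: ALL"]

def parse_rule(line):
    """Split 'daemon: client, client' into (daemon, [client patterns])."""
    daemon, _, clients = line.partition(":")
    return daemon.strip(), clients.replace(",", " ").split()

def entry_matches(pattern, client_ip):
    """Assumed wrapper comparison: (client & mask) == net, net used as written."""
    if pattern.upper() == "ALL":
        return True
    net_s, _, bits = pattern.partition("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF if bits else 0xFFFFFFFF
    client = int(ipaddress.IPv4Address(client_ip))
    return (client & mask) == int(ipaddress.IPv4Address(net_s))

def dead_entries(patterns):
    """Return net/prefix entries with host bits set; under the assumption above they match nobody."""
    dead = []
    for p in patterns:
        if "/" in p:
            try:
                ipaddress.IPv4Network(p, strict=True)
            except ValueError:
                dead.append(p)
    return dead

def access(daemon, client_ip, allow_lines=HOSTS_ALLOW, deny_lines=HOSTS_DENY):
    """hosts.allow is checked first, then hosts.deny; no match in either means allow."""
    for verdict, lines in (("allow", allow_lines), ("deny", deny_lines)):
        for line in lines:
            name, patterns = parse_rule(line)
            if name in (daemon, "ALL") and any(entry_matches(p, client_ip) for p in patterns):
                return verdict
    return "allow"

if __name__ == "__main__":
    for ip in ("10.10.10.77", "1.2.3.4", "21.21.21.5", "8.8.8.8"):
        print(ip, access("sshd", ip))
    print("never matches:", dead_entries(parse_rule(HOSTS_ALLOW[0])[1]))
```

Run dead_entries over each rule of a real hosts.allow before relying on it: an entry it reports fails closed, so the symptom is a legitimate client being refused rather than an unexpected one being admitted.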