Limiting Incoming SSH Connections on Mac


SSH, or the Secure SHell, is an important tool for remote access and administration on a Mac computer.  Unfortunately, SSH is a common target for malicious attackers.  Examination of network traffic shows that attackers are constantly scanning our address space looking for SSH servers, then trying to guess (or brute force) username and password combinations.  This is a scary situation, but there are steps you can take to protect your machine. 

If you do use SSH, think carefully about where you access your machine from.  Most people only access their machine from on campus or from their home ISP.  If this is the case, then there is no reason to allow people in Brazil to attempt to log into your machine.  Instead, you can modify your SSH daemon (or server) configuration to only allow connections from networks that you know you will use.  This allows you to maintain access to your machine, but deny access to networks that you will never utilize.

In the following example we will limit access to our SSH server to only attempts from on campus and from Verizon customers.  To do this you'll need to modify your SSH configuration, which is a text file found at /etc/sshd_config.  You will need administrative privileges to alter this file.  Add the following lines to your /etc/sshd_config file to limit connections to only those originating on campus and Verizon:

AllowUsers *@*.upenn.edu
AllowUsers *@*.verizon.net

These lines tell the SSH server to only allow users coming from the Upenn.edu and Verizon.net address space.  All other connections will be denied.  To be even more cautious, you can limit the user accounts that may be used to access the machine.  This is especially important if you have separate administrative and non-administrative accounts.

AllowUsers Stacey@*.upenn.edu

This will only allow the user named "Stacey" (in our example a non-admin user account) to access the machine, and only from the Upenn.edu address space.
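The following Python model is an added example, not part of the original page, of how sshd evaluates the AllowUsers patterns shown above (both the network-only rules and the Stacey@*.upenn.edu rule), so you can reason about what a directive will permit before touching the live /etc/sshd_config.  It assumes the USER@HOST semantics from the sshd_config manual: repeated AllowUsers lines are cumulative, the USER part is matched case-sensitively, and the HOST part is matched against the client's reverse-resolved hostname (or, for a CIDR block, against its IP), so a client whose IP has no reverse DNS entry will not match a hostname pattern like *.upenn.edu even if it really is on campus.  All hostnames and IP addresses in the sample are constructed.

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragment mirroring the page's example; nothing is read from /etc.
SAMPLE_CONFIG = """
# restrict logins to campus and Verizon clients
AllowUsers *@*.upenn.edu
AllowUsers *@*.verizon.net
"""

def parse_allow_users(config_text):
    """Return every pattern from all AllowUsers lines; sshd concatenates repeated directives."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "allowusers" and len(parts) == 2:
            patterns.extend(parts[1].split())
    return patterns

def host_matches(host_pattern, client_host, client_ip):
    """HOST part of USER@HOST: a CIDR block is tested against the client IP; any other
    pattern is a case-insensitive wildcard tested against the reverse-resolved hostname
    and the IP string.  (sshd itself knows only * and ?; fnmatch also accepts [...].)"""
    if "/" in host_pattern:
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(host_pattern, strict=False)
        except ValueError:
            return False
    candidates = [h.lower() for h in (client_host, client_ip) if h]
    return any(fnmatch.fnmatchcase(h, host_pattern.lower()) for h in candidates)

def login_allowed(patterns, user, client_host, client_ip):
    """No AllowUsers directive means this check passes for everyone; otherwise at least
    one pattern must match both the username (case-sensitive) and the client host."""
    if not patterns:
        return True
    for pattern in patterns:
        user_pattern, _, host_pattern = pattern.partition("@")
        if not host_pattern:
            host_pattern = "*"  # a bare USER pattern places no restriction on the source host
        if fnmatch.fnmatchcase(user, user_pattern) and host_matches(host_pattern, client_host, client_ip):
            return True
    return False
```

Call login_allowed(parse_allow_users(SAMPLE_CONFIG), "stacey", None, "192.0.2.10") to see the reverse-DNS case: the campus address is denied because no hostname is available to match *.upenn.edu, which is why a CIDR pattern such as *@192.0.2.0/24 is the more robust way to express a network restriction.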