Restrict SSH Access on the Public Network

Overview

SSH accessibility provides users with the ability to securely access a device through an Internet connection. SSH is available on SoftLayer, an IBM company, devices on both the public and private network; however, we recommend that SSH accessibility over the public network be restricted unless it is necessary for a unique business need. With SSH access restricted on the public network, users may still access a device over the private network, but the risk from unknown users accessing the device on the public network is mitigated, which ensures a more secure environment. If SSH accessibility over the public network is necessary, we recommend moving SSH to a custom port number for an added layer of security. Follow the steps below to restrict SSH access on the public network.

Restrict SSH Access

  1. Access the Private Network over VPN.
  2. Log into the Bare Metal Server's Private IP Address through SSH.
  3. Run the following command to open the sshd_config file for edits:
    vi /etc/ssh/sshd_config
  4. Remove the hash (#) from one ListenAddress line to uncomment the line.
  5. Enter the Private IP Address for the Bare Metal Server in the uncommented ListenAddress line.
  6. Run the :wq command to save the changes and exit the file.
  7. Restart the sshd service:
    service sshd restart
  8. Test the updates to SSH accessibility by attempting to access SSH over the Bare Metal Server's public IP address.
     
    If a connection...   Then...
    Cannot be made       Changes made to SSH accessibility were successful. No further action is required.
    Can be made          Changes made to SSH accessibility were unsuccessful. Repeat the steps above to retry SSH restriction. If issues persist, please contact Support.
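
The edit made in steps 4 and 5 can be checked before the restart in step 7 with a small audit of the file. This is an added example, not part of the original procedure: the function names are hypothetical, the sample address 10.0.80.15 is constructed, and the script reads a single file in the whitespace-separated ListenAddress form.

```sh
#!/bin/sh
# Added example: audit the active ListenAddress lines of an sshd_config.
# Assumes the "ListenAddress <addr>[:port]" form in a single file (no Include).

# True only for dotted IPv4 in the RFC 1918 ranges 10/8, 172.16/12, 192.168/16.
is_private_ipv4() {
    case "$1" in *[!0-9.]*) return 1 ;; esac   # hostnames, IPv6, brackets
    case "$1" in
        10.*.*.*|192.168.*.*) return 0 ;;
        172.1[6-9].*.*|172.2[0-9].*.*|172.3[01].*.*) return 0 ;;
    esac
    return 1
}

# Prints a verdict per active line. Returns 0 if every active ListenAddress is
# private, 1 if any is public or a wildcard, 2 if none is active (sshd then
# listens on all local addresses, the public one included).
check_listen() {
    found=0; bad=0
    while read -r a; do
        [ -n "$a" ] || continue
        found=1
        # ${a%%:*} drops an optional :port; "::" becomes empty and is flagged.
        if is_private_ipv4 "${a%%:*}"; then echo "OK      $a"
        else echo "PUBLIC  $a"; bad=1; fi
    done <<EOF
$(awk 'tolower($1) == "listenaddress" { print $2 }' "$1")
EOF
    [ "$found" -eq 1 ] || { echo "NONE    no active ListenAddress"; return 2; }
    return "$bad"
}

# Constructed sample: steps 4-5 applied to one line (10.0.80.15 is made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#ListenAddress 0.0.0.0
ListenAddress 10.0.80.15
#ListenAddress ::
EOF
if check_listen "$sample"; then echo "sshd is bound to the private address only"; fi
rm -f "$sample"
```

A return code of 2 corresponds to the state before step 4, where every ListenAddress line is still commented out.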

What Happens Next

After successfully restricting SSH access, users will be unable to access the device through SSH unless they are connecting through the private network. This action may be reversed at any time by adding the hash (#) back to the uncommented line, which turns the line back into a comment.