0

I want to disable all ssh connections from both IPv4 and IPv6 except certain IPs.

I can set /etc/hosts.deny to deny all IPv4 ssh connections:

sshd: ALL

How do I apply this to IPv6?

I tried the entries below, and they failed:

sshd: [*]

and

sshd: [ALL]

My sshd server version: PKIX-SSH 12.1, OpenSSH_8.0p1, OpenSSL 1.0.2g-fips 1 Mar 2016

And PKIX is configured with --with-tcp-wrappers

1 Answer

1

If you want to "block" all IPv6 connections to your device you can simply not listen on IPv6.

So you can configure sshd_config to listen only on IPv4. ListenAddress IPv4:Port, example: ListenAddress 192.168.2.1:22

or

Define an IPv4-only hostname for your host:

/etc/hosts
192.168.2.1 myhost
/etc/ssh/sshd_config
ListenAddress myhost:22
BitsOfNix
  • What I want to do is to disable all IPv6, but I want to let the user add a whitelist. – Yu-Ting Chen Jul 29 '19 at 07:28
  • That does not make sense. If you want to disable IPv6 across the system then edit the question accordingly. I do not understand what you mean by "let user to add to white list". Once IPv6 is disabled system-wide, you cannot use IPv6 any longer. This is valid for both incoming and outgoing connections. – BitsOfNix Jul 29 '19 at 07:40
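
A way to verify the IPv4-only setup described in the answer above, as an added example that is not part of the original answer or of OpenSSH: it reads sshd_config and /etc/hosts text and reports every reason sshd would still accept IPv6 connections. The function names and sample file contents are constructed, hostnames are resolved only against the supplied hosts text (no DNS), and `AddressFamily` is a standard sshd_config keyword that the page does not mention.

```python
import ipaddress

# Constructed sample inputs mirroring the answer's example (not from a real host).
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost ip6-localhost\n192.168.2.1 myhost\n"
SAMPLE_SSHD_CONFIG = "Port 22\nListenAddress myhost:22\n"

def parse_hosts(text):
    """Map each name in /etc/hosts-style text to the addresses listed for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(fields[0])
    return table

def listen_host(value):
    """Host part of a ListenAddress value: host, host:port or [host]:port."""
    value = value.split()[0]                      # drop a trailing "rdomain ..." part
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value

def ipv6_exposure(config_text, hosts_text):
    """Return the reasons sshd would accept IPv6; an empty list means IPv4 only."""
    hosts, family, listens = parse_hosts(hosts_text), None, []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "addressfamily" and family is None:   # first value wins
            family = val.lower()
        elif key == "listenaddress":                     # may appear several times
            listens.append(val)
    if family == "inet":   # assumption: applies to every ListenAddress, whatever the order
        return []
    if not listens:
        return ["no ListenAddress: sshd binds every local address, IPv6 included"]
    findings = []
    for val in listens:
        host = listen_host(val)
        try:
            addrs = [ipaddress.ip_address(host)]         # literal IPv4 or IPv6 address
        except ValueError:                               # a hostname: consult hosts text
            addrs = [ipaddress.ip_address(a) for a in hosts.get(host.lower(), [])]
            if not addrs:
                findings.append(f"{val}: name not in hosts file, check DNS for AAAA records")
        findings += [f"{val}: binds IPv6 address {a}" for a in addrs if a.version == 6]
    return findings
```

An empty result for the real files only shows that sshd will not bind IPv6; restricting which IPv4 clients may connect is a separate control.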