Disable Network Interface for SSH


In my linux machine, I have 10 network interfaces available like eth0, eth0.67, eth0.70, eth0.97 etc,.

When i run the command nc 22 to check, i get like below:

root@icon:~# nc 22

In my system, eth0.97 is having inet as So here SSH is listening on interface eth0.97.
enter image description here

Similar to above, SSH is listening on all available 10 interfaces. How to disable or enable one particular interface to listen on SSH?

In /etc/ssh/sshd_config, below was the configuration

#Port 22
#AddressFamily any
#ListenAddress ::

But i changed as below to listen only one interface and restarted ssh.

#Port 22
#AddressFamily any
#ListenAddress ::

But after above change also, ssh is listening on all interfaces

Best Answer

I would proceed as follows:

Modify your sshd configuration:

  • Edit the sshd configuration file, typically located at /etc/ssh/sshd_config.
  • Look for the option ListenAddress. By default, it's commented out (#ListenAddress).
  • Uncomment the line and add the IP address of your interface you want to use.

Configure your Firewall if applicable

Additionally, I would restrict SSH access using the system-firewall, I assume that you use UFW, but this should work with any firewall.

  • Deny all incoming traffic using sudo ufw default deny incoming (Note, that this blocks EVERYTHING, so make sure that you won't lose your connection to the server!)
  • Explicitly allow SSH traffic on your NIC (I assume it's eno0 for this example) sudo ufw allow OpenSSH on eno0 (Instead of OpenSSH you can also use your port, e.g. 22)

You could also tinker around with /etc/host.deny and /etc/hosts.allow but I'm not sure if you can define rules on interface level.

As I saw, that you already did step 1, and it didn't help you, I'd assume, that you didn't restart ssh correctly. Note that there are two different services:

  • ssh.service
  • sshd.service

The "difference" is explained here.

Maybe, there's something messed up. When you check the status of your server, you can see, since when it is running. So make sure, that your server really got restarted. (Note that I have an Alias for status to sudo systemctl status)

╭─user@host ~
╰─$ status sshd.service
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-04-18 11:42:44 CEST; 7s ago
       Docs: man:sshd(8)
    Process: 686 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 687 (sshd)
      Tasks: 1 (limit: 9255)
     Memory: 1.6M
        CPU: 63ms
     CGroup: /system.slice/ssh.service
             └─687 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

You can also test your SSH configruation using sudo sshd -t -f /etc/ssh/sshd_config. If there is no error, it won't complain and give no output.


I would like to refer here to @Martin's comment. It would be smart to look in /etc/ssh/sshd_config.d/ for other configuration files that might influence the behavior.

Whether the directory is taken into account can be seen from the line Include /etc/ssh/sshd_config.d/*.conf (should be at the top) in /etc/ssh/sshd_config. (This should be the default)

Note: The path can also be different. For example, Include /etc/ssh/example/example.conf would also include this file if the line is in sshd_conf.

Related Topic