LinuxQuestions.org
Old 04-30-2006, 12:18 PM   #1
daiver
Member
 
Registered: Oct 2003
Location: Uruguay
Distribution: PCLinuxOS
Posts: 53

Rep: Reputation: 15
Blacklist all, whitelist two countries


I've been reading some horror stories about people getting cracked and played with. I would really like to avoid this.

I would like to have remote SSH access to my computer, but I don't want anyone else to have it. Nothing is secure, but at least I can narrow it down.

Basically, I want no computers to have access to mine anywhere in the world, EXCEPT for computers in Uruguay and Argentina. So I guess that would involve blacklisting the world and whitelisting these two countries. I guess that this would narrow down the hacking possibilities.

Can anyone teach or link me how to do this?

Also, how do I disallow root SSH access?

Edit: If someone can explain how to change the SSH port and what port I should put it in, that would be great too. Thanks!

Last edited by daiver; 04-30-2006 at 12:19 PM.
 
Old 04-30-2006, 01:42 PM   #2
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Rep: Reputation: 30
Reply

To disable remote root access go into /etc/ssh/sshd_config and change PermitRootLogin to no. This will make the user have to su to get access to root. You might also want to set it up that only users in a select group can su into it. This is traditionally wheel. If using a Linux system with PAM go into /etc/pam.d/su and uncomment:

auth required pam_wheel.so group=wheel

Make sure you're in the group before you do this or at least make sure you have a root session already open in case of problems. Open up another terminal and test whether you can su into it. If not uncomment it and find out what's wrong. If you're on a distro without PAM you want to look into /etc/login.defs.

To only allow certain traffic I would suggest looking into TCP wrappers. The files are /etc/hosts.allow and /etc/hosts.deny. You can find some online docs telling you how to do this. You can specify specific hosts, ranges, etc. For you to block by country you would need to find out which IP ranges are registered to your country. I don't know if this is possible. However, there are tricks if you want to limit access to select known hosts. If you have a dynamic IP look into no-ip.com which lets you use a DNS name with a dynamic IP. You can also set up a VPN which would give you a private network.


To change the SSH port this is listed in /etc/sshd_config as well. Change the port and restart it with

/etc/init.d/ssh restart

Last edited by HGeneAnthony; 04-30-2006 at 01:48 PM.
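
An added example (not part of the original thread) of the allow-list approach described in the post above: given a list of IPv4 CIDR blocks for the permitted countries, it emits net/mask lines for /etc/hosts.allow plus the deny-all line for /etc/hosts.deny. The input ranges are constructed documentation prefixes; obtaining real per-country ranges is assumed to happen elsewhere, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Sample ranges are RFC 5737
# documentation prefixes, not real Uruguay/Argentina allocations.
# Prefix length (0-32) -> dotted netmask, e.g. 22 -> 255.255.252.0
prefix_to_mask() {
    p=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then octet=255; p=$((p - 8))
        else octet=$(( 256 - (1 << (8 - p)) )); p=0
        fi
        mask="${mask:+$mask.}$octet"
    done
    echo "$mask"
}

valid_ipv4() {   # four dot-separated octets, each 0-255
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

valid_prefix() {   # decimal 0-32
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 2 ] && [ "$1" -le 32 ]
}

# stdin: one CIDR block per line ('#' comments allowed).
# stdout: hosts.allow lines for daemon $1; bad entries go to stderr.
cidr_to_hosts_allow() {
    while IFS= read -r line; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        net=${line%/*}; prefix=${line#*/}
        if [ "$net" != "$line" ] && valid_ipv4 "$net" && valid_prefix "$prefix"; then
            echo "$1: $net/$(prefix_to_mask "$prefix")"
        else
            echo "skipped invalid entry: $line" >&2
        fi
    done
}

sample_ranges() {   # constructed input, including one malformed line
    printf '%s\n' '# constructed sample' '192.0.2.0/24' \
        '198.51.100.0/25   # office' '300.1.2.3/24' '203.0.113.16/28'
}

sample_ranges | cidr_to_hosts_allow sshd   # lines for /etc/hosts.allow
echo "sshd: ALL"                           # line for /etc/hosts.deny
```

sshd only consults these files when it is built with libwrap; upstream OpenSSH removed that support in 6.7, so on such systems the same validated ranges belong in the packet filter instead.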
 
Old 04-30-2006, 02:44 PM   #3
daiver
Member
 
Registered: Oct 2003
Location: Uruguay
Distribution: PCLinuxOS
Posts: 53

Original Poster
Rep: Reputation: 15
Awesome information! Thank you very much. I'll investigate and see how I can block countries. It's probably easier not to block countries, but only to allow a few of them.
 
Old 04-30-2006, 03:32 PM   #4
daiver
Member
 
Registered: Oct 2003
Location: Uruguay
Distribution: PCLinuxOS
Posts: 53

Original Poster
Rep: Reputation: 15
I was also wondering if there was something similar to this:

if nslookup=*.uy, *.ar
then allow access
else block

I am aware that this is not a programming language, I just needed a quick way to express myself.
 
Old 04-30-2006, 10:41 PM   #5
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Rep: Reputation: 30
Reply

I'm really not sure. I haven't looked into it too much beyond my own needs. The one thing is users who might connect to your system probably won't have a DNS to begin with so this might not work well.
 
  


All times are GMT -5. The time now is 07:58 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration