How to Manage IP Access for SSH and SFTP Connections

In this KB, we will explain how you can restrict SSH and SFTP access to specific IP addresses on the Cloudways Platform.

Cloudways Product avatar
Written by Cloudways Product
Updated over a week ago

Table of Contents

In this article, we will explain how you can restrict SSH and SFTP access to specific IP addresses and if you are accidentally blocked (cannot connect via SSH or SFTP to your Cloudways server), then how you can unblock yourself.

How to Limit SSH and SFTP Access

Secure Remote Connections — Navigate to Security Settings

Log in to your Cloudways Platform using your email address and password.

  1. From the top menu bar, open Servers.

  2. Then, choose your server.

    Classic Interface

    New Interface

  3. Select Security.

    Classic Interface

    New Interface

Secure Remote Connections — Managing Security Settings

Here, you will find two options:

  • Allow all IP addresses except those blocked by the Cloudways security system.

  • Block all IP addresses except those on the Whitelist. (Recommended)

The first option means that all the IP addresses can connect to your server via SSH and SFTP, except those IP addresses blocked by the Cloudways Security System. This option is selected by default. If not, you can choose this option and hit Save Changes.

Classic Interface

New Interface

A more drastic option, yet a more secure option is to use the ‘Block all IP addresses, except those on the Whitelist’ option, which means that all the IP addresses are blocked from creating SSH and SFTP connections except those IP addresses which are whitelisted.

If you have chosen this option, you will need to whitelist your IP address by adding it to the “Whitelist IP” list.

As a prerequisite, you will need to know which IP address to whitelist. Keep in mind that your Internet Service Provider (ISP) might have allocated you with either a dynamic IP or a static IP. A static IP will not change unless required by the provider or yourself, while a dynamic IP will normally rotate to a new one at an interval set by the ISP. Whitelisting a dynamic IP will be difficult as it will carry on changing every time.

What is my IP Address?

Meanwhile, we need to resolve what our current IP address is. We can use a simple google search for this.

  1. Go to google.com.

  2. Search for “what is my IP”.

  3. Your search results will include a number composed of 4 different numbers separated by dots, such as ‘169.254.61.23’ – that’s your IP, which will need to be whitelisted.

Whitelisting an IP Address

  1. Under Security, Choose “Block all IP addresses, except those on the Whitelist.

  2. Type the IP address you want to whitelist and click Add.

  3. Finally, click Save Changes.

Tips

  • There is no limit on the number of IPs that can be whitelisted.

  • Although not recommended, you can also add IP subnet(s) to whitelist a range of IP addresses (e.g., 169.254.0.0/16 or 169.254.1.0/24).

  • If you have a dynamic IP address, you might want to search for a VPN service that can offer you a static IP, also keep in mind that anyone making use of such static/external IP will be able to request an SSH/SFTP connection to your server; hence you still need to make sure your access credentials are secure and kept private.

Classic Interface

New Interface

That’s it! You have learned how to restrict the SSH and SFTP access only to trusted IPs. Please note that the above configurations will only affect your selected server; other servers will remain unaffected.

Preventing Unauthorized Access

We also recommend taking the following measures to prevent unwanted logins via SSH and SFTP.

  • Set a strong master or application password for remote logins as your first defense. Also, many security geeks suggest changing passwords frequently.

  • Set up SSH Keys to securely log in. SSH keys are much harder to decipher than conventional passwords.

  • If you are a WordPress user, you can enable Bot Protection to enhance your WordPress application’s security.

That’s it! We hope this article was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.

FAQs

My security settings are not functioning correctly; what could be the problem?

The ability to allow or block IP addresses is only available for the latest builds, such as Debian 8, Debian 9, Debian 10, and Debian 11 servers. Anyone running older builds such as Debian 7 is encouraged to clone their setup to a new server, which will automatically upgrade you to the latest build.

How can I check which version of Debian my server is running?

The best way to verify this is by connecting to your server via SSH and executing the following command:

cat /etc/os-release

Did this answer your question?