How to disable SSH access from everywhere except for certain IPs in CentOS 7

Here’s how to do it:

firewall-cmd --zone=internal --add-service=ssh --permanent
firewall-cmd --zone=internal --add-source= --permanent
firewall-cmd --zone=internal --add-source= --permanent
firewall-cmd --zone=public --remove-service=ssh --permanent

This declares an internal zone with two IPs (add as many or as few as you like) and subsequently removes the SSH service from the public zone altogether. As a result, any other IP gets a message such as “Connection refused” when trying to connect via SSH.

The “–permanent” switch saves the changes. Remove it for testing or if you don’t want this change to be permanent.

Jay is founder of WP Hosting, a boutique style managed WordPress hosting and support service. He has been working with Plesk since version 9 and is a qualified Parallels Automation Professional. In his spare time he likes to develop iOS apps and WordPress plugins, or drawing on tablet devices. He blogs about his coding journey at and

You can leave a comment on my original post.