How to allow SSH connections only from my country on Cloud Firewalls?

Posted June 12, 2017 6k views

How do I set IP ranges on Digital Ocean Cloud Firewalls to allow SSH connections only from my country?

  • I use dynamic IP
  • I know that my country uses IP starting with 187, 189, 200 and 201
  • I didn’t understand what /8, /16, /24 means and how to use it

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
2 answers


The Cloud Firewall service doesn’t allow you to block requests from a specific country. You can allow an IP range, though unless you’re 100% sure that your country/ISP owns all IP’s in all four ranges, by allowing access from each, you may be allowing access from a country other than your own.

Honestly, the best way to go about limiting access would be per IP. Since you have a dynamic IP, the way around this would be to setup and connect to a VPN. The VPN would provide a static IP and that would be the IP allowed to access SSH.

This would be the best route as it’s far easier to manage a whitelist then it is a large blacklist. It’s better to simply blacklist everyone other than what you whitelist, which is what most recommend when setting up a firewall.

  • Hi,
    I got your email ID in your profile on Digital Ocean community forums.
    Sent you email just now but it is bouncing back, so I am contacting you here.
    I have signed up to DO and want to setup the server.
    I have also created a Droplet, but I couldnot go ahead due to lack of knowledge.
    Can you setup my server with all the security requirements ?


Hi @edirpedro

Depending on which country in Latin America (LACNIC) you’re located in, the list is a bit more extensive than that:
And that doesn’t tell if some of the IP segments has been sold to other countries/companies.

You can add every segment to the Sources like this:

There’s a pretty good explanation of the CIDR (/8 /16 /24) on Wikipedia:
And in Spanish too:

But blocking all but non-LACNIC segments will only get you so far. You should be using SSH keys instead of passwords and probably run something like fail2ban as well.

by Justin Ellingwood
Fail2ban is a daemon that can be run on your server to dynamically block clients that fail to authenticate correctly with your services repeatedly. This can help mitigate the affect of brute force attacks and illegitimate users of your services. In this guide, we'll show demonstrate how to install and configure fail2ban to protect SSH and Nginx on an Ubuntu 14.04 server.
  • I’m using fail2ban and a SSH key, but i had this idea to allow only from my country and I decided to test. Now I know it’s not simple and not the best practice. Thanks for the explanations.