How to allow SSH connections only from my country on Cloud Firewalls?

Posted June 12, 2017 4.4k views

How do I set IP ranges on Digital Ocean Cloud Firewalls to allow SSH connections only from my country?

  • I use dynamic IP
  • I know that my country uses IP starting with 187, 189, 200 and 201
  • I didn’t understand what /8, /16, /24 means and how to use it

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

2 answers


The Cloud Firewall service doesn’t allow you to block requests from a specific country. You can allow an IP range, though unless you’re 100% sure that your country/ISP owns all IP’s in all four ranges, by allowing access from each, you may be allowing access from a country other than your own.

Honestly, the best way to go about limiting access would be per IP. Since you have a dynamic IP, the way around this would be to setup and connect to a VPN. The VPN would provide a static IP and that would be the IP allowed to access SSH.

This would be the best route as it’s far easier to manage a whitelist then it is a large blacklist. It’s better to simply blacklist everyone other than what you whitelist, which is what most recommend when setting up a firewall.

  • Hi,
    I got your email ID in your profile on Digital Ocean community forums.
    Sent you email just now but it is bouncing back, so I am contacting you here.
    I have signed up to DO and want to setup the server.
    I have also created a Droplet, but I couldnot go ahead due to lack of knowledge.
    Can you setup my server with all the security requirements ?


Hi @edirpedro

Depending on which country in Latin America (LACNIC) you’re located in, the list is a bit more extensive than that:
And that doesn’t tell if some of the IP segments has been sold to other countries/companies.

You can add every segment to the Sources like this:

There’s a pretty good explanation of the CIDR (/8 /16 /24) on Wikipedia:
And in Spanish too:

But blocking all but non-LACNIC segments will only get you so far. You should be using SSH keys instead of passwords and probably run something like fail2ban as well.

by Etel Sverdlov
SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. With SSH keys, users can log into a server without a password. This tutorial explains how to generate, use, and upload an SSH Key Pair.
  • I’m using fail2ban and a SSH key, but i had this idea to allow only from my country and I decided to test. Now I know it’s not simple and not the best practice. Thanks for the explanations.

Submit an Answer