From owner-freebsd-questions@FreeBSD.ORG Fri Apr 18 09:16:04 2008
From: Mel
To: freebsd-questions@freebsd.org
Cc: Gilles
Date: Fri, 18 Apr 2008 11:15:58 +0200
Subject: Re: [SSHd] Limiting access from authorized IP's
References: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com>
In-Reply-To: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com>
Message-Id: <200804181115.59498.fbsd.questions@rachie.is-a-geek.net>

On Friday 18 April 2008 10:51:45 Gilles wrote:
> 1. I'd like to limit connections from the Net only from specific IP's.
> It seems like there are several ways to do it (/etc/hosts.allow,
> AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would
> you recommend?

hosts.allow == TCP wrapper. I recommend firewall, with hosts.allow backup.
In the event the firewall gets disabled, hosts.allow takes over.

Note though, that with setups like this, you will have to call someone to
add your IP to the lists, when your IP changes or you're at a location you
didn't think you'd need access from. I personally prefer sshd to be world
accessible and block scans, since I consider being locked out of the
machines a security risk as well...

> 2. Although it's up and running, I can't find SSHd in the list of
> installed apps:
>
> $ which sshd
>
> /usr/sbin/sshd

It's not a port, comes with the base system.

--
Mel

Problem with today's modular software: they start with the modules and
never get to the software part.
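The "firewall first, hosts.allow as backup" layering Mel describes only works if the hosts.allow rules are written so that the first matching line for sshd is the one you intended. The following is an added example, not code from the mail or from FreeBSD: a small evaluator for a subset of the hosts_access(5) syntax that FreeBSD's sshd consults (daemon list : client list : allow/deny, first match wins, IPv4 literals, trailing-dot prefixes, net/mask pairs and EXCEPT; hostname patterns, LOCAL/KNOWN/PARANOID and backslash continuation lines are not modelled). The two configurations inside it are constructed samples; the second one shows the common mistake of listing the authorized addresses but never adding the `sshd : ALL : deny` line, which leaves sshd open to everyone once the firewall is out of the picture.

```python
import ipaddress

# Constructed sample /etc/hosts.allow: an allow-list for sshd, terminated by
# a deny line, with every other daemon left open. Addresses are RFC 5737
# documentation ranges.
LOCKED_DOWN = """
# allow two admin addresses, one whole /24 (trailing-dot prefix form),
# and 10/8 except one internal /16, then deny everything else for sshd
sshd : 203.0.113.10 192.0.2. : allow
sshd : 10.0.0.0/255.0.0.0 EXCEPT 10.13.0.0/255.255.0.0 : allow
sshd : ALL : deny
ALL : ALL : allow
"""

# Same allow-list but without the terminating deny: the allow lines match
# the intended clients, everyone else falls through to ALL : ALL : allow.
MISSING_DENY = """
sshd : 203.0.113.10 192.0.2. : allow
ALL : ALL : allow
"""


def _match_client(pattern, ip):
    """Match one client pattern against an IPv4Address (IP literals only)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # "192.0.2." matches any address whose dotted form starts with it
        return str(ip).startswith(pattern)
    if "/" in pattern:
        # "n.n.n.n/m.m.m.m" net/mask pair as in hosts_access(5)
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.IPv4Network((net, mask), strict=False)
    return ip == ipaddress.IPv4Address(pattern)


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_list(tokens, value, matcher):
    """Evaluate a token list, honouring the 'list_1 EXCEPT list_2' form."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(tokens[:i], value, matcher)
                and not _match_list(tokens[i + 1:], value, matcher))
    return any(matcher(t, value) for t in tokens)


def parse_hosts_allow(text):
    """Turn hosts.allow text into (daemon_tokens, client_tokens, verdict) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        options = [f.lower() for f in fields[2:]]
        # a matching line without an explicit option grants access
        verdict = "deny" if "deny" in options else "allow"
        rules.append((daemons, clients, verdict))
    return rules


def hosts_access(rules, daemon, client_ip):
    """First matching rule decides; no match at all means access is granted."""
    ip = ipaddress.IPv4Address(client_ip)
    for daemons, clients, verdict in rules:
        if (_match_list(daemons, daemon, _match_daemon)
                and _match_list(clients, ip, _match_client)):
            return verdict
    return "allow"


def check_sshd(config_text, client_ip):
    return hosts_access(parse_hosts_allow(config_text), "sshd", client_ip)


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.77", "10.20.30.40", "10.13.5.5", "198.51.100.9"):
        print(ip, "locked-down:", check_sshd(LOCKED_DOWN, ip),
              "missing-deny:", check_sshd(MISSING_DENY, ip))
```

Running it shows the stranger at 198.51.100.9 denied under LOCKED_DOWN but allowed under MISSING_DENY, which is exactly the case where the hosts.allow "backup" would silently fail to take over. Checking a proposed hosts.allow this way against a handful of addresses you care about (your own, a known-bad one, something inside an EXCEPT carve-out) is cheaper than discovering the gap after the firewall is down.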