Date:      Fri, 18 Apr 2008 08:43:11 -0400
From:      Jon Radel <jon@radel.com>
To:        Gilles <gilles.ganault@free.fr>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: [SSHd] Limiting access from authorized IP's
Message-ID:  <4808975F.3030704@radel.com>
In-Reply-To: <200804181115.59498.fbsd.questions@rachie.is-a-geek.net>
References:  <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <200804181115.59498.fbsd.questions@rachie.is-a-geek.net>


Mel wrote:
> On Friday 18 April 2008 10:51:45 Gilles wrote:
> 
>> 1. I'd like to limit connections from the Net only from specific IP's.
>> It seems like there are several ways to do it (/etc/hosts.allow,
>> AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would
>> you recommend?
> 
> hosts.allow == TCP wrapper.
> I recommend a firewall, with hosts.allow as backup. In the event the firewall gets 
> disabled, hosts.allow takes over.
> Note though, that with setups like this, you will have to call someone to add 
> your IP to the lists when your IP changes or you're at a location you didn't 
> think you'd need access from.
> I personally prefer sshd to be world accessible and block scans, since I 
> consider being locked out of the machines a security risk as well...
> 

Some additional thoughts:  If you want to control which users can
connect from which IP addresses, use the AllowUsers, etc. statements in
sshd_config.  That's the big advantage of doing it at that level.  If
you're not going to get that granular, I'd stick with the advice others
have already given. Also, some of us are convinced that we further
reduce our risk from scanning by turning off password access and forcing
the use of keys.

--Jon Radel
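As an added illustration (not part of the thread, and not Jon's or Mel's code), the following Python model works through the sshd_config directives the reply recommends: `DenyUsers` and `AllowUsers` with `user@host` entries, plus `PasswordAuthentication no` to force keys. It reproduces the order sshd applies the user lists in (DenyUsers first, then AllowUsers) and the two forms a host part can take: an sshd-style wildcard pattern (`*`, `?`) matched against the client address or its reverse-resolved name, or a CIDR block (supported by newer sshd releases). The config text, user names and addresses are constructed sample data, and the parser is deliberately minimal (one directive per line, no `Match` blocks).

```python
import ipaddress
import re

# Constructed sshd_config fragment (example data, not from the original mail).
# Mirrors the reply's advice: per-user, per-address access and key-only logins.
SAMPLE_SSHD_CONFIG = """
DenyUsers  root
AllowUsers admin@203.0.113.10 backup@*.example.net deploy@198.51.100.0/24
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_config(text):
    """Map each directive (lowercased, as sshd treats them) to its list of values.
    Comments and blank lines are skipped; repeated directives accumulate."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        directives.setdefault(key.lower(), []).extend(values)
    return directives


def _glob(pattern, text, ignore_case=False):
    """sshd-style pattern: '*' matches any run, '?' one character, nothing else is special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, text, flags) is not None


def _host_matches(pattern, client_ip, client_host):
    """Host part of user@host: a CIDR block, or a wildcard pattern tried against
    the client's address string and (if resolved) its hostname, case-insensitively."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if _glob(pattern, client_ip, ignore_case=True):
        return True
    return client_host is not None and _glob(pattern, client_host, ignore_case=True)


def _entry_matches(entry, user, client_ip, client_host):
    """An entry is either 'user' (any source) or 'user@host' (both parts must match)."""
    if "@" in entry:
        user_pat, host_pat = entry.split("@", 1)
        return _glob(user_pat, user) and _host_matches(host_pat, client_ip, client_host)
    return _glob(entry, user)


def login_allowed(config, user, client_ip, client_host=None):
    """Decide one connection attempt the way sshd orders its user lists:
    DenyUsers is consulted first; if AllowUsers is present the user must match
    one of its entries. Returns (allowed, reason)."""
    for entry in config.get("denyusers", []):
        if _entry_matches(entry, user, client_ip, client_host):
            return False, f"denied by DenyUsers {entry}"
    allow = config.get("allowusers", [])
    if allow:
        for entry in allow:
            if _entry_matches(entry, user, client_ip, client_host):
                return True, f"allowed by AllowUsers {entry}"
        return False, "no AllowUsers entry matched"
    return True, "no AllowUsers restriction"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_SSHD_CONFIG)
    for who, ip, host in [("admin", "203.0.113.10", None),
                          ("admin", "203.0.113.11", None),
                          ("backup", "192.0.2.5", "host1.example.net"),
                          ("deploy", "198.51.100.77", None),
                          ("root", "203.0.113.10", None)]:
        print(who, ip, host, login_allowed(cfg, who, ip, host))
    print("passwords disabled:", cfg.get("passwordauthentication") == ["no"])
```

The `backup@*.example.net` case shows the caveat with hostname patterns: they only match when sshd has a reverse-resolved name for the client (the same attempt with no resolved hostname is refused), and that name comes from DNS the server does not control, so address or CIDR entries are the more dependable way to express "only from these IPs".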


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4808975F.3030704>