Date: Sun, 10 Apr 2005 09:34:26 -0500
From: Chris <racerx@makeworld.com>
To: freebsd-questions@freebsd.org
Subject: Re: How can I log every login via telnet?
Message-ID: <42593972.1040805@makeworld.com>
In-Reply-To: <1878091587.20050410102441@wanadoo.fr>
References: <1492434941.20050407204225@wanadoo.fr> <16981.34396.918396.208453@szamoca.krvarr.bc.ca> <856341966.20050408053245@wanadoo.fr> <16984.42254.480019.606112@szamoca.krvarr.bc.ca> <1878091587.20050410102441@wanadoo.fr>

Anthony Atkielski wrote:
> Sandy Rutherford writes:
>
>
>>See login.access(5) and login.conf(5). Both provide this
>>functionality.
>
>
> I've tried this and I've obtained weird results.
>
> Supposedly login stops at the first match in the login.access file. So
> I used this:
>
> +:ALL:console
> +:ALL:LOCAL
> +:xxx yyy:ALL EXCEPT 216.134.77.112 161.13.67.41
> -:ALL:ALL
>
> The idea is to prohibit any logins from anywhere except the LAN and
> console for all users except xxx and yyy (and even for those two logins
> are not accepted from two specific IP addresses). But as soon as I add
> the -:ALL:ALL at the end, logins are disallowed for everyone except xxx
> and yyy, even on the LAN, and even with ssh. I'm perplexed.
>
Anthony,
If you are using ipfw, you could do something like this:
# Allow in only a few Telnet, SFTP, SSH, and SCP from public Internet
${fwcmd} add 090 pass log tcp from 161.13.67.41,216.134.77.112 to ${ip} 23 setup limit src-addr 5
What this does is allow the above-mentioned in from the above-mentioned
IPs - THEN, only allows a connection of 5.
Something to think about if you run the firewall. To the rest of the
outside, users will get dead space if they try to telnet in.
--
Best regards,
Chris
If opportunity came disguised as temptation,
one knock would be enough.
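
The first-match behaviour described in the quoted text can be reproduced with a small model of login.access(5) evaluation; this is an added example, not part of the original message and not FreeBSD's own code. It assumes the documented rules (first matching line wins, LOCAL matches any origin string without a ".", EXCEPT subtracts the tokens after it, no match means access is granted) and that a network login presents its origin as an IP address; the function names, the user bob and the LAN address 192.168.1.20 are constructed.

```python
# Simplified model of login.access(5) matching (no netgroups or group lookups).
RULES = """\
+:ALL:console
+:ALL:LOCAL
+:xxx yyy:ALL EXCEPT 216.134.77.112 161.13.67.41
-:ALL:ALL
"""  # the table quoted in the message above

def origin_match(tok, origin):
    if tok == "ALL" or tok.lower() == origin.lower():
        return True
    if tok == "LOCAL":                 # any origin string without a "."
        return "." not in origin
    if tok.startswith("."):            # domain suffix, e.g. .example.org
        return origin.lower().endswith(tok.lower())
    if tok.endswith("."):              # network prefix, e.g. 192.168.1.
        return origin.startswith(tok)
    return False

def user_match(tok, user):
    return tok == "ALL" or tok == user

def list_match(tokens, item, match):
    """True if item matches a token before EXCEPT and none after it."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    if not any(match(t, item) for t in head):
        return False
    return not (tail and list_match(tail, item, match))

def decide(rules, user, origin):
    """Return (allowed, matching_line); the first matching line wins."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        if (list_match(users.split(), user, user_match)
                and list_match(origins.split(), origin, origin_match)):
            return perm == "+", line
    return True, None                  # no entry matched: access is granted

if __name__ == "__main__":
    for who, where in [("bob", "ttyv0"), ("bob", "192.168.1.20"),
                       ("xxx", "192.168.1.20"), ("xxx", "216.134.77.112")]:
        print(who, where, decide(RULES, who, where))
```

In this model the LAN host falls through to -:ALL:ALL because its dotted address never matches LOCAL. login.access(5) expresses a network as a prefix ending in "." (for example the constructed 192.168.1.), placed before the final deny line.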
