Date: Fri, 23 Jul 2004 14:39:37 +0200
From: Alex de Kruijff
To: Graham Bentley
Cc: freebsd-questions@freebsd.org
Subject: Re: Best way to limit SSH to LAN IP's only ?

On Fri, Jul 23, 2004 at 01:20:12PM +0100, Graham Bentley wrote:
>
> Hi All,
>
> Wondered what is the best way to do this ?
>
> Do I have to get involved with host.allow / deny
> or better to use the sshd config ?

Hi,

The hosts.allow states:

    # Wrapping sshd(8) is not normally a good idea, but if you
    # need to do it, here's how
    #sshd : .evil.cracker.example.com : deny

Another way would be to implement this behavior with a firewall like
ipfw or ipf.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
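
An added example, not part of the original message: a hosts.allow fragment that limits sshd to a LAN, in the same three-field syntax as the line quoted above. It assumes the LAN is 192.168.1.0/255.255.255.0 (a constructed value) and that sshd is built with libwrap support.

```conf
# /etc/hosts.allow: added example; 192.168.1.0/255.255.255.0 is an assumed LAN range.
# libwrap stops at the first rule that matches, so order matters.

# Weak: FreeBSD's stock file opens with this line. Left in place it matches
# every connection, and nothing below it is ever consulted.
#ALL : ALL : allow

# Corrected: allow loopback and the LAN, then refuse everyone else.
sshd : localhost : allow
sshd : 192.168.1.0/255.255.255.0 : allow
sshd : ALL : deny
```

Keep an existing LAN session open while testing the change from a second connection, so a mistake in the rules does not lock you out.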