From owner-freebsd-questions@FreeBSD.ORG Fri Jul 23 12:54:38 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DBABA16A4CE
	for ; Fri, 23 Jul 2004 12:54:38 +0000 (GMT)
Received: from lorna.circlesquared.com (host217-45-219-85.in-addr.btopenworld.com [217.45.219.85])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0EAF343D5F
	for ; Fri, 23 Jul 2004 12:54:33 +0000 (GMT)
	(envelope-from peter@circlesquared.com)
Received: from circlesquared.com (localhost.circlesquared.com [127.0.0.1])
	i6NCsM3f004013; Fri, 23 Jul 2004 13:54:22 +0100 (BST)
	(envelope-from peter@circlesquared.com)
Message-ID: <41010A7E.8080301@circlesquared.com>
Date: Fri, 23 Jul 2004 13:54:22 +0100
From: Peter Risdon
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040611
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Alex de Kruijff
References: <20040723120102.009B116A4DF@hub.freebsd.org> <3.0.6.32.20040723132012.007d8e50@mail.uk2.net> <20040723123936.GA795@alex.lan>
In-Reply-To: <20040723123936.GA795@alex.lan>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: Graham Bentley
cc: freebsd-questions@freebsd.org
Subject: Re: Best way to limit SSH to LAN IP's only ?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 23 Jul 2004 12:54:39 -0000

Alex de Kruijff wrote:
> On Fri, Jul 23, 2004 at 01:20:12PM +0100, Graham Bentley wrote:
>
>>Hi All,
>>
>>Wondered what is the best way to do this ?
>>
>>Do I have to get involved with host.allow / deny
>>or better to use the sshd config ?
>
>
> Hi,
>
> The hosts.allow states:
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
>
> Another way would be to implement this behavior with a firewall like
> ipfw or ipf.
>

/etc/ssh/sshd_config is also an option. From man sshd_config:

     ListenAddress
             Specifies the local addresses sshd should listen on.  The
             following forms may be used:

                   ListenAddress host|IPv4_addr|IPv6_addr
                   ListenAddress host|IPv4_addr:port
                   ListenAddress [host|IPv6_addr]:port

             If port is not specified, sshd will listen on the address and
             all prior Port options specified.  The default is to listen on
             all local addresses.  Multiple ListenAddress options are
             permitted.  Additionally, any Port options must precede this
             option for non port qualified addresses.

Peter.
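
An added example, not part of the message above and not OpenSSH code: a small checker that applies the quoted ListenAddress rules to an sshd_config, listing the address/port pairs sshd would bind and flagging anything outside the LAN or a Port placed after a non-port-qualified ListenAddress. The sample config, the 192.168.1.0/24 range and the function names are constructed; using port 22 when no Port option precedes is an assumption, since the excerpt does not say.

```python
import ipaddress

# Constructed sample sshd_config; addresses and ports are illustrative only.
SAMPLE = """\
Port 22
ListenAddress 192.168.1.10
ListenAddress 0.0.0.0:2222
Port 8022
"""

def split_listen(value):
    """Split a ListenAddress value into (host, port or None) for the three forms."""
    if value.startswith("["):                      # [host|IPv6_addr]:port
        host, _, rest = value[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else None
    if value.count(":") == 1:                      # host|IPv4_addr:port
        host, port = value.split(":")
        return host, int(port)
    return value, None                             # host|IPv4_addr|IPv6_addr

def audit(config, lan):
    """Return (sockets, findings) for sshd_config text and the allowed LAN network."""
    lan = ipaddress.ip_network(lan)
    ports, sockets, findings, unqualified = [], [], [], False
    for n, line in enumerate(config.splitlines(), 1):
        words = line.split("#")[0].split()
        if len(words) < 2:
            continue
        key, value = words[0].lower(), words[1]
        if key == "port":
            ports.append(int(value))
            if unqualified:                        # ordering rule from the man page
                findings.append(f"line {n}: Port {value} follows a ListenAddress without a port")
        elif key == "listenaddress":
            host, port = split_listen(value)
            unqualified = unqualified or port is None
            # Assumption: with no prior Port option, the default port 22 applies.
            bound = [port] if port is not None else (ports or [22])
            sockets.extend((host, p) for p in bound)
            try:
                if ipaddress.ip_address(host) not in lan:
                    findings.append(f"line {n}: {host} is outside {lan}")
            except ValueError:
                findings.append(f"line {n}: {host} is a hostname, check what it resolves to")
    if not sockets:
        findings.append("no ListenAddress: sshd listens on all local addresses")
    return sockets, findings
```

Binding to a LAN address only controls which local interface accepts connections; it does not filter by client source address, which is what the hosts.allow and firewall options in the thread do.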