From owner-freebsd-questions@FreeBSD.ORG Mon Apr 21 18:51:32 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 78278106566B for ; Mon, 21 Apr 2008 18:51:32 +0000 (UTC) (envelope-from gao@schrodinger.com)
Received: from schrodinger.com (thermidore.schrodinger.com [192.156.98.99]) by mx1.freebsd.org (Postfix) with ESMTP id 42DE98FC1F for ; Mon, 21 Apr 2008 18:51:31 +0000 (UTC) (envelope-from gao@schrodinger.com)
Received: from [192.156.98.12] (ithi.schrodinger.com [192.156.98.12]) by schrodinger.com (8.13.4/8.13.4) with ESMTP id m3LIpKL1033029; Mon, 21 Apr 2008 11:51:21 -0700 (PDT) (envelope-from gao@schrodinger.com)
Message-ID: <480CE228.5000803@schrodinger.com>
Date: Mon, 21 Apr 2008 11:51:20 -0700
From: Simon Gao
User-Agent: Thunderbird 2.0.0.12 (X11/20080229)
MIME-Version: 1.0
To: cpghost
References: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu> <4808D7F4.8000709@radel.com> <20080418173443.40f99867@epia-2.farid-hajji.net>
In-Reply-To: <20080418173443.40f99867@epia-2.farid-hajji.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (schrodinger.com [192.156.98.99]); Mon, 21 Apr 2008 11:51:21 -0700 (PDT)
Cc: Paul Schmehl, freebsd-questions@freebsd.org
Subject: Re: [SSHd] Limiting access from authorized IP's
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 21 Apr 2008 18:51:32 -0000

cpghost wrote:
> On Fri, 18 Apr 2008 13:46:48 -0500
> Paul Schmehl wrote:
>
>> Let me clarify. When I use the term "host", I'm referring to what
>> many would call a "personal workstation" or "personal computer". If
>> you have more than one person who has shell access to a computer,
>> then you no longer have a host. You have a server. Sure, you may not
>> think of it that way, but that's what it is.
>>
>> Servers are a completely different ballgame, and the decisions you
>> make regarding protecting them have everything to do with who has
>> access to what. The servers that I referenced in my post have one
>> person with root access - me - and one user - the owners. No one
>> else has access. So, it's a great deal easier for me to lock down
>> the boxes than it is, for example, here at work, where *many* people
>> have shell access and more than one have root access through sudo or
>> even su.
>>
>
> Sorry for bikeshedding here, since it's just a matter of terminology,
> but...
>
> "Hosts" used to be multi-user machines for a long time, and actually
> still are. Most RFCs, including newer ones, refer to "hosts" and mean
> "nodes" on the net. They don't care whether the hosts are workstations
> used by a single or few user(s), or big multi-user machines with
> hundreds of shell accounts.
>
> "Server" is merely the role a program assumes when it waits passively
> for requests from "clients". "Servers" run on "hosts", regardless
> of the number of users on those hosts (ranging from 0 to very high).
>
> Obviously, the security implications vary considerably if you have
> to host many user accounts, esp. on hosts used by mission critical
> server programs. ;)
>
> And of course, the bikeshed has to be painted... red! :)
>
> Regards,
> -cpghost.
>

Try this:

    AllowUsers *@127.0.0.1 *@192.168.1.20 joe@

Simon
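As an added example (not part of Simon's message or of the thread), the following POSIX sh helper evaluates an sshd_config AllowUsers line written in the documented USER@HOST form against candidate (user, source address) pairs, so an administrator can see which logins a line would admit before sshd is restarted. The pattern list, user names and addresses are constructed. It models only the `*` and `?` wildcards of the sshd_config pattern syntax and is not sshd's own matching: the daemon also compares the source against its resolved hostname and applies DenyUsers, AllowGroups and DenyGroups alongside AllowUsers. An entry whose host part after `@` is empty is treated here as matching no source (a modelling assumption; check sshd_config(5) for the version in use).

```shell
#!/bin/sh
# Added example, not code from the thread: audit an AllowUsers pattern list
# (USER@HOST form, '*' and '?' wildcards) against login attempts. This is a
# model of the documented syntax, not a replacement for sshd's own checks.

# allow_users_check PATTERNS USER SOURCE
#   PATTERNS - the AllowUsers pattern list, space separated as in sshd_config
#   USER     - the name being authenticated
#   SOURCE   - the address the connection comes from
# Returns 0 (allowed) when any pattern matches, 1 (denied) otherwise.
allow_users_check() {
    patterns=$1
    user=$2
    source=$3
    for pat in $patterns; do
        case "$pat" in
            *@*)
                upat=${pat%%@*}   # text before the first '@' matches the user
                hpat=${pat#*@}    # text after it matches the source address
                ;;
            *)
                upat=$pat         # bare USER entry: any source is acceptable
                hpat='*'
                ;;
        esac
        # Model assumption: an empty user or host part (e.g. "joe@") matches
        # nothing, since there is no pattern left to compare against.
        [ -n "$upat" ] || continue
        [ -n "$hpat" ] || continue
        # Unquoted $upat / $hpat act as shell globs, which cover '*' and '?'.
        case "$user" in
            $upat) ;;
            *) continue ;;
        esac
        case "$source" in
            $hpat) return 0 ;;
        esac
    done
    return 1
}

# Print one audit line per attempt; always returns 0 so it can run at top level.
audit_attempt() {
    if allow_users_check "$1" "$2" "$3"; then
        printf '%-6s %-8s from %s\n' allow "$2" "$3"
    else
        printf '%-6s %-8s from %s\n' deny "$2" "$3"
    fi
    return 0
}

# Constructed sample line and attempts (hypothetical users and addresses).
ALLOW_LINE='*@127.0.0.1 *@192.168.1.20 backup@10.0.0.?'

audit_attempt "$ALLOW_LINE" joe 192.168.1.20      # allow: any user from .20
audit_attempt "$ALLOW_LINE" joe 192.168.1.21      # deny: address not listed
audit_attempt "$ALLOW_LINE" backup 10.0.0.7       # allow: '?' matches one char
audit_attempt "$ALLOW_LINE" backup 10.0.0.70      # deny: '?' does not match "70"
audit_attempt "$ALLOW_LINE" root 10.0.0.7         # deny: user part is "backup"
```

After editing sshd_config, `sshd -t` checks the file for syntax errors before the daemon is restarted, and keeping an existing session open while the new rule is tested from a second connection avoids locking yourself out if a pattern is narrower than intended.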