Hello

[EMAIL PROTECTED] (<[EMAIL PROTECTED]>) wrote:
> Mark Maas <[EMAIL PROTECTED]> wrote on 16.11.2004 08:50:57:
>
>> I'm trying to restrict access to my ssh server from the outside to
>> allow only two IP addresses and the internal lan of course.
>> And deny access to everyone else.
>>
>> People are trying the guess a username and password tactic a little
>> too much to my liking...

You could additionally disable password logins and use keys instead, at least for root (or better, disable root logins completely), and make sure that the user names commonly scanned for are not available (guest?).

>> Do I use hosts.deny, hosts.allow for this? If so, which one takes
>> precedence?
>
> I use iptables, so that I do not have to worry about such things.
> just allow the two addresses and drop all others...
>
> If you like to use hosts.deny and hosts.allow, I believe that
> hosts.deny overrules hosts.allow. This is at least, how I experienced
> the two configs.

According to `man hosts_access`, first hosts.allow is checked. If a matching entry is found, the check is stopped, and access will be granted. If not, hosts.deny will be checked. If no matching entry is found in hosts.deny, access will be allowed. If a matching entry is found in hosts.deny, access will be denied.

That means it should be possible to list the allowed IPs and networks in hosts.allow, and disallow access from everywhere in hosts.deny.

best regards
        Andreas Janssen

-- 
Andreas Janssen <[EMAIL PROTECTED]>
PGP-Key-ID: 0xDC801674
ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html