On Fri, 17 Jun 2005, Mitja Podreka wrote:
> I have ADSL connection without fixed IP, can I then set some kind of IP net
> mask to restrict access from other IP?

Yes you can. SSH can do this itself (if compiled against TCP Wrappers), or
better you can get a firewall to do it.

It is generally accepted that if you block password access and use PKI
authentication only then further restricting access based on IP is not
necessary. OTOH people do do this - we have one client who wanted us to do
this with some of their externally visible systems.

Here are a couple of things to consider:

1. The principles of least privilege and security in depth both endorse
   restricting the IP if you can.

2. If there is a remote exploit in sshd or something it relies on (like a
   library) you can rest easier if you know you've restricted access via IP.

Rob

--
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: [EMAIL PROTECTED] http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
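
For the dynamic-IP case asked about in this thread, an added example (not part of the original messages): a Python helper that derives the narrowest netmask covering the addresses an ISP has handed out and emits the matching TCP Wrappers and iptables rules. The sample addresses, the `sshd` daemon name, port 22 and the /16 widening limit are assumptions.

```python
import ipaddress

# Constructed sample: source addresses seen on earlier logins from the
# dynamic ADSL line (documentation ranges, not real data).
OBSERVED = ["198.51.100.17", "198.51.100.203", "198.51.101.44"]

def covering_network(addresses, min_prefix=16):
    """Return the narrowest IPv4 network that contains every address.

    Refuses to widen past min_prefix, so one stray address cannot quietly
    turn the allow rule into "most of the Internet".
    """
    addrs = [ipaddress.IPv4Address(a) for a in addresses]
    net = ipaddress.IPv4Network((addrs[0], 32))
    while not all(a in net for a in addrs):
        if net.prefixlen <= min_prefix:
            raise ValueError(f"addresses do not fit in a /{min_prefix}")
        net = net.supernet()
    return net

def hosts_allow_line(net, daemon="sshd"):
    """TCP Wrappers rule in address/netmask form for /etc/hosts.allow."""
    return f"{daemon}: {net.network_address}/{net.netmask}"

def firewall_rules(net, port=22):
    """iptables equivalent: accept the pool, drop every other source."""
    return [
        f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport {port} -j DROP",
    ]

def is_allowed(ip, net):
    """Would a connection from ip match the allow rule?"""
    return ipaddress.IPv4Address(ip) in net

if __name__ == "__main__":
    pool = covering_network(OBSERVED)
    print("# /etc/hosts.allow")
    print(hosts_allow_line(pool))
    print("# /etc/hosts.deny")
    print("sshd: ALL")
    print("# or, at the firewall")
    print("\n".join(firewall_rules(pool)))
```

The allow rule only takes effect if everything else is denied, hence the `sshd: ALL` line for /etc/hosts.deny and the trailing DROP rule.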