Re: ip access control | sshd_config

• Previous message: Giuseppe Anzalone: "ssh message"
• In reply to: Michael Heiming: "Re: ip access control | sshd_config"
• Next in thread: Michael Heiming: "Re: ip access control | sshd_config"
• Reply: Michael Heiming: "Re: ip access control | sshd_config"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 27 Mar 2005 13:07:29 -0500

On Sat, 26 Mar 2005 00:48:51 +0100, Michael Heiming
<michael+USENET@www.heiming.de> wrote:

>In comp.os.linux.security cooch17@nospamverizon.net:
>> Greetings -
>
>> While I can use AllowUsers in sshd_config to control which users with
>> valid accounts can access one of my boxes via ssh, I'm wondering if
>> there is a way to specify a list of ip addresses which are allowed to
>> access sshd? I've searched around a bit, but didn't find anything that
>> looked like what I've described.
>
>Use/compile a sshd version with tcp_wrapper support enabled and
>try 'man 5 hosts_access' for setup.
>
>Alternatively or/and in addition fire up iptables and allow access
>to port 22 only to the system you want.
>

That does the trick - plus not allowing root access to sshd. Most of
the time, the script kiddies are trying to burrow in by guessing a
username on the system. root is about the only one you know is on any
system, so no t allowing root to access sshd minimizes that problem.

Question though -

if I restrict access to a certain ip in access.allow, then what
advantage is there in also setting up what looks to be essentially the
same thing in iptables? I'm embarassed to admit I've always puzzled
over things such as this...

Thanks...

• Previous message: Giuseppe Anzalone: "ssh message"
• In reply to: Michael Heiming: "Re: ip access control | sshd_config"
• Next in thread: Michael Heiming: "Re: ip access control | sshd_config"
• Reply: Michael Heiming: "Re: ip access control | sshd_config"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]