On Friday 23 January 2009 22:22:17 Paul Hartman wrote:
> I essentially want it to work the other way around. Deny access by
> default unless there is an allow rule. I don't think I can do that,
> though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will
> deny ME access to my own machine. I don't want that. Since I don't
> have a specific IP I will connect from, I can't allow any specific IP
> (or else I'd be doing it that way already).
>
> How can I accomplish this?:
>
> Allow all ssh connections unless they are in hosts.deny
> Deny all other connections unless they are in hosts.allow
Have you looked at port knocking? It's a complete ball ache to set up and use, far less useful than it seems, but it might also solve your conundrum.

A friend once mentioned on a forum that he'd managed to set up static libwrap rules in hosts.allow|deny for addresses that don't change and additionally port-knocking for himself to open up port 22 for a few minutes. I don't recall how he did this, only that he claimed to have done it.

--
alan dot mckinnon at gmail dot com
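The policy Paul asks for can be expressed with plain libwrap rules, and the reason his first attempt locked him out is the evaluation order documented in hosts_access(5): hosts.allow is consulted first, the first matching rule wins, hosts.deny is only consulted when nothing in hosts.allow matched, and a connection that matches neither file is granted. A "deny by default" therefore goes in hosts.deny as `ALL: ALL`, and the sshd blocklist has to be written in hosts.allow as an `EXCEPT` clause, because a `sshd: ...` line in hosts.deny would never be reached for addresses that hosts.allow already accepted. The following is an added example, not code from the thread or from tcp_wrappers: a small Python simulator of the two-file decision, fed two constructed rule files (all addresses are documentation ranges invented for the example). It models `ALL`, exact addresses, trailing-dot prefixes, `net/mask` patterns and right-associative `EXCEPT`; hostnames, `KNOWN`/`PARANOID`, option fields and IPv6 are deliberately left out.

```python
"""Simulate hosts_access(5) decisions for a daemon/client pair (constructed example)."""
import ipaddress

# Constructed hosts.allow: sshd open to everyone except a blocklist, every
# other daemon only from a trusted network. The blocklist must sit here as an
# EXCEPT clause because hosts.allow is checked first and a match stops the search.
HOSTS_ALLOW = """
# sshd from anywhere, minus the blocklisted networks (addresses constructed)
sshd: ALL EXCEPT 198.51.100. 203.0.113.0/255.255.255.0
# everything else only from the trusted LAN (constructed)
ALL: 192.0.2.0/255.255.255.0
"""

# Constructed hosts.deny: reached only when nothing in hosts.allow matched.
HOSTS_DENY = """
ALL: ALL
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list [: options]' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))          # option fields (3rd+) are ignored here
    return rules


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, ip):
    """IPv4 client patterns: ALL, net/mask (or CIDR), 'a.b.c.' prefix, exact address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def _match_list(items, value, matcher):
    """'a b EXCEPT c d' matches when value is in the left part and not in the right.
    EXCEPT is right-associative in hosts_access(5), hence the recursion on the remainder."""
    if "EXCEPT" in items:
        idx = items.index("EXCEPT")
        return (_match_list(items[:idx], value, matcher)
                and not _match_list(items[idx + 1:], value, matcher))
    return any(matcher(p, value) for p in items)


def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' following the libwrap search order."""
    def first_match(rules):
        return any(_match_list(d, daemon, _match_daemon) and _match_list(c, ip, _match_client)
                   for d, c in rules)

    if first_match(parse_rules(allow_text)):
        return "allow"            # hosts.allow match: granted, hosts.deny never consulted
    if first_match(parse_rules(deny_text)):
        return "deny"             # hosts.deny match: refused
    return "allow"                # no rule anywhere: libwrap grants access


if __name__ == "__main__":
    for daemon, ip in [("sshd", "8.8.8.8"), ("sshd", "198.51.100.7"),
                       ("sshd", "203.0.113.9"), ("vsftpd", "192.0.2.5"),
                       ("vsftpd", "8.8.8.8")]:
        print(f"{daemon:7s} from {ip:15s} -> {hosts_access(daemon, ip)}")
    # The lock-out from the original question: 'sshd: ALL' in hosts.deny with no
    # matching hosts.allow entry refuses every client, the admin included.
    print("lock-out check ->", hosts_access("sshd", "8.8.8.8", allow_text="", deny_text="sshd: ALL"))
```

Running the module prints one decision per pair; the last line reproduces the lock-out Paul describes. One caveat for anyone applying this today: OpenSSH removed its built-in libwrap support in version 6.7, so on a current system sshd no longer reads hosts.allow/hosts.deny at all unless the distribution patches it back in, and the same policy is usually expressed in the packet filter or with `Match Address` blocks in sshd_config instead.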

