Yes, I couldn't agree more - the 'default permit' approach is evil and
stupid. However, when requiring ssh access from sites with dynamic IP
addresses it's a good first line of defence.

Cheers,

Steve

On Fri, September 16, 2005 12:08 am, Volker Kuhlmann wrote:
>> ...after a bit more investigation, here's my /etc/hosts.deny, based on the
>> 25,000 attempts in the last month!
>
> Wrong approach. You do it the other way round. You work out which IP
> numbers need to connect to your ssh server (usually very few), the rest
> goes to /dev/null. To be really anal, restrict which users are allowed
> to use sshd, the rest gets a password failure until the sky comes down.
> Both can be configured within /etc/ssh/sshd_config, though using
> tcpwrappers as a first shield might be better. Even better, use your
> firewall.
>
> Volker
>
> --
> Volker Kuhlmann                       is possibly list0570 with the domain in 
> header
> http://volker.dnsalias.net/           Please do not CC list postings to me.
>


-- 
Windows: Where do you want to go today?
MacOS: Where do you want to be tomorrow?
Linux: Are you coming or what?
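
Added example, not part of the original thread: the blocklist-style /etc/hosts.deny discussed above next to the default-deny layout Volker describes, using tcpwrappers plus the user restriction in /etc/ssh/sshd_config. The addresses are constructed from the documentation ranges and the account name is a placeholder.

```conf
# --- /etc/hosts.deny : blocklist approach (grows after every scan) ---
# sshd: 203.0.113.14
# sshd: 203.0.113.77
# ...one line per source seen in the logs; every unlisted host is still admitted

# --- /etc/hosts.deny : default deny ---
# Anything not matched in hosts.allow is refused before sshd talks to it.
sshd: ALL

# --- /etc/hosts.allow : consulted first; a match here admits the client ---
# Constructed addresses: one office network and one single host.
sshd: 192.0.2.0/255.255.255.0
sshd: 198.51.100.7

# --- /etc/ssh/sshd_config : restrict which accounts may log in ---
# "steve" is a placeholder account name; all other users get a login failure.
AllowUsers steve
PermitRootLogin no
```

The tcpwrappers files only take effect when sshd is built with libwrap, which upstream OpenSSH dropped in release 6.7, so on newer systems the same allowlist belongs in the firewall. Run `sshd -t` to check the sshd_config syntax before restarting the daemon.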
