Yes, I couldn't agree more - the 'default permit' approach is evil and stupid. However, when requiring ssh access from sites with dynamic ip addresses it's a good first line of defence.
Cheers,
Steve

On Fri, September 16, 2005 12:08 am, Volker Kuhlmann wrote:
>> ...after a bit more investigation, here's my /etc/hosts.deny, based on the
>> 25,000 attempts in the last month!
>
> Wrong approach. You do it the other way round. You work out which IP
> numbers need to connect to your ssh server (usually very few), the rest
> goes to /dev/null. To be really anal, restrict which users are allowed
> to use sshd, the rest gets a password failure until the sky comes down.
> Both can be configured within /etc/ssh/sshd_config, though using
> tcpwrappers as a first shield might be better. Even better, use your
> firewall.
>
> Volker
>
> --
> Volker Kuhlmann is possibly list0570 with the domain in header
> http://volker.dnsalias.net/ Please do not CC list postings to me.
> --
> Windows: Where do you want to go today? MacOS: Where do you want to be tomorrow? Linux: Are you coming or what?
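The quoted reply recommends turning the blocklist around: list the few addresses that may reach sshd in /etc/hosts.allow and send everything else to /dev/null. The detail that makes or breaks that setup is the evaluation order of tcp_wrappers (hosts_access(5)): hosts.allow is consulted first, then hosts.deny, and a client that matches neither is let in. A hosts.deny that only lists the addresses seen in the logs therefore still runs in 'default permit' mode. The script below is an added example, not code from either poster; it models that evaluation order on constructed hosts.allow/hosts.deny contents and a handful of constructed client addresses, and compares the allow-list setup against a blocklist-only one. The file contents, the addresses and the helper names are all assumptions made for the illustration; the pattern forms handled (ALL, exact address, net/mask, trailing-dot prefix) are a subset of what the real hosts_access syntax accepts.

```python
"""tcp_wrappers-style access decision for sshd (added example, not from the thread).

Order follows hosts_access(5): grant if the client matches hosts.allow,
deny if it matches hosts.deny, otherwise grant. That final grant is the
'default permit' the thread argues against, which is why an allow-list
needs the catch-all 'ALL: ALL' in hosts.deny.
"""
import ipaddress

# Constructed hosts.allow: the few sources that legitimately need ssh.
HOSTS_ALLOW = """
# only these sources may reach sshd
sshd: 203.0.113.10
sshd: 198.51.100.0/255.255.255.0
sshd: 192.0.2.
"""

# Constructed hosts.deny for the allow-list approach: everything else is refused.
HOSTS_DENY_STRICT = """
ALL: ALL
"""

# Constructed hosts.deny for the blocklist approach: only addresses already
# seen attacking are listed, nothing else is said about the rest.
HOSTS_DENY_BLOCKLIST = """
sshd: 192.0.2.99
sshd: 10.0.0.0/255.0.0.0
"""


def parse_rules(text):
    """Return (daemon_list, client_list) tuples from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(
            ([d.strip() for d in daemons.split(",")],
             [c.strip() for c in clients.split(",")])
        )
    return rules


def client_matches(pattern, ip):
    """Match one client pattern: ALL, exact address, 'net/mask', or 'a.b.c.' prefix."""
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def rule_matches(rule, daemon, ip):
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_matches(p, ip) for p in clients)


def access_allowed(daemon, ip, allow_text, deny_text):
    """Apply the hosts_access(5) order: allow file, then deny file, then permit."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return False
    return True  # nothing matched: tcp_wrappers grants access by default


if __name__ == "__main__":
    # Constructed client addresses; the last one is an unknown source that
    # the blocklist has never seen.
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.99",
               "10.20.30.40", "203.0.113.200"):
        strict = access_allowed("sshd", ip, HOSTS_ALLOW, HOSTS_DENY_STRICT)
        blocklist = access_allowed("sshd", ip, "", HOSTS_DENY_BLOCKLIST)
        print(f"{ip:16} allow-list: {str(strict):5}  blocklist-only: {blocklist}")
```

Run stand-alone, the comparison shows the point of the quoted reply: the unknown source 203.0.113.200 is refused under the allow-list but admitted by the blocklist-only configuration, because it matched nothing and fell through to the default grant. The same logic is why the reply also suggests sshd_config restrictions (AllowUsers) and the firewall as further layers: each is an allow-list in its own right, so a miss in one is still caught by the next.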
