[SSHd] Limiting access from authorized IP's

Jon Radel jon at radel.com
Fri Apr 18 12:43:25 UTC 2008

Mel wrote:
> On Friday 18 April 2008 10:51:45 Gilles wrote:
>> 1. I'd like to limit connections from the Net only from specific IP's.
>> It seems like there are several ways to do it (/etc/hosts.allow,
>> AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would
>> you recommend?
> hosts.allow == TCP wrapper.
> I recommend firewall, with hosts.allow backup. In the event the firewall gets 
> disabled, hosts.allow takes over.
> Note though, that with setups like this, you will have to call someone to add 
> your IP to the lists, when your IP changes or you're on a location you didn't 
> think you'd need access from.
> I personally prefer sshd to be world accessible and block scans, since I 
> consider being locked out of the machines a security risk as well...

Some additional thoughts:  If you want to control which users can
connect from which IP addresses, use the AllowUsers, etc. statements in
sshd_config.  That's the big advantage of doing it at that level.  If
you're not going to get that granular, I'd stick with the advice others
have already given. Also, some of us are convinced that we further
reduce our risk from scanning by turning off password access and forcing
the use of keys.

--Jon Radel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3283 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20080418/98304d7b/smime.bin

More information about the freebsd-questions mailing list