[SSHd] Limiting access from authorized IP's
Simon Gao
gao at schrodinger.com
Mon Apr 21 18:51:32 UTC 2008
cpghost wrote:
> On Fri, 18 Apr 2008 13:46:48 -0500
> Paul Schmehl <pauls at utdallas.edu> wrote:
>
>
>> Let me clarify. When I use the term "host", I'm referring to what
>> many would call a "personal workstation" or "personal computer". If
>> you have more than one person who has shell access to a computer,
>> then you no longer have a host. You have a server. Sure, you may not
>> think of it that way, but that's what it is.
>>
>> Servers are a completely different ballgame, and the decisions you
>> make regarding protecting them have everything to do with who has
>> access to what. The servers that I referenced in my post have one
>> person with root access - me
>> - and one user - the owners. No one else has access. So, it's a
>> great deal easier for me to lock down the boxes than it is, for
>> example, here at work, where *many* people have shell access and more
>> than one have root access through sudo or even su.
>>
>
> Sorry for bikeshedding here, since it's just a matter of terminology,
> but...
>
> "Hosts" used to be multi-user machines for a long time, and actually
> still are. Most RFCs, including newer ones, refer to "hosts" and mean
> "nodes" on the net. They don't care whether the hosts are workstations
> used by a single or few user(s), or big multi-user machines with
> hundreds of shell accounts.
>
> "Server" is merely the role a program assumes when it waits passively
> for requests from "clients". "Servers" run on "hosts", regardless
> of the number of users on those hosts (ranging from 0 to very high).
>
> Obviously, the security implications vary considerably if you have
> to host many user accounts, esp. on hosts used by mission critical
> server programs. ;)
>
> And of course, the bikeshed has to be painted... red! :)
>
> Regards,
> -cpghost.
>
>
Try this:
AllowUsers *@127.0.0.1 *@192.168.1.20 joe@<home ip>
Simon
More information about the freebsd-questions
mailing list