Re: How can I block IP address range with sshd_config

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jul 27, 2004 at 12:53:58PM -0400, Robert Locke wrote:
> Add the following to your /etc/hosts.deny file:
> sshd : 211.182.241.
> (note the trailing dot - it is needed)
> - or -
> sshd : 211.182.241.0/255.255.255.0

I find the tcp wrappers configuration to be more straightforward (and more
secure) if you change the config to be 'fail-safe' instead of 'fail-open'.
In other words, put:

  ALL:ALL

in hosts.deny, so the default is to block *everything*. Then, explicitly
turn on the services you want for the source addresses you want:

  sshd: 192.168.1.      <- or whatever your real allowed subnets are

or you can do

  sshd: ALL EXCEPT 211.182.241.


This way, you never need to track back and forth between hosts.allow and
hosts.deny, or think about what has precedence, or anything. Simply leave
only ALL:ALL in hosts.deny, and manage everything in one place.





> 
> Stay away from user level stuff in the hosts.allow and hosts.deny
> files.  They should really only be used for host level verification.
> 
> You may or may not need to restart sshd using the following:
> 
> service sshd restart
> 
> This will have sshd unconditionally drop anything coming from the one
> network.
> 
> --Rob
> 
> 
> -- 
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> 

-- 
Matthew Miller           mattdm@xxxxxxxxxx        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux