On Tue, Jul 27, 2004 at 12:53:58PM -0400, Robert Locke wrote:
> Add the following to your /etc/hosts.deny file:
> sshd : 211.182.241.
> (note the trailing dot - it is needed)
> - or -
> sshd : 211.182.241.0/255.255.255.0

I find the tcp wrappers configuration to be more straightforward (and more
secure) if you change the config to be 'fail-safe' instead of 'fail-open'.
In other words, put:

    ALL:ALL

in hosts.deny, so the default is to block *everything*. Then, explicitly
turn on the services you want for the source addresses you want:

    sshd: 192.168.1.    <- or whatever your real allowed subnets are

or you can do

    sshd: ALL EXCEPT 211.182.241.

This way, you never need to track back and forth between hosts.allow and
hosts.deny, or think about what has precedence, or anything. Simply leave
only ALL:ALL in hosts.deny, and manage everything in one place.

> Stay away from user level stuff in the hosts.allow and hosts.deny
> files. They should really only be used for host level verification.
>
> You may or may not need to restart sshd using the following:
>
> service sshd restart
>
> This will have sshd unconditionally drop anything coming from the one
> network.
>
> --Rob

-- 
Matthew Miller mattdm@xxxxxxxxxx <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
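
The difference between the two layouts in this thread, as an added example that is not part of the original messages: a small Python model of the hosts_access(5) lookup order, run over rule sets built from the lines quoted above. It covers only the pattern forms used in the thread; the function names, the vsftpd daemon name and the probe addresses 203.0.113.9 and 192.168.1.20 are assumptions for illustration.

```python
import ipaddress

def host_matches(pattern, addr):
    # Client patterns used in the thread: ALL, "a.b.c." prefix, net/mask.
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    return addr == pattern

def list_matches(tokens, value, match):
    # "list_1 EXCEPT list_2" matches list_1 unless list_2 also matches.
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], value, match)
                and not list_matches(tokens[i + 1:], value, match))
    return any(match(t, value) for t in tokens)

def rule_matches(rule, daemon, addr):
    # Rule syntax: daemon_list : client_list (optional third field ignored).
    daemons, clients = (f.replace(",", " ").split() for f in rule.split(":")[:2])
    return (list_matches(daemons, daemon, lambda p, d: p in ("ALL", d))
            and list_matches(clients, addr, host_matches))

def allowed(hosts_allow, hosts_deny, daemon, addr):
    # Lookup order: a hosts.allow match grants, then a hosts.deny match
    # denies, and a client that matches neither file is granted.
    if any(rule_matches(r, daemon, addr) for r in hosts_allow):
        return True
    if any(rule_matches(r, daemon, addr) for r in hosts_deny):
        return False
    return True

# Constructed rule sets as (hosts.allow, hosts.deny), from the thread.
FAIL_OPEN = ([], ["sshd : 211.182.241."])
FAIL_SAFE = (["sshd: 192.168.1."], ["ALL:ALL"])
EXCEPT_FORM = (["sshd: ALL EXCEPT 211.182.241."], ["ALL:ALL"])

if __name__ == "__main__":
    # Constructed probes: (daemon, client address); names are illustrative.
    probes = [("sshd", "211.182.241.7"), ("sshd", "203.0.113.9"),
              ("sshd", "192.168.1.20"), ("vsftpd", "203.0.113.9")]
    for name, cfg in [("fail-open", FAIL_OPEN), ("fail-safe", FAIL_SAFE),
                      ("except", EXCEPT_FORM)]:
        for daemon, addr in probes:
            print(name, daemon, addr, "grant" if allowed(*cfg, daemon, addr) else "deny")
```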