On Wed, 2004-07-28 at 10:23, Matthew Miller wrote:
> On Tue, Jul 27, 2004 at 12:53:58PM -0400, Robert Locke wrote:
> > Add the following to your /etc/hosts.deny file:
> > sshd : 211.182.241.
> > (note the trailing dot - it is needed)
> > - or -
> > sshd : 211.182.241.0/255.255.255.0
>
> I find the tcp wrappers configuration to be more straightforward (and more
> secure) if you change the config to be 'fail-safe' instead of 'fail-open'.
> In other words, put:
>
> ALL:ALL
>
> in hosts.deny, so the default is to block *everything*. Then, explicitly
> turn on the services you want for the source addresses you want:
>
> sshd: 192.168.1. <- or whatever your real allowed subnets are
>
> or you can do
>
> sshd: ALL EXCEPT 211.182.241.
>
> This way, you never need to track back and forth between hosts.allow and
> hosts.deny, or think about what has precedence, or anything. Simply leave
> only ALL:ALL in hosts.deny, and manage everything in one place.

Not to cut the hairs toooooo fine, but recommending to someone new to set
ALL:ALL in hosts.deny is going to disable ALL services that use tcp_wrappers.
While I agree that is the "long-term" preferred approach, we are now perhaps
breaking and affecting services we were unaware of....

But then again, I also say tomahto....

--Rob
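As an added illustration that is not part of this thread, the following Python model of tcp_wrappers' evaluation order (hosts.allow first, then hosts.deny, otherwise allow) lets the two setups above be compared: it shows the fail-open default of Robert's single hosts.deny line, the trailing-dot and net/mask matching, and the side effect Rob raises, that ALL:ALL in hosts.deny denies every wrapped daemon that hosts.allow does not name. The model is constructed for this purpose, not libwrap itself; it handles IPv4 addresses and only the pattern forms used in the thread, and it assumes Robert's setup has an empty hosts.allow.

```python
import ipaddress

# Constructed model of tcp_wrappers access control, added for illustration (not
# libwrap itself): hosts.allow is consulted first, then hosts.deny, and a client
# matching neither file is granted access, so the default is fail-open. Modeled
# patterns: ALL, trailing-dot prefix ("211.182.241."), net/mask, "A EXCEPT B".
def pattern_matches(pattern, client_ip):
    # One client-list token against an IPv4 client address.
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 211.182.241.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.endswith("."):  # trailing dot: match on the leading octets only
        return client_ip.startswith(pattern)
    return client_ip == pattern  # a bare address must match exactly

def client_list_matches(client_list, client_ip):
    # "tokens" or "tokens EXCEPT tokens"; the EXCEPT part removes matches.
    if " EXCEPT " in client_list:
        included, excluded = client_list.split(" EXCEPT ", 1)
        return (client_list_matches(included, client_ip)
                and not client_list_matches(excluded, client_ip))
    tokens = client_list.replace(",", " ").split()
    return any(pattern_matches(tok, client_ip) for tok in tokens)

def file_matches(rules, daemon, client_ip):
    # True if any "daemon_list : client_list" line in the file matches.
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemon_list, client_list = line.split(":", 1)
        daemons = daemon_list.replace(",", " ").split()
        if ("ALL" in daemons or daemon in daemons) and client_list_matches(client_list, client_ip):
            return True
    return False

def access_decision(hosts_allow, hosts_deny, daemon, client_ip):
    # First file with a matching line wins; no match anywhere means "allow".
    if file_matches(hosts_allow, daemon, client_ip):
        return "allow"
    if file_matches(hosts_deny, daemon, client_ip):
        return "deny"
    return "allow"
# The two configurations from the thread, as constructed file contents.
FAIL_OPEN_DENY = "sshd : 211.182.241.\n"  # Robert's hosts.deny (hosts.allow assumed empty)
FAIL_SAFE_ALLOW = "sshd: 192.168.1.\n"    # Matthew's hosts.allow
FAIL_SAFE_DENY = "ALL: ALL\n"             # Matthew's hosts.deny
```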