On 12/10/05, wwp <subscript@xxxxxxx> wrote:
> Hello Scot,
>
> On Tue, 06 Dec 2005 21:15:04 -0500 "Scot L. Harris" <webid@xxxxxxxxxx> wrote:
>
> > On Tue, 2005-12-06 at 20:58, Ben Halicki wrote:
> > > Hi all,
> > >
>
> BTW, is there a way to make ssh allowing root access from a specific
> interface (local for instance) and denying it from other ones (external)?

I have to say this is a bad idea.

Root access directly has no accountability. Log in via a normal ID and sudo or, if you really need to, su. Now you have accountability.

Second, you are creating complexity, which is the nemesis of security. Complex solutions are more vulnerable due to the chance for error.

Use depth in defense. Multiple simple layers of security... firewall, local iptables, ssh, no root access, sudo, logs....

--
Leonard Isham, CISSP
Ostendo non ostento.