How can I block IP address range with sshd_config

Robert Locke rlocke at ralii.com
Wed Jul 28 16:13:24 UTC 2004


On Wed, 2004-07-28 at 10:23, Matthew Miller wrote:
> On Tue, Jul 27, 2004 at 12:53:58PM -0400, Robert Locke wrote:
> > Add the following to your /etc/hosts.deny file:
> > sshd : 211.182.241.
> > (note the trailing dot - it is needed)
> > - or -
> > sshd : 211.182.241.0/255.255.255.0
> 
> I find the tcp wrappers configuration to be more straightforward (and more
> secure) if you change the config to be 'fail-safe' instead of 'fail-open'.
> In other words, put:
> 
>   ALL:ALL
> 
> in hosts.deny, so the default is to block *everything*. Then, explicitly
> turn on the services you want for the source addresses you want:
> 
>   sshd: 192.168.1.      <- or whatever your real allowed subnets are
> 
> or you can do
> 
>   sshd: ALL EXCEPT 211.182.241.
> 
> 
> This way, you never need to track back and forth between hosts.allow and
> hosts.deny, or think about what has precedence, or anything. Simply leave
> only ALL:ALL in hosts.deny, and manage everything in one place.

Not to cut the hairs toooooo fine, but recommending to someone new to
set ALL:ALL in hosts.deny is going to disable ALL services that use
tcp_wrappers.  While I agree that is the "long-term" preferred approach,
we are now perhaps breaking and affecting services we were unaware
of....

But then again, I also say tomahto....

--Rob
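
To make the precedence the two replies above are arguing about concrete, here is an added example that is not part of the original thread and not tcp_wrappers' own code: a small Python model of how libwrap evaluates `/etc/hosts.allow` and `/etc/hosts.deny`. It follows the documented order (hosts.allow is consulted first, then hosts.deny, and a client that matches neither is allowed, i.e. fail-open), and supports the client-list forms used in the thread: `ALL`, a trailing-dot prefix such as `211.182.241.`, a `net/mask` pair, and `ALL EXCEPT ...`. The sample policies and client addresses are constructed for the demonstration; the `access_decision` helper and the simplified matching are assumptions of this model, not the real library.

```python
import ipaddress


def _client_matches(pattern, ip):
    """True if one client pattern matches the client IP.

    Simplified model of libwrap's host matching: ALL, a trailing-dot
    prefix ('211.182.241.'), a 'net/mask' pair, or an exact address.
    A prefix without the trailing dot falls through to the exact-address
    comparison and matches nothing, which is why the dot is needed.
    """
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(ip) in network
    return ip == pattern


def _list_matches(client_list, ip):
    """Evaluate a client list, honouring 'list_1 EXCEPT list_2'."""
    if " EXCEPT " in client_list:
        head, tail = client_list.split(" EXCEPT ", 1)
        return _list_matches(head, ip) and not _list_matches(tail, ip)
    return any(_client_matches(p, ip) for p in client_list.split(","))


def _daemon_matches(daemon_list, daemon):
    """True if the daemon field names this service (ALL or the exact name)."""
    return any(d.strip() in ("ALL", daemon) for d in daemon_list.split(","))


def _file_matches(lines, daemon, ip):
    """First rule in an access-control file that matches this (daemon, client)."""
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                          # malformed; libwrap logs and skips
        daemons, clients = fields[0], fields[1]   # an optional 3rd field (shell cmd) is ignored
        if _daemon_matches(daemons, daemon) and _list_matches(clients, ip):
            return True
    return False


def access_decision(hosts_allow, hosts_deny, daemon, ip):
    """tcp_wrappers order: hosts.allow first, then hosts.deny, else allow."""
    if _file_matches(hosts_allow, daemon, ip):
        return "allow"
    if _file_matches(hosts_deny, daemon, ip):
        return "deny"
    return "allow"    # fail-open default when no rule matches


# --- constructed policies mirroring the thread -------------------------------

# Rob's minimal change: deny one subnet in hosts.deny, allow everything else.
ROB_ALLOW = []
ROB_DENY = ["sshd : 211.182.241."]

# Matthew's fail-safe layout: ALL:ALL in hosts.deny, explicit allows elsewhere.
MATT_ALLOW = ["sshd : 192.168.1."]
MATT_DENY = ["ALL:ALL"]

# Matthew's alternative using ALL EXCEPT, with the same fail-safe hosts.deny.
EXCEPT_ALLOW = ["sshd : ALL EXCEPT 211.182.241."]

# The net/mask spelling from Rob's first mail, equivalent to the dotted prefix.
MASK_DENY = ["sshd : 211.182.241.0/255.255.255.0"]


if __name__ == "__main__":
    cases = [
        ("Rob, blocked subnet", ROB_ALLOW, ROB_DENY, "sshd", "211.182.241.7"),
        ("Rob, other wrapped service", ROB_ALLOW, ROB_DENY, "vsftpd", "211.182.241.7"),
        ("Matt, allowed subnet", MATT_ALLOW, MATT_DENY, "sshd", "192.168.1.20"),
        ("Matt, other wrapped service", MATT_ALLOW, MATT_DENY, "vsftpd", "192.168.1.20"),
        ("ALL EXCEPT, blocked subnet", EXCEPT_ALLOW, MATT_DENY, "sshd", "211.182.241.7"),
    ]
    for label, allow, deny, daemon, ip in cases:
        print(f"{label:30s} {daemon:7s} {ip:16s} -> {access_decision(allow, deny, daemon, ip)}")
```

The fourth case is Rob's objection in code: with `ALL:ALL` in hosts.deny, a wrapped service that nobody added to hosts.allow is refused for every client, not just for the subnet the original poster wanted to block.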
