How can I block IP address range with sshd_config

David Keen zen46443 at
Thu Jul 29 18:13:17 UTC 2004

On Wed, 2004-07-28 at 15:23, Matthew Miller wrote:

> I find the tcp wrappers configuration to be more straightforward (and more
> secure) if you change the config to be 'fail-safe' instead of 'fail-open'.
> In other words, put:
> in hosts.deny, so the default is to block *everything*. Then, explicitly
> turn on the services you want for the source addresses you want:
>   sshd: 192.168.1.      <- or whatever your real allowed subnets are
> or you can do
>   sshd: ALL EXCEPT 211.182.241.
> This way, you never need to track back and forth between hosts.allow and
> hosts.deny, or think about what has precedence, or anything. Simply leave
> only ALL:ALL in hosts.deny, and manage everything in one place.

>From man hosts_options:

The allow and deny keywords make it possible to keep all access control
rules within a single file, for example in the hosts.allow file.
       To permit access from specific hosts only:
          ALL: .friendly.domain: ALLOW
          ALL: ALL: DENY
       To permit access from all hosts except a few trouble makers:
          ALL: .bad.domain: DENY
          ALL: ALL: ALLOW

David Keen <zen46443 at>

More information about the users mailing list