
Re: Disabling access to SSH



Hello

andreas.sumper@nimbus.at (<andreas.sumper@nimbus.at>) wrote:
> Mark Maas <mark@menem.mine.nu> wrote on 16.11.2004 08:50:57:
> 
>> I'm trying to restrict access to my ssh server from the outside to
>> allow only two IP addresses and the internal lan of course.
>> And deny access to everyone else.
>> 
>> People are trying the guess a username and password tactic a little
>> too much to my liking...

You could additionally disable password logins and use keys instead, at
least for root (or better, disable root logins completely), and make
sure that the user names commonly scanned for are not available
(guest?).

>> Do I use hosts.deny, hosts.allow for this? If so, which one takes
>> precedence?
> 
> I use iptables, so that I do not have to worry about such things.
> just allow the two addresses and drop all others...
> 
> If you like to use hosts.deny and hosts.allow, I believe that
> hosts.deny overrules hosts.allow. This is at least, how I experienced
> the two configs.

According to `man hosts_access`, first hosts.allow is checked. If a
matching entry is found, the check is stopped, and access will be
granted. If not, hosts.deny will be checked. If no matching entry is
found in hosts.deny, access will be allowed. If a matching entry is
found in hosts.deny, access will be denied. That means it should be
possible to list the allowed IPs and networks in hosts.allow, and
disallow access from everywhere in hosts.deny.

best regards
 Andreas Janssen

-- 
Andreas Janssen <andreas.janssen@bigfoot.com>
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html
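
The lookup order described in the reply above, as an added example that is not part of the original message: a simplified Python model of the hosts.allow / hosts.deny check. It handles only ALL, exact IPv4 addresses, trailing-dot prefixes and net/mask patterns; the rule contents and addresses are constructed.

```python
import ipaddress

# Constructed sample files; addresses are documentation/private ranges.
HOSTS_ALLOW = """\
# two outside hosts and the internal LAN
sshd: 192.0.2.10, 198.51.100.7
sshd: 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = "sshd: ALL\n"

def items(field):
    """Split a daemon or client list on commas and/or blanks."""
    return field.replace(",", " ").split()

def parse(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        fields = line.split(":")  # an optional third field is ignored here
        rules.append((items(fields[0]), items(fields[1])))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):   # address prefix, e.g. "192.168.1."
        return ip.startswith(pattern)
    if "/" in pattern:          # net/mask form
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return pattern == ip        # exact address

def rule_hit(rules, daemon, ip):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, ip) for p in clients)
               for daemons, clients in rules)

def access_granted(daemon, ip, allow_text, deny_text):
    """hosts.allow match grants; else hosts.deny match denies; else grant."""
    if rule_hit(parse(allow_text), daemon, ip):
        return True
    return not rule_hit(parse(deny_text), daemon, ip)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.168.1.23", "203.0.113.99"):
        print(ip, access_granted("sshd", ip, HOSTS_ALLOW, HOSTS_DENY))
```

Passing an empty string as the hosts.deny text makes every address fall through to "granted", which is why the deny-everything entry is needed alongside the allow list.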


