No need for tcp_wrappers
Posted by: Anonymous Coward on March 30, 2007 08:41 PM
Actually, you don't need to resort to tcp_wrappers or iptables to filter by host. OpenSSH can do this all by itself, with more granularity, thanks to the recent "Match" directive. For instance, here's how we achieve the same things you described in the article:

    Match Address 192.168.1.*,193.180.177.13
    AllowUsers anze dasa kimy

By the way, some more options have security impact. Consider doing:

    AddressFamily inet
    AllowTcpForwarding no
    MaxAuthTries 3

To restrict to IPv4 (and reject IPv6), deny TCP forwarding, and circumvent brute force attacks.
Also, if you don't use PAM, consider using UsePrivilegeSeparation.
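
An added example, not part of the comment above and not OpenSSH code: a simplified Python model of how these directives resolve for a given client address, useful for seeing that an `AllowUsers` placed under `Match Address` is in effect only for connections from the matched addresses. It assumes only `Match Address` criteria with wildcard or CIDR patterns; the function names and the sample config layout are constructed for illustration.

```python
import fnmatch
import ipaddress

# Constructed sample: the comment's directives, with the Match block last
# because every line after a Match line belongs to that block.
SAMPLE_CONFIG = """\
AddressFamily inet
AllowTcpForwarding no
MaxAuthTries 3
Match Address 192.168.1.*,193.180.177.13
    AllowUsers anze dasa kimy
"""

def addr_matches(addr, pattern_list):
    """True if addr matches any entry of a comma-separated list (wildcard or CIDR)."""
    for pat in pattern_list.split(","):
        if "/" in pat:
            if ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False):
                return True
        elif fnmatch.fnmatchcase(addr, pat):
            return True
    return False

def effective_settings(config_text, addr):
    """Simplified model: global keywords, overridden by matching Match Address blocks."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            criterion, _, patterns = value.partition(" ")
            # A space inside the pattern list splits it into a bogus extra criterion.
            if criterion.lower() != "address" or " " in patterns.strip():
                raise ValueError("unsupported Match line: " + line)
            target, active = match_opts, addr_matches(addr, patterns.strip())
        elif active:
            target.setdefault(keyword, value)  # first value seen wins
    return {**global_opts, **match_opts}

def login_permitted(config_text, user, addr):
    """AllowUsers check only: with no AllowUsers in effect, every user passes it."""
    allowed = effective_settings(config_text, addr).get("allowusers")
    return allowed is None or any(fnmatch.fnmatchcase(user, p) for p in allowed.split())
```

On a real host, `sshd -t` checks the file for syntax errors and `sshd -T -C user=...,addr=...` prints the settings that apply to a specific connection.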