On Sat, 4 Sep 2004, Volker Kindermann wrote:

> Hi,
>
> > I'm willing to open up my box to a subnet xxx.xxx.xxx.0 but so far the range
> > of ip addresses he is getting is so large, it will defeat the purpose of
> > blocking ssh because I would have to open up to so many ranges. Is there any
> > solution?
>
> it might be necessary to open port 22 for all ip-addresses.
>
> To lock it down, you may want to put the allowed ssh-users in a group (say
> ssh-users) and add "AllowGroups ssh-users" to your sshd_config.

Hmm... alternatively, he could use TCP Wrappers.

In /etc/hosts.deny, add:

    sshd: ALL

And in /etc/hosts.allow, add:

    sshd: put.ip.addr.here/put.net.mask.here

Either way will require maintaining a list.

> Additionally you may want to disable password-login and allow only
> key-based login.

This is always an option, as I noted, too.

--
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a message to:
site-update-request@xxxxxxxxxxxxxxxxx with a message of: subscribe

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
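To check what the hosts.allow / hosts.deny pair suggested above would actually do for a given client before relying on it, here is an added example (not code from the thread) that evaluates the tcp_wrappers rule order for sshd: hosts.allow is consulted first, then hosts.deny, and a client matching neither is admitted. The file contents, addresses and function names are constructed for the example; it handles only the plain "daemon_list : client_list" line form with ALL, exact address, net/mask and trailing-dot prefix patterns.

```python
import ipaddress

# Constructed sample file contents, mirroring the two lines proposed in the mail
# (the real files are /etc/hosts.allow and /etc/hosts.deny).
HOSTS_ALLOW = """
# one trusted subnet plus one management host
sshd: 192.168.10.0/255.255.255.0
sshd: 10.0.0.5
"""
HOSTS_DENY = """
sshd: ALL
"""

def parse_rules(text):
    """Return [(daemon_set, [client_pattern, ...]), ...] from a hosts.allow or
    hosts.deny body. Comments and blank lines are skipped; the optional
    shell-command and EXCEPT forms from hosts_access(5) are not handled here."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(({d.strip() for d in daemons.split(",")},
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, addr):
    """Match one client pattern as hosts_access(5) describes for IPv4:
    ALL, an exact address, 'net/mask' with a dotted mask, or 'prefix.'."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # IPv4Network accepts the dotted net/mask spelling used by tcp_wrappers
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern

def sshd_access(addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY, daemon="sshd"):
    """True if the client would be admitted: first matching hosts.allow rule
    wins, then first matching hosts.deny rule, otherwise access is granted."""
    for text, verdict in ((allow, True), (deny, False)):
        for daemons, clients in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and any(
                    client_matches(c, addr) for c in clients):
                return verdict
    return True  # no rule matched in either file: tcp_wrappers default is allow
```

The last assertion-worthy case is the one the deny line exists for: with no "sshd: ALL" in hosts.deny, an address outside the allowed subnet is still let through.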