You might also have a look at hosts.allow and hosts.deny
(http://linux.about.com/od/commands/l/blcmdl5_hostsal.htm is just the
first google result; the man pages certainly have more info, but I
don't use hosts.* myself so I can only really provide a pointer). I'm
not sure that really adds anything that the firewall rule wouldn't
already, though.

well, if i understood the question correctly, this should do.

put to file /etc/hosts.allow:
ALL:ALL

put to file /etc/hosts.deny:
sshd: .your.domain.com allowed_ip_addresses allowed_networks
allowed_hostnames


you can put more or less anything on the line and control who's allowed
to connect (man hosts.deny). i'd say it is straightforward and works
immediatelly without a need to (re)configure a firewall.


best,

--
Lubos _@_"
http://www.lubos.vrbka.net


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Lubos Vrbka wrote:

> you can put more or less anything on the line and control who's allowed
> to connect (man hosts.deny). i'd say it is straightforward and works
> immediatelly without a need to (re)configure a firewall.

You mean people actually still use tcp wrappers after all these
years? wow. I don't think I've come across a system that has
used them since the late 90s.

nate


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On 09/19/2008 12:32 PM, Lubos Vrbka wrote:

well, if i understood the question correctly, this should do.

put to file /etc/hosts.allow:
ALL:ALL

put to file /etc/hosts.deny:
sshd: .your.domain.com allowed_ip_addresses allowed_networks
allowed_hostnames


you can put more or less anything on the line and control who's allowed
to connect (man hosts.deny). i'd say it is straightforward and works
immediatelly without a need to (re)configure a firewall.


best,



Those look backward to me:

file: /etc/hosts.allow:
ALL: LOCAL 127.0.0.0/8
sshd: 192.168.0.0/24

file: /etc/hosts.deny:
ALL:ALL



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On 2008-09-19, Mumia W.. <paduille.4061.mumia.w+nospam@earthlink.net> wrote:
> On 09/19/2008 12:32 PM, Lubos Vrbka wrote:
>> well, if i understood the question correctly, this should do.
>>
>> put to file /etc/hosts.allow:
>> ALL:ALL
>>
>> put to file /etc/hosts.deny:
>> sshd: .your.domain.com allowed_ip_addresses allowed_networks
>> allowed_hostnames
>>
>> you can put more or less anything on the line and control who's allowed
>> to connect (man hosts.deny). i'd say it is straightforward and works
>> immediatelly without a need to (re)configure a firewall.
>>
>> best,
>>
>
> Those look backward to me:
>
> file: /etc/hosts.allow:
> ALL: LOCAL 127.0.0.0/8
> sshd: 192.168.0.0/24
>
> file: /etc/hosts.deny:
> ALL:ALL

Thanks everyone. I didn't think of using the hosts file; And agree
with at least one poster, that this can be done in both sshd and hosts.
Can never be too secure eh ?

Cheers,

Steve


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On 2008-09-19, Jeff Soules <soules@gmail.com> wrote:
> Well, one option is to just set a rule-pair in your firewall:
>
> iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j DROP

Good suggestion. I think I'll try all 3 suggestions.

Thanks to Nate as well.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Hi:

man 5 sshd_config

Edit /etc/ssh/sshd_config and add the following line:

AllowUsers *@192.168.*.*

ListenAddress directive is another way to achieve your purpose, but
iptables and tcp wrappers (hosts.allow & hosts.deny) are also valid methods.


Bye

S.D.Allen escribió:

Greetings;

I can seem to figure out which config file to edit and what to enter
to allow only hosts on the LAN to connect via SSH. I'll have the box
in question available to the entire Internet and want to disable
global access to SSH. Presently I'm using password authentication, and
would prefer to keep it this way, as opposed to allowing access via
trusted key.

Thanks.





--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On 2008-09-22, Jason Voorhees <jvoorhees1@gmail.com> wrote:
> Hi:
>
> man 5 sshd_config
>
> Edit /etc/ssh/sshd_config and add the following line:
>
> AllowUsers *@192.168.*.*
>
> ListenAddress directive is another way to achieve your purpose, but
> iptables and tcp wrappers (hosts.allow & hosts.deny) are also valid methods.

Amazing how many ways there are to 'skin the cat'. Thanks for yours.

I skimmed over the man for sshd but didn't realize there was one for
'sshd_config'. The older I get the more I learn. 8-)


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org