From: Chris <racerx@makeworld.com>
Date: Sun, 10 Apr 2005 09:34:26 -0500
To: freebsd-questions@freebsd.org
Subject: Re: How can I log every login via telnet?
Message-ID: <42593972.1040805@makeworld.com>
In-Reply-To: <1878091587.20050410102441@wanadoo.fr>
Anthony Atkielski wrote:
> Sandy Rutherford writes:
>
>> See login.access(5) and login.conf(5). Both provide this
>> functionality.
>
> I've tried this and I've obtained weird results.
>
> Supposedly login stops at the first match in the login.access file. So
> I used this:
>
> +:ALL:console
> +:ALL:LOCAL
> +:xxx yyy:ALL EXCEPT 216.134.77.112 161.13.67.41
> -:ALL:ALL
>
> The idea is to prohibit any logins from anywhere except the LAN and
> console for all users except xxx and yyy (and even for those two, logins
> are not accepted from two specific IP addresses). But as soon as I add
> the -:ALL:ALL at the end, logins are disallowed for everyone except xxx
> and yyy, even on the LAN, and even with ssh. I'm perplexed.

Anthony,

If you are using ipfw, you could do something like this:

# Allow in only a few Telnet, SFTP, SSH, and SCP from public Internet
${fwcmd} add 090 pass log tcp from 161.13.67.41,216.134.77.112 to ${ip} 23 setup limit src-addr 5

What this does is allow the above-mentioned in from the above-mentioned IPs - THEN, only allows a connection of 5. Something to think about if you run the firewall. To the rest of the outside, users will get dead space if they try to telnet in.

--
Best regards,
Chris

If opportunity came disguised as temptation, one knock would be enough.
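As an added example (not code from this thread), a small Python evaluator that applies login.access(5) first-match semantics to Anthony's table above, so a rule set can be checked offline before it locks anyone out. Per login.access(5), LOCAL matches only an origin string containing no '.', so a LAN host that login sees as a dotted name or an IP literal never matches it and falls through to -:ALL:ALL; that is one thing to verify when LOCAL seems not to cover the LAN. The evaluator is simplified (no @group entries, no leading- or trailing-dot network patterns), and the user names and origins in the checks are constructed.

```python
# Added example: minimal login.access(5) evaluator, first match wins.
# Simplifications: no "@group" user entries and no ".domain"/"net." prefix
# patterns; an origin is matched as a tty name, host name or IP literal.

def _match_item(item, value):
    if item == "ALL":
        return True
    if item == "LOCAL":              # login.access(5): any string without a '.'
        return "." not in value
    return item == value

def _match_list(field, value):
    """Match a whitespace-separated list, honouring 'ALL EXCEPT ...'."""
    words = field.split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        incl, excl = words[:i], words[i + 1:]
    else:
        incl, excl = words, []
    return (any(_match_item(w, value) for w in incl)
            and not any(_match_item(w, value) for w in excl))

def parse_rules(text):
    """Parse 'perm:users:origins' lines; blank lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (p.strip() for p in line.split(":", 2))
        rules.append((perm, users, origins))
    return rules

def check_login(rules, user, origin):
    """True if the login is permitted. The first rule whose user and origin
    fields both match decides; with no matching rule, access is granted."""
    for perm, users, origins in rules:
        if _match_list(users, user) and _match_list(origins, origin):
            return perm == "+"
    return True

# The rule set posted in the thread.
RULES = parse_rules("""
+:ALL:console
+:ALL:LOCAL
+:xxx yyy:ALL EXCEPT 216.134.77.112 161.13.67.41
-:ALL:ALL
""")

if __name__ == "__main__":
    for user, origin in [("bob", "lanbox"), ("bob", "192.168.0.5"),
                         ("xxx", "192.168.0.5"), ("yyy", "216.134.77.112")]:
        print(user, origin, "allowed" if check_login(RULES, user, origin) else "denied")
```

Running the checks with the last rule removed (RULES[:-1]) shows the dotted LAN origin is then admitted only by the no-match default, which is exactly what -:ALL:ALL takes away.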