Date:      Fri, 23 Jul 2004 13:54:22 +0100
From:      Peter Risdon <peter@circlesquared.com>
To:        Alex de Kruijff <freebsd@akruijff.dds.nl>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Best way to limit SSH to LAN IP's only ?
Message-ID:  <41010A7E.8080301@circlesquared.com>
In-Reply-To: <20040723123936.GA795@alex.lan>
References:  <20040723120102.009B116A4DF@hub.freebsd.org> <3.0.6.32.20040723132012.007d8e50@mail.uk2.net> <20040723123936.GA795@alex.lan>

Alex de Kruijff wrote:
> On Fri, Jul 23, 2004 at 01:20:12PM +0100, Graham Bentley wrote:
> 
>>Hi All,
>>
>>Wondered what is the best way to do this ?
>>
>>Do I have to get involved with host.allow / deny
>>or better to use the sshd config ?
> 
> 
> Hi,
> 
> The hosts.allow states:
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
> 
> Another way would be to implement this behaviour with a firewall like
> ipfw or ipf.
> 

/etc/ssh/sshd_config is also an option. From man sshd_config:

   ListenAddress
              Specifies the local addresses sshd should listen on.  The
              following forms may be used:

                    ListenAddress host|IPv4_addr|IPv6_addr
                    ListenAddress host|IPv4_addr:port
                    ListenAddress [host|IPv6_addr]:port

              If port is not specified, sshd will listen on the address and
              all prior Port options specified. The default is to listen on
              all local addresses.  Multiple ListenAddress options are
              permitted.  Additionally, any Port options must precede this
              option for non port qualified addresses.



Peter.
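
Added example, not part of the original message: a small Python check that applies the ListenAddress rules quoted above to an sshd_config text and reports every socket that is not bound to a private, loopback or link-local address. The function names and both sample configs are constructed for illustration; ListenAddress selects the local address sshd binds to, so the check looks at the server's own addresses, not at client source addresses.

```python
import ipaddress

# Constructed sample configs (not from the original message).
SAMPLE_DEFAULT = "Port 22\n#ListenAddress 0.0.0.0\n"
SAMPLE_LAN = ("Port 22\nPort 2222\n"
              "ListenAddress 192.168.1.10\n"
              "ListenAddress [fe80::1]:2200\n")

def split_listen(value):
    """Split a ListenAddress value into (host, port or None)."""
    if value.startswith("["):                  # [host|IPv6_addr]:port
        host, _, rest = value[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else None
    if value.count(":") == 1:                  # host|IPv4_addr:port
        host, port = value.split(":")
        return host, int(port)
    return value, None                         # bare host, IPv4 or IPv6 address

def effective_listeners(config_text):
    """Return the (host, port) pairs sshd binds, per the quoted man page text."""
    ports, listeners = [], []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "port":
            ports.append(int(val))
        elif key == "listenaddress":
            host, port = split_listen(val)
            # No port given: use every Port seen so far (22 if none).
            for p in ([port] if port else (ports or [22])):
                listeners.append((host, p))
    if not listeners:                          # default: all local addresses
        listeners = [(h, p) for h in ("0.0.0.0", "::") for p in (ports or [22])]
    return listeners

def non_lan(listeners):
    """Listeners not confined to a private, loopback or link-local address."""
    flagged = []
    for host, port in listeners:
        try:
            ip = ipaddress.ip_address(host)
            local = ip.is_private or ip.is_loopback or ip.is_link_local
            ok = local and not ip.is_unspecified
        except ValueError:                     # hostname: not resolved offline
            ok = False
        if not ok:
            flagged.append((host, port))
    return flagged
```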


