[PLUG] denyhosts not blocking some ssh attempts
Rich Shepard
rshepard at appl-ecosys.com
Fri Jan 16 18:00:06 UTC 2009
On Fri, 16 Jan 2009, Quentin Hartman wrote:
> If all your legitimate users are allowed to SSH in, what's the point
> of specifically allowing users?
Quentin,
Not all of us can.
> The number of users doesn't matter so much as the number of IPs they will
> be coming from. If you have a known subset of IPs from which all
> legitimate access will originate, hosts.allow with an implicit deny makes
> sense. If not, it's likely to become a management headache.
No implicit deny here. But only known usernames are allowed.
> In a nutshell, IPs in .deny are not allowed to connect, IPs in .allow are.
> That is grossly oversimplified though.
Actually, your answer to the second part of my first question is a better
answer. By specifying ALL: in /etc/hosts.allow there's no need to specify IP
addresses. That would be a major hassle when traveling on business and
connecting from all sorts of strange places -- including the brewpub on
Friday evening. Therefore, the onus for security is on /etc/hosts.deny and
there the default is ALL: unless it's a known username asking to come in.
Thanks,
Rich
--
Richard B. Shepard, Ph.D. | Integrity Credibility
Applied Ecosystem Services, Inc. | Innovation
<http://www.appl-ecosys.com> Voice: 503-667-4517 Fax: 503-667-8863
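
The lookup order that TCP wrappers (hosts_access(5)) applies to the two files discussed in this thread, as an added example that is not part of the original message. The file contents and addresses are constructed, and the model covers only `ALL`, exact IPv4 addresses and trailing-dot prefixes (no `EXCEPT`, hostnames or netmasks).

```python
# Simplified model of the TCP wrappers lookup order from hosts_access(5).
# Only "ALL", exact IPv4 addresses and trailing-dot prefixes are modelled.

def parse_rules(text):
    """Return [(daemons, clients)] from 'daemon_list : client_list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line, skipped in this model
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # e.g. "192.0.2." matches 192.0.2.10
        return ip.startswith(pattern)
    return pattern == ip

def file_matches(text, daemon, ip):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in parse_rules(text)
    )

def decide(allow_text, deny_text, daemon, ip):
    """hosts.allow is searched first; the search stops at the first match."""
    if file_matches(allow_text, daemon, ip):
        return "allow (hosts.allow)"
    if file_matches(deny_text, daemon, ip):
        return "deny (hosts.deny)"
    return "allow (default)"

# Constructed file contents; addresses are from documentation ranges.
ALLOW_ALL = "sshd: ALL\n"
ALLOW_SCOPED = "sshd: 192.0.2.\n"
DENY = "# entry of the kind a blocker such as denyhosts adds\nsshd: 203.0.113.45\n"

if __name__ == "__main__":
    for name, allow in (("sshd: ALL", ALLOW_ALL), ("sshd: 192.0.2.", ALLOW_SCOPED)):
        for ip in ("203.0.113.45", "192.0.2.10", "198.51.100.7"):
            print(f"hosts.allow [{name}] {ip}: {decide(allow, DENY, 'sshd', ip)}")
```

With the blanket rule the listed address is accepted by hosts.allow before hosts.deny is read; with the scoped rule the same address falls through to hosts.deny and is refused.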