From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1LQSjW-0002wL-GI for garchives@archives.gentoo.org; Fri, 23 Jan 2009 20:34:30 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AE660E089D; Fri, 23 Jan 2009 20:34:28 +0000 (UTC) Received: from mail-ew0-f21.google.com (mail-ew0-f21.google.com [209.85.219.21]) by pigeon.gentoo.org (Postfix) with ESMTP id 4E3A4E089D for ; Fri, 23 Jan 2009 20:34:28 +0000 (UTC) Received: by ewy14 with SMTP id 14so4663740ewy.10 for ; Fri, 23 Jan 2009 12:34:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:to:subject :content-disposition:from:date:mime-version:content-type :content-transfer-encoding:message-id; bh=YZiZ5oI4cU+nQJ8G0vvvxF55IL8DYEyNvI0Vj5I85aw=; b=Y7hyBfargxU8HtjQhSdVSdE2BLuVWOOI8ccQm/TniFwZ3dnMcfEeSEImS1+OnEj15D U57KvuOtyWJCgT/g3DEccVsxxyhEph5kj3wimQfj/RBI9FRfIExJ2Vg2FUOUB0BONMEd sQDrEzpGLAUkNoZ7Nj4ikISeRgrURbNHFxh9g= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=to:subject:content-disposition:from:date:mime-version:content-type :content-transfer-encoding:message-id; b=AvYGPQxE8G4Qh+Kd6lnKP7luZ6S8tugPAgchy8/10nnQ77blgYMIgLN0noQ7/FZ5pQ mRbTwWfMT49dz+PHjriXr9ldAHK5R0HGi6T0zvDwme7knh04odvGKgCgWE79YYUQo7nK 1K8s1pRvgu5P9jTmg3TD5mEa34m+rZKUTXDXw= Received: by 10.210.135.17 with SMTP id i17mr7100009ebd.58.1232742867606; Fri, 23 Jan 2009 12:34:27 -0800 (PST) Received: from ?172.20.0.4? ([196.210.139.153]) by mx.google.com with ESMTPS id 7sm336744eyg.52.2009.01.23.12.34.26 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 23 Jan 2009 12:34:26 -0800 (PST) To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Re: Why isn't sshd blocking repeated failed login attempts? Content-Disposition: inline From: Alan McKinnon Date: Fri, 23 Jan 2009 22:33:21 +0200 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200901232233.21122.alan.mckinnon@gmail.com> X-Archives-Salt: 76942c9f-3a81-4b3d-8d08-453a7be4b3df X-Archives-Hash: d91f5577d87ec864e748af6a5e2c2d40 On Friday 23 January 2009 22:22:17 Paul Hartman wrote: > I essentially want it to work the other way around. Deny access by > default unless there is an allow rule. I don't think I can do that, > though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will > deny ME access to my own machine. I don't want that. Since I don't > have a specific IP i will connect from, I can't allow any specific IP > (or else I'd be doing it that way already). > > How can I accomplish this?: > > Allow all ssh connections unless they are in hosts.deny > Deny all other connections unless they are in hosts.allow Have you looked at port knocking? It's a complete ball ache to set up and use, far less useful than it seems, but it might also solve your conundrum. A friend once mentioned on a forum that he'd managed to set up static libwrap rules in hosts.allow|deny for addresses that don't change and additionally port-knocking for himself to open up port 22 for a few minutes. I don't recall how he did this, only that he claimed to have done it. -- alan dot mckinnon at gmail dot com