SSH allow only from selected IPs
on 14.08.2004 12:34:45 by Kev
hi,
i have a redhat enterprise 3 linux box, how can i configure the SSH daemon
to only allow SSH connections from selected IPs?
i have 3 IP ranges that i need to allow, how can i do this?
thanks a lot
Kev
-------
Web Hosting at a cheap price, starting at $1 per month with your own domain, .COM, .NET, .LK, .ORG etc..
PHP, CGI, Perl, MySQL, Cpanel 9, POP3, POP3s, SMTP, IMAP, FTP,
http://www.orbitsl.net
-
To unsubscribe from this list: send the line "unsubscribe linux-config" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: SSH allow only from selected IPs
on 14.08.2004 12:54:21 by James Turnbull
Kev wrote:
>hi,
>
>i have a redhat enterprise 3 linux box, how can i configure the SSH daemon
>to only allow SSH connections from selected IPs?
>
>i have 3 IP ranges that i need to allow, how can i do this?
>
>thanks a lot
>Kev
Use your firewall rules. Something like:
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT
Where 192.168.0.0/24 is the range you are allowing.
Regards
James
Re[2]: SSH allow only from selected IPs
on 14.08.2004 13:18:11 by Kev
>>
>>i have a redhat enterprise 3 linux box, how can i configure the SSH daemon
>>to only allow SSH connections from selected IPs?
>>
>>i have 3 IP ranges that i need to allow, how can i do this?
>>
>>thanks a lot
>>Kev
>
>>
>Use your firewall rules. Something like:
>
>iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
>iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT
>
>Where 192.168.0.0/24 is the range you are allowing.
anyway i can do this with the SSH config?
can i use the iptables rules for 2-3 IP ranges?
Re: SSH allow only from selected IPs
on 14.08.2004 13:42:58 by James Turnbull
Kev wrote:
>>Use your firewall rules. Something like:
>>
>>iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
>>iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT
>>
>>Where 192.168.0.0/24 is the range you are allowing.
>>
>>
>
>anyway i can do this with the SSH config?
>
>can i use the iptables rules for 2-3 IP ranges?
>
>
Have a read of:
http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html#45775
The firewall rules, yes, you can do more than one subnet:
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 10.0.0.0/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 10.0.0.0/24 --sport 22 -j ACCEPT
etc etc
Regards
James
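James's rule pairs, one per subnet, are the whole technique; what the mail does not show is the closing DROP that makes the ACCEPTs meaningful on a chain whose default policy is ACCEPT, nor a way to review the rule set for three ranges before loading it. The following is an added example (my own, not from James's mail or the list): a POSIX shell script that validates each range as IPv4 CIDR, then emits the ACCEPT pair per range and a final DROP for everything else on port 22. By default it only prints the rules; with APPLY=1 it runs them, which needs root and the iptables binary. The function names and the sample ranges are constructed for the example.

```shell
#!/bin/sh
# Added example: generate the iptables rules that allow SSH (tcp/22) only from
# a list of IPv4 ranges. Default is a dry run (the rules are printed for
# review); APPLY=1 executes them, which needs root and the iptables binary.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr=${1%%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32          # no slash: a single host
    [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                         # split the address into its octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run the command when applying, otherwise print it for review.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Emit the rule set for the ranges given as arguments.
ssh_allow_rules() {
    [ $# -gt 0 ] || { echo 'no ranges given' >&2; return 1; }
    for range in "$@"; do
        valid_cidr "$range" || { printf 'bad range: %s\n' "$range" >&2; return 1; }
        # New and established SSH sessions from the allowed range.
        run iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s "$range" --dport 22 -j ACCEPT
        # Return traffic of those sessions; ESTABLISHED is enough, the server
        # never opens a connection from port 22 itself.
        run iptables -A OUTPUT -p tcp -m state --state ESTABLISHED -d "$range" --sport 22 -j ACCEPT
    done
    # Everything else to port 22 is dropped. Without this line the ACCEPTs
    # above change nothing on a chain whose default policy is ACCEPT.
    run iptables -A INPUT -p tcp --dport 22 -j DROP
}

# Dry run over constructed ranges (not Kev's real networks).
ssh_allow_rules 192.168.0.0/24 10.0.0.0/24 203.0.113.0/24
```

Order matters in iptables too: the DROP is appended last so the per-range ACCEPTs are evaluated first, and a range that fails validation aborts the whole run rather than leaving a half-loaded chain.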
Re: SSH allow only from selected IPs
on 14.08.2004 13:46:23 by James Turnbull
Kev wrote:
Sorry: http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html
Regards
James
Re: Re[2]: SSH allow only from selected IPs
on 14.08.2004 13:52:19 by Luke
One very effective way that I have found to do this is to use the
'hosts.allow' file located at /etc/hosts.allow
OpenSSH uses this to restrict or allow access to the server from IP,
host names, etc. Keep in mind that using this method can restrict
access to the server using ANY method. To restrict only SSH you must
then also ALLOW all other system methods.
For instance, to block access to the server from any IP except
216.12.214.217, but allow all IPs to access the server using ftp,
use this syntax:
-------------------------------
ALL : 216.12.214.217 : ALLOW
vsftpd : ALL
ALL : ALL : DENY
--------------------------------
basically, this says, allow 216.12.214.217 access of any kind. Allow
anyone to access using VSFTP. Deny all others.
One other important note: hosts.allow only blocks or allows access
to system services such as SSH, FTP, HTTPD, etc. This will not
restrict access to a non-standard service such as a game server or
chat software running on port 10000.
Luke
>>>
>>>i have a redhat enterprise 3 linux box, how can i configure the SSH daemon
>>>to only allow SSH connections from selected IPs?
>>>
>>>i have 3 IP ranges that i need to allow, how can i do this?
>>>
>>>thanks a lot
>>>Kev
>>
>>>
>>Use your firewall rules. Something like:
>>
>>iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
>>iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT
>>
>>Where 192.168.0.0/24 is the range you are allowing.
>
> anyway i can do this with the SSH config?
>
> can i use the iptables rules for 2-3 IP ranges?
>
>
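Luke's three lines only behave as described because tcp_wrappers reads hosts.allow top to bottom and the first matching line wins: move the 'ALL : ALL : DENY' line to the top and every service is closed, including vsftpd. The script below is an added example (mine, not from Luke's mail or from the tcp_wrappers sources): a small POSIX shell evaluator of that first-match logic over a constructed hosts.allow, supporting the ALL, exact-address and trailing-dot prefix client patterns from hosts_access(5). A daemon list with several names and the net/mask form are left out, so treat it as a way to see why rule order matters, not as a replacement for the real tcpdmatch tool shipped with tcp_wrappers.

```shell
#!/bin/sh
# Added example: evaluate hosts.allow-style rules the way tcp_wrappers does,
# first matching line wins. The rule sets are constructed for the example,
# not copied from a real host.
GOOD_RULES='ALL : 216.12.214.217 : ALLOW
sshd : 192.168.0. : ALLOW
vsftpd : ALL
ALL : ALL : DENY'

# Same idea with the catch-all DENY moved to the top: nothing below it is reached.
BAD_RULES='ALL : ALL : DENY
ALL : 216.12.214.217 : ALLOW
vsftpd : ALL'

# Does client address $2 match pattern $1? Supports ALL, an exact address,
# and a trailing-dot prefix such as 192.168.0. (forms from hosts_access(5)).
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Print the first decision for daemon $2 and client $3 under rules $1:
# ALLOW, DENY, or NOMATCH (tcp_wrappers would then consult hosts.deny and
# allow the connection if nothing matches there either).
wrappers_decision() {
    printf '%s\n' "$1" | {
        daemon=$2; client=$3; result=NOMATCH
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac          # skip blanks and comments
            d=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ') # daemon_list
            c=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' ') # client_list
            o=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' ') # optional ALLOW/DENY
            case "$d" in ALL|"$daemon") ;; *) continue ;; esac
            pattern_matches "$c" "$client" || continue
            result=${o:-ALLOW}   # a line without an option in hosts.allow allows
            break
        done
        printf '%s\n' "$result"
    }
}

# Demo: the same daemon/client pairs under both orderings.
for pair in 'sshd 216.12.214.217' 'sshd 192.168.0.44' 'sshd 10.1.1.1' 'vsftpd 10.1.1.1'; do
    set -- $pair
    printf '%-7s %-16s good=%s bad=%s\n' "$1" "$2" \
        "$(wrappers_decision "$GOOD_RULES" "$1" "$2")" \
        "$(wrappers_decision "$BAD_RULES" "$1" "$2")"
done
```

On a real host the same question is answered by tcpdmatch (for example 'tcpdmatch sshd 10.1.1.1'), which reads the actual files and knows every pattern form; the point of the toy evaluator is that the decision for vsftpd flips from ALLOW to DENY purely by moving one line.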
Re[2]: SSH allow only from selected IPs
on 14.08.2004 13:54:00 by Kev
>>
>>anyway i can do this with the SSH config?
>>
>>can i use the iptables rules for 2-3 IP ranges?
>>
>>
>Have a read of:
>http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html#45775
>
>The firewall rules, yes, you can do more than one subnet:
>
>iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
>iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT
>
>iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 10.0.0.0/24 --dport 22 -j ACCEPT
>iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 10.0.0.0/24 --sport 22 -j ACCEPT
>
thanks a lot James, it's working fine.... thanks for the help.
Re: SSH allow only from selected IPs
on 15.08.2004 14:58:58 by James Turnbull
luke@techfreak.org wrote:
>One very effective way that I have found to do this is to use the
>'hosts.allow' file located at /etc/hosts.allow
>
>
>
hosts.allow is NOT secure. You can easily spoof the IP addresses
contained within it. You should not use it.
Regards
James
Re[2]: SSH allow only from selected IPs
on 15.08.2004 15:54:36 by Kev
>hosts.allow is NOT secure. You can easily spoof the IP addresses
>contained within it. You should not use it.
>
yeah, i'm using iptables and it's working fine
Re: SSH allow only from selected IPs
on 15.08.2004 16:59:36 by Luke
I'm definitely not a firewall expert, but isn't it also possible to
get around ipchains using IP spoofing? From what I know ipchains is only
protected against spoofing by using source address verification.
Or am I way off?
Luke
> luke@techfreak.org wrote:
>
>>One very effective way that I have found to do this is to use the
>>'hosts.allow' file located at /etc/hosts.allow
>
> hosts.allow is NOT secure. You can easily spoof the IP addresses
> contained within it. You should not use it.
>
> Regards
>
> James
>
Re: SSH allow only from selected IPs
on 16.08.2004 13:23:49 by James Turnbull
luke@techfreak.org wrote:
>I'm definitely not a firewall expert, but isn't it also possible to
>get around ipchains using IP spoofing? From what I know ipchains is only
>protected against spoofing by using source address verification.
>
>Or am I way off?
>
>Luke
>
>
A little off. :) Yes you can spoof iptables but not nearly as easily as
hosts.allow can be spoofed. Hosts.allow's verification procedures are
considerably less sophisticated than those of iptables.
Regards
James
P.S. Generally Ipchains has been replaced by Iptables.
Re[2]: SSH allow only from selected IP"
am 16.08.2004 15:37:25 von Kev
>
>>I'm definitely not a firewall expert, but isn't it also possible to
>>get around
>>ipchains using IP spoofing? From what I know ipchains is only
>>protected against spoofing by using source address verification.
>>
>>Or am I way off?
>>
>>Luke
>>
>>
>A little off. :) Yes you can spoof iptables but not nearly as easily as
>hosts.allow can be spoofed. hosts.allow's verification procedures are
>considerably less sophisticated than those of iptables.
>
>Regards
>
>James
>
>P.S. Generally ipchains has been replaced by iptables.
I did both, I blocked IPs with iptables and I also configured the SSH daemon
to only allow connections from given IPs.
My server was down like 2-3 times a week due to DDoS attacks or someone
running an attack on my SSH, now the server seems to be running fine.
Oh yeah and I also blocked all ICMP communication and only allowed it from
my IP only :)
VPN question
am 16.08.2004 18:30:37 von Tony Gogoi
Hello,
Right now when we use the VPN each of our computers needs a unique
external IP-address to communicate with the server.
To overcome the problem of having a few external IP addresses,
I was wondering if there's any software that would map all clients'
external IP addresses to one unique IP address and communicate with the
server through another software that would "decrypt" the unique IP address
into individual ones.
Regards,
Tony Gogoi
Re: VPN question
am 16.08.2004 19:29:44 von Adam Lang
Obvious first question is: why is it a problem?
Re: VPN question
am 16.08.2004 20:50:37 von Tony Gogoi
Hi Adam,
I'm not too familiar with VPNs.
But our PCs sit on a LAN behind a firewall. A few PCs are VPN clients.
Right now we have configured our firewall to map VPN clients on the
private LAN to static external IP addresses. The rest of the PCs on the
LAN are mapped to a single IP address. We are running out of external IP
addresses. Was wondering if there was a way out instead of having to buy
more IP addresses.
So, I was wondering if there's a set up that could make our PCs connect
to some sort of VPN server at our end which would act as a gateway to the
actual server located far away.
Regards,
Tony
Re: VPN question
am 16.08.2004 20:59:54 von Adam Lang
Ok, so you are CLIENTS connecting to a VPN server. That whole scenario you
were speaking of is called NAT (private IP addresses are mapped to a single
public IP address. The router/firewall keeps track of the connections).
That is not the problem though. The issue is that some encryption
technologies do not allow the connections to be NATed because your data
packets are "mangled" to achieve this, and the encryption protocol requires
packets to be unmodified so as to verify integrity.
You have two options. The first option is to get the people hosting the VPN
server to change what they are doing into something more NAT friendly (but
loses a level of security) or work with them to set up a VPN server in your
network that builds a connection with their VPN server. Then, you set up
info on your routing tables to route over it. This way, you have a single
VPN connection, and all your clients send data over it.
Re: VPN question
am 17.08.2004 10:51:03 von urgrue
This is all true, but one thing to check before embarking on this
rather large project is whether your VPN falls into this category of
"can't be NATted VPNs" in the first place.
Of the VPN solutions I've used, only IPsec minds if the IPs are NATted,
and if I remember correctly, IPsec minds even if it's a one-to-one NAT.
So I'd suggest you simply configure your router/firewall to NAT all
those internal IPs to the same external IP and see if it works, before
starting to set up a more complicated solution.
Re: VPN question
am 17.08.2004 14:55:44 von Adam Lang
Exactly. The best solution is to just talk to the VPN people and find out
what their setup is. VPN is a broad and vague term and can mean anything.
Re: SSH allow only from selected IP"
am 18.08.2004 12:46:28 von Stephen Samuel
Blocking using iptables is easily the most efficient if you're dealing
with a DDoS situation. It blocks at the kernel, so the opening packet
is never accepted and sshd is never called. Any other solution is
likely to require an open connection and a process to deal with things.
I actually can't find a way to get sshd to only allow certain hosts
by IP address. AllowHosts used to work, but seems to be missing from
the most recent sshd_config format.
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
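The two layers the thread ends up with, as an added example that is not code from any poster: a default-deny iptables ruleset for port 22 built from a list of allowed ranges, the matching sshd-level restriction, and a small first-match simulation of the INPUT chain that shows why the trailing DROP is what actually closes the port. The three ranges are RFC 5737 documentation prefixes standing in for the poster's "3 IP ranges"; the function names, the ranges and the 10.9.8.7 test address are all constructed for this example. The sshd line assumes a modern OpenSSH, where the host part of an AllowUsers pattern may be a CIDR block (the 2004 daemon in the thread predates that).

```python
import ipaddress

# Constructed sample input standing in for the poster's "3 IP ranges":
# RFC 5737 documentation prefixes, not anyone's real address space.
ALLOWED_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
SSH_PORT = 22


def validate_ranges(ranges):
    """Parse each range strictly: a typo such as 192.0.2.5/24 (host bits set)
    raises here instead of quietly becoming a different network in iptables."""
    nets = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=True)
        if net.version != 4:
            raise ValueError("this example handles IPv4 only: %s" % r)
        nets.append(net)
    return nets


def build_rules(ranges, final_drop=True):
    """Ordered INPUT-chain rules as (state, source network, target) tuples.
    Order is what makes the set default-deny: ESTABLISHED/RELATED first so a
    live admin session survives a reload, one ACCEPT per range for NEW
    connections, then a catch-all DROP for the port."""
    rules = [("ESTABLISHED,RELATED", None, "ACCEPT")]
    for net in validate_ranges(ranges):
        rules.append(("NEW", net, "ACCEPT"))
    if final_drop:
        rules.append((None, None, "DROP"))
    return rules


def render_iptables(rules, port=SSH_PORT):
    """Turn the tuples into the iptables commands an admin would type."""
    lines = []
    for state, net, target in rules:
        cmd = ["iptables", "-A", "INPUT", "-p", "tcp", "--dport", str(port)]
        if state:
            cmd += ["-m", "state", "--state", state]
        if net is not None:
            cmd += ["-s", str(net)]
        cmd += ["-j", target]
        lines.append(" ".join(cmd))
    return lines


def render_sshd_config(ranges):
    """Second layer, inside sshd (assumes modern OpenSSH, where the host part
    of an AllowUsers pattern may be a CIDR block). Unlike the kernel filter
    this still accepts the TCP connection and runs the key exchange before
    refusing the login, which is why the iptables rule comes first."""
    patterns = " ".join("*@%s" % net for net in validate_ranges(ranges))
    return ["# Only these source ranges may log in, any user name",
            "AllowUsers " + patterns]


def evaluate(rules, src_ip, state="NEW"):
    """Walk the chain the way the kernel does: the first matching rule wins.
    Returns the target, or 'POLICY' when nothing matched and the chain's
    default policy decides (ACCEPT unless someone changed it, i.e. open)."""
    ip = ipaddress.ip_address(src_ip)
    for rule_state, net, target in rules:
        if rule_state and state not in rule_state.split(","):
            continue
        if net is not None and ip not in net:
            continue
        return target
    return "POLICY"


if __name__ == "__main__":
    rules = build_rules(ALLOWED_RANGES)
    print("\n".join(render_iptables(rules)))
    print("\n".join(render_sshd_config(ALLOWED_RANGES)))
    for ip in ("192.0.2.10", "10.9.8.7"):
        print(ip, "->", evaluate(rules, ip))
    # Without the final DROP the outside address falls through to the policy.
    loose = build_rules(ALLOWED_RANGES, final_drop=False)
    print("10.9.8.7 without DROP ->", evaluate(loose, "10.9.8.7"))
```

Two practitioner notes. Apply a ruleset like this from a session you already have open, with a timed flush queued in a second session, so a mistake in the ranges does not lock you out. And, on the spoofing question raised above: a source filter in front of a TCP service holds up against blind spoofing, because the handshake has to complete from the claimed address; the residual cases are an attacker positioned inside, or on the path to, one of the allowed ranges.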
Re: VPN question
am 20.08.2004 03:42:11 von mhw
On Tue, Aug 17, 2004 at 11:51:03AM +0300, urgrue wrote:
> This is all true, but one thing to check before embarking on this
> rather large project is whether your VPN falls into this category of
> "can't be NATted VPNs" in the first place.
> Of the VPN solutions I've used, only IPsec minds if the IPs are NATted,
> and if I remember correctly, IPsec minds even if it's a one-to-one NAT.
IPSec NAT-T works great over NAT devices (can even be double
NAT'ed) and over firewalls. Even Windows XP supports it. Runs over
UDP port 4500 for both IKE and AH/ESP and few firewalls or NAT devices
even blink.
Simple FreeS/WAN - no
Super FreeS/WAN - yes
StrongSWAN - yes
OpenSWAN - yes
KAME - yes
Raccoon - YES!
2.4.x kernel with KLIPS - qualified yes (anything other than simple FS)
2.4.x kernel with IPSec Backport - yes
2.6 kernel - absolutely
All of the above "yes" interoperate (as well as they do without NAT-T)
IPv4 - Yes
IPv6 - No (think about it, why would you need it?)
> So I'd suggest you simply configure your router/firewall to NAT all
> those internal IPs to the same external IP and see if it works, before
> starting to set up a more complicated solution.
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
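A toy model of the two points made above, Adam's (NAT "mangles" the packet and the integrity check then fails) and Mike's (NAT-T survives because the protected part is wrapped in UDP), as an added example that is not code from the thread. This is not real IPsec: the "ICV" is an HMAC-SHA256 over a simplified header, and the key, the private and public addresses, the port numbers and the payload are all constructed for the example. The AH-style variant puts the IP addresses under the MAC, so even a one-to-one NAT that changes nothing but the source address breaks it, which matches urgrue's recollection; the NAT-T-style variant leaves the outer IP/UDP header out of the MAC, so a masquerading router may rewrite both address and port and the receiver still verifies.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed for the example: a shared integrity key that the two VPN
# endpoints hold and the NAT router does not.
KEY = b"example-integrity-key-not-real"


@dataclass(frozen=True)
class Packet:
    src: str        # outer IP source address
    dst: str        # outer IP destination address
    sport: int      # outer UDP source port (meaningful for the NAT-T case)
    payload: bytes  # the protected data (for ESP: the encrypted inner packet)
    icv: bytes = b""


def _addrs(pkt):
    """The immutable IP header fields this model covers: both addresses."""
    return (ipaddress.ip_address(pkt.src).packed
            + ipaddress.ip_address(pkt.dst).packed)


def _mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()


def ah_sign(pkt):
    """AH-style: the ICV covers the immutable IP header fields (including
    source and destination address) plus the payload."""
    return replace(pkt, icv=_mac(_addrs(pkt) + pkt.payload))


def ah_verify(pkt):
    return hmac.compare_digest(pkt.icv, _mac(_addrs(pkt) + pkt.payload))


def natt_sign(pkt):
    """NAT-T style (ESP in UDP/4500): the ICV covers only the ESP part,
    here the payload. The outer IP and UDP headers are deliberately not
    covered, because they are exactly what a NAT rewrites."""
    return replace(pkt, icv=_mac(pkt.payload))


def natt_verify(pkt):
    return hmac.compare_digest(pkt.icv, _mac(pkt.payload))


def nat(pkt, public_ip, new_sport=None):
    """What the router does: rewrite the private source address and, for
    many-to-one NAT, the source port. It cannot repair the ICV: no KEY."""
    return replace(pkt, src=public_ip,
                   sport=pkt.sport if new_sport is None else new_sport)


def demo():
    """Run the three cases and return which of them still verify."""
    # Constructed: a client on a private LAN talking to a public VPN server.
    inner = Packet("10.0.0.5", "203.0.113.1", 4500, b"constructed payload")
    return {
        "ah_direct": ah_verify(ah_sign(inner)),
        # One-to-one NAT: only the address changes, AH still fails.
        "ah_1to1_nat": ah_verify(nat(ah_sign(inner), "198.51.100.7")),
        # Many-to-one NAT: address and port change, NAT-T still verifies.
        "natt_masq": natt_verify(
            nat(natt_sign(inner), "198.51.100.7", 40001)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "verifies" if ok else "FAILS")
```

The model shows the integrity half of the story. The other half, which is why real ESP also needed the UDP wrapper even though its ICV never covered the outer header, is that raw ESP (IP protocol 50) carries no port numbers, so a many-to-one NAT has nothing to tell several inside clients apart by; UDP/4500 gives it that, which is the "can even be double NAT'ed" in Mike's message.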