From: Ian Rawlings on 18 Jan 2006 04:41
On 2006-01-17, Nix <nix-razor-pit(a)esperi.org.uk> wrote:
> I sometimes find it useful to reset the router without resetting the
> whole machine.
I use a dedicated firewall machine to hold the ADSL card; in essence
it's a router, but one that runs Gentoo. An old, slow machine is
enough; mine is a P2 300MHz, which is quick enough to do the job while
also being the place I run any nmap processes when working. I use
SNMPv3 to monitor it, but haven't gotten around to really sorting the
firewalling out yet, it just uses NAT to secure the network at the
Blast off and strike the evil Bydo empire!
From: Martin Gregorie on 22 Jan 2006 15:14
I said I'd wring out the business of restricting access to remote logins
via sshd and report back. This is the report.
The short answer is that using hosts.allow and hosts.deny is the only
way to restrict access to sshd by an arbitrary client.
After proving that the hosts.* files do the job and setting them to
reject all access from computers outside my internal domain, I put
public keys from one of them in /etc/ssh/ssh_known_hosts and tried
logging in from that and another computer in the domain. Both were able
to log in.
The description in the sshd manpage for /etc/ssh/shosts.equiv says that
computers listed in this file can't log in as root and will *usually* be
checked against the public keys list, so I did some tests. Hosts with
every possible combination of the presence or absence of its entry in
/etc/ssh/shosts.equiv and /etc/ssh/ssh_known_hosts were able to log in
via ssh as a normal user or as root. In summary, I don't know what these
files are meant to do but whatever it is they don't do it.
Apologies to those who tried to tell me that earlier. I remain baffled
as to why sshd would remotely care about /etc/ssh_known_hosts.
martin@ | Martin Gregorie
org | Zappa fan & glider pilot
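The hosts.allow / hosts.deny restriction described in the post above depends on the evaluation order defined in hosts_access(5): a client that matches a rule in hosts.allow is admitted, one that matches a rule in hosts.deny is refused, and a client matching neither file is admitted by default. The following is an added example, not code from the original thread, that models that decision for the subset of patterns most people use (ALL, a dotted net/mask or CIDR, a "192.168.1." network prefix, a ".domain" suffix and a literal address or hostname); EXCEPT lists, KNOWN/UNKNOWN/PARANOID and the shell-command options are deliberately left out. The two sample files are constructed for the example, and the decision is only meaningful for an sshd built with libwrap (OpenSSH removed tcp_wrappers support in 6.7, so on a current system the equivalent control is a Match Address / AllowUsers block in sshd_config).

```python
import ipaddress

# Constructed sample files standing in for /etc/hosts.allow and /etc/hosts.deny.
# The deny file ends with a catch-all so that anything not explicitly allowed
# is refused; without that last line tcp_wrappers falls through to ALLOW.
HOSTS_ALLOW = """
# internal LAN, the internal DNS domain, and one trusted host
sshd: 192.168.1.0/255.255.255.0, .internal.example, 10.0.0.5
"""

HOSTS_DENY = """
sshd: ALL
ALL: ALL
"""


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns), ...], one tuple per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr, hostname):
    """Simplified hosts_access(5) client matching (no EXCEPT, no KNOWN/UNKNOWN)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                      # ".internal.example": domain suffix
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):                        # "192.168.1.": textual address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                               # "net/mask" or "net/prefixlen"
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern == addr or (hostname is not None and pattern == hostname)


def rule_matches(rule, daemon, addr, hostname):
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients = rule
    if not any(d == "ALL" or d == daemon for d in daemons):
        return False
    return any(client_matches(c, addr, hostname) for c in clients)


def hosts_access(daemon, addr, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: hosts.allow first, then hosts.deny, else ALLOW."""
    if any(rule_matches(r, daemon, addr, hostname) for r in parse_access_file(allow)):
        return True
    if any(rule_matches(r, daemon, addr, hostname) for r in parse_access_file(deny)):
        return False
    return True   # no rule in either file matched: tcp_wrappers grants access


if __name__ == "__main__":
    for who in [("sshd", "192.168.1.42", None),
                ("sshd", "10.0.0.6", "box.internal.example"),
                ("sshd", "203.0.113.7", None)]:
        print(who, "ALLOW" if hosts_access(*who) else "DENY")
    # The trap: with an empty hosts.deny the outside host is let straight in.
    print("no deny file:", hosts_access("sshd", "203.0.113.7", allow=HOSTS_ALLOW, deny=""))
```

The last call is the one worth checking on a real box: because the default outcome is ALLOW, a hosts.allow that lists the internal domain restricts nothing unless hosts.deny also carries a catch-all such as "sshd: ALL". Also remember that the ".internal.example" form relies on the reverse DNS of the connecting address, so a host whose PTR record is controlled by an attacker can satisfy it.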