On Wed, Mar 26, 2008, jd wrote:
>
>
>On Wed, 26 Mar 2008, Nico Kadel-Garcia wrote:
>
>> On 25 Mar, 09:12, Rob <r...@nothere.com> wrote:
>>
>>> Steve,
>>>
>>> what about using tcp_wrappers to perform a "route delete" on the offending IP?
>>>
>>> If memory serves, there was a porting of tcp_wrapper for SCO OS5 on a TLS076a
>>> on the FTP site:
>>>
>>> ftp://ftp.sco.com/pub/TLS/tls076a.tcp_wrappers.tar.Z
>>>
>>> Hope this helps!
>>
>> If our faithful here only needs SSH access from a small set of well-
>> maintained sites, that might work well. However, if he has clients who
>> use NAT on their ISP networks (such as AOL, which uses 10.* internal
>> addresses), then the tcp_wrapper will block the NAT and everything
>> behind the NAT server.

We use tcp_wrappers extensively, and absolutely require it when
allowing username/password authentication via SSH. Normally we
only permit authentication via authorized_keys, with good pass
phrases, with tcp_wrappers not restricting sshd access (it's used
for many other services).

>Then perhaps a VPN (such as OpenVPN) is a more appropriate solution for
>remote access, instead of SSH (although SSH can be used over the VPN).

OpenVPN is great -- unless one has high packet loss as it
normally runs with UDP. I particularly like it for Windows users
as it doesn't require that they think much to use it. We
generate a zip file with the configuration files and keys that
they can just drop in the correct place.

Bill
--
INTERNET: bill@celestial.com
URL: http://www.celestial.com/
Bill Campbell; Celestial Software LLC
PO Box 820; 6641 E. Mercer Way
Mercer Island, WA 98040-0820; (206) 236-1676
FAX: (206) 232-9186

Those who cast the vote decide nothing.
Those who count the vote decide everything. (Joseph Stalin)