Configuring access control with whitelists and TCP Wrappers
We’ve already locked things down pretty well just by requiring that clients authenticate via key exchange, rather than by username and password. When we prohibit password authentication, the bad guys can do brute-force password attacks against us until the cows come home, and it won’t do them any good. (Although, in truth, they’ll just give up as soon as they find that password authentication has been disabled.) For an extra measure of security, we can also set up a couple of access control mechanisms that will allow only certain users, groups, or client machines to log in to an SSH server. These two mechanisms are:
- Whitelists within the
sshd_configfile - TCP Wrappers, via the
/etc/hosts.allowand/etc/hosts.denyfiles
Okay, you’re now saying, But what about firewalls? Isn’t that a third mechanism that we can use? And yeah, you’re right. But, we already covered...
