Yes, you simply configure tcp wrappers via the hosts.allow and hosts.deny files. The syntax is very simple.
The typical setup is to deny access to everyone listed in the /etc/hosts.deny file. (This example shows both ssh1 and ssh2.)
sshd1: ALL
sshd2: ALL
sshdfwd-X11 : ALL
or simply
ALL: ALL
And then allow access only to trusted clients in the /etc/hosts.allow:
sshd1 : trusted_client_IP_or_hostname
sshd2 : .ssh.com foo.bar.fi
sshdfwd-X11 : .ssh.com foo.bar.fi
Based on the /etc/hosts.allow file above, users coming from any host in the ssh.com domain or from the host foo.bar.fi are allowed to access services.
Note that wrappers work for not just ssh, but any tcp service that is running and accepting connections. So be sure that you understand the syntax in that it's daemon : host. This means that if you do something like ALL : ALL it means all tcp services are impacted (well, all local INET services defined by tcpd), not just ssh.
Reply With Quote