On Tue, Jul 22, 2008, D Steward wrote: >On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote: >> When using denyhosts, you'll want to keep your IP's in hosts.allow so even if you're "banned" you can still get access. :-) > >Yup. >Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter >various subnets to stay safe. :( If you do not allow password authentication and use good pass phrases on your identity, the only thing really gained by restricting on IP ranges is restricting the number of reject messages in your log files. The fail2ban program does a nice job of limiting the number of rejection messages in the logs. Another possibility is to set up OpenVPN on your system, which authenticates on ssl certificates and works nicely even from dynamic IPs behind NAT. Then you can ssh into the private LAN behind your firewall via OpenVPN. Bill -- INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way Voice: (206) 236-1676 Mercer Island, WA 98040-0820 Fax: (206) 232-9186 Foreign aid might be defined as a transfer from poor people in rich countries to rich people in poor countries -- Douglas Casey