For xinetd services, that is what /etc/hosts.deny and /etc/hosts.allow do. Some services include the tcp_wrappers library on their own and have similar configuration options.
Also look at the manpage for xinetd.conf. The "only_from" entry can contain a list of IP addresses.
For ssh, using "AllowUsers" is a good idea because this will also reject attempts against system accounts. The entries can have the form "user@host", which means local-user @ remote-host. (See PATTERNS in the ssh_config man page.) You could simply use an IP address for the host, or include these hosts in /etc/hosts if they aren't DNS resolvable. I think that this would work for key-based authentication as well, because a known_hosts entry would contain the hostname or IP address.
You don't want to only use IP addresses for authentication. The users should also need to enter their username & password or passphrase.
Besides spoofing, imagine if a site has several users behind a NAT router. Each user will have the same IP address out on the internet.
Last edited by jschiwal; 02-14-2008 at 12:40 AM.
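The two access-control layers described in the post, tcp_wrappers (hosts.allow / hosts.deny) and sshd's AllowUsers with user@host entries, are easy to misconfigure because each has its own evaluation order and pattern syntax. The following is an added example, not code from the post or from OpenSSH or tcp_wrappers: a simplified Python model of both checks that you can run against constructed rules to confirm what a given client would be granted. The AllowUsers model implements the PATTERNS rules from ssh_config(5) (`*` and `?` wildcards, comma-separated lists, `!` negation), with the host part of an entry tested against both the client hostname and its address; CIDR address lists and the LOCAL/KNOWN keywords of hosts_access(5) are deliberately not modelled. All rule lines and client values below are constructed sample data.

```python
import re


def _pattern_to_regex(pattern):
    """Translate an OpenSSH-style pattern, where only '*' and '?' are
    wildcards (no character classes), into an anchored regex."""
    out = ""
    for ch in pattern:
        if ch == "*":
            out += ".*"
        elif ch == "?":
            out += "."
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$")


def match_pattern_list(value, pattern_list):
    """PATTERNS semantics from ssh_config(5): comma-separated patterns, '!'
    negates. A negated match rejects immediately (-1); a positive match is
    remembered (1) but later negations can still override; no match is 0."""
    got_positive = 0
    for raw in pattern_list.split(","):
        negated = raw.startswith("!")
        pat = raw[1:] if negated else raw
        if _pattern_to_regex(pat).match(value):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def allow_users_permits(allow_users, user, host, addr):
    """Simplified model of sshd's AllowUsers: each entry is USER or USER@HOST.
    USER is matched against the login name; HOST against the client's
    hostname or its IP address. Login is allowed if any entry matches."""
    for entry in allow_users:
        if "@" in entry:
            user_pat, host_pat = entry.split("@", 1)
            host_ok = (match_pattern_list(host, host_pat) == 1
                       or match_pattern_list(addr, host_pat) == 1)
            if match_pattern_list(user, user_pat) == 1 and host_ok:
                return True
        elif match_pattern_list(user, entry) == 1:
            return True
    return False


def _client_matches(token, client_ip):
    """hosts_access(5) client tokens modelled here: ALL, an exact address,
    or a network prefix written with a trailing dot (e.g. '192.168.1.')."""
    if token == "ALL":
        return True
    if token.endswith("."):
        return client_ip.startswith(token)
    return token == client_ip


def _rule_matches(rule, daemon, client_ip):
    """Evaluate one 'daemon_list : client_list' line, honouring EXCEPT in the
    client list. Comments and blank lines never match."""
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return False
    daemons, clients = [part.strip() for part in rule.split(":", 1)]
    daemon_list = daemons.split()
    if daemon not in daemon_list and "ALL" not in daemon_list:
        return False
    if " EXCEPT " in clients:
        included, excluded = clients.split(" EXCEPT ", 1)
    else:
        included, excluded = clients, ""
    ok = any(_client_matches(t, client_ip) for t in included.split())
    bad = any(_client_matches(t, client_ip) for t in excluded.split())
    return ok and not bad


def tcp_wrappers_permits(daemon, client_ip, hosts_allow, hosts_deny):
    """Evaluation order from hosts_access(5): the first matching line in
    hosts.allow grants; otherwise the first matching line in hosts.deny
    refuses; otherwise access is granted (the default is permissive, which
    is why a final 'ALL: ALL' in hosts.deny matters)."""
    if any(_rule_matches(r, daemon, client_ip) for r in hosts_allow):
        return True
    if any(_rule_matches(r, daemon, client_ip) for r in hosts_deny):
        return False
    return True


# Constructed sample rules (not from any real host).
HOSTS_ALLOW = ["# management subnet only", "sshd: 192.168.1.",
               "in.ftpd: ALL EXCEPT 203.0.113."]
HOSTS_DENY = ["ALL: ALL"]
ALLOW_USERS = ["alice@192.168.1.10", "bob@*.example.org,!dev.*", "carol"]

if __name__ == "__main__":
    print(tcp_wrappers_permits("sshd", "192.168.1.22", HOSTS_ALLOW, HOSTS_DENY))
    print(allow_users_permits(ALLOW_USERS, "bob", "dev.example.org", "203.0.113.7"))
```

Note the last AllowUsers entry, "carol" without a host part, which lets that user in from anywhere: exactly the case the post warns about, where the IP restriction is a supplement to, not a replacement for, the password or key check.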