TCP wrapper "except" option

You are perhaps assuming there is an implicit "default deny": there is not.

ALL EXCEPT 192.168.122.1 simply does not apply to host 192.168.122.1, so subsequent entries are checked.

Assuming you do not have an ancient tcpwrappers (i.e. it supports and was built with -DHOSTS_ACCESS) you should really only use hosts.allow:

sshd: 192.168.122.1 : DENY
sshd: ALL : ALLOW

(Note that default allow is bad practise of course)

Tags:

Linux

Security

Ssh

Tcp Wrappers

Recent Posts