# Securing SSH



## Software Info (Oct 2, 2022)

Hi All,
I am trying to secure my SSH server, restricting by country. I am using a script that gives a different exit status depending on whether or not there is an allow or deny. The instruction says I should use `SSHD : ALL : aclexec /path/to/my/script` in the `hosts.allow` file. This isn't working. It seems it isn't supported. Does FreeBSD have anything similar or a patch that allows the aclexec option? Thanks for any assistance.


----------



## cmoerz (Oct 2, 2022)

Which instructions are you referring to?

From what I can gather from hosts_access(5), there is no aclexec option. Then again, that file seems to support domain wildcards, which should address what you're attempting to do, doesn't it?


----------



## Software Info (Oct 3, 2022)

It may to a very limited extent, but since I want to block an entire country or countries, I don't think domain wildcards would suffice.


----------



## im (Oct 5, 2022)

Try to use a firewall for blocking something "by country".
There was a thread, "ipfw ruleset to block an entire country": Good ipfw ruleset to block an entire country? (forums.FreeBSD.org)

Example of how to block some country with ipfw: Good ipfw ruleset to block an entire country? (forums.FreeBSD.org)

----------



## Software Info (Oct 17, 2022)

I found a solution for this. I edited the script to add the offending IPs to a PF Firewall table instead. It does what I want now. Not sure if anyone else would need to do something like this but I can post the script if anyone needs it. Thanks so much for the replies though.


----------
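One way the approach described in the post above could look, as an added example that is not the poster's script: match a connecting address against per-country CIDR lists and build the `pfctl` table-add command for anything outside the allowed set. The table name `ssh_geoblock`, the country codes, the CIDR data (documentation ranges) and the `block_unknown` policy switch are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: documentation-only ranges stand in for real
# per-country CIDR lists; the country codes are placeholders.
SAMPLE_COUNTRY_CIDRS = {
    "AA": ["192.0.2.0/24", "2001:db8:aa::/48"],
    "BB": ["198.51.100.0/24"],
    "CC": ["203.0.113.0/24"],
}
PF_TABLE = "ssh_geoblock"  # hypothetical table name
# Assumed pf.conf counterpart:
#   table <ssh_geoblock> persist
#   block in quick proto tcp from <ssh_geoblock> to any port ssh


def build_index(country_cidrs):
    """Parse CIDR strings once into (network, country) pairs."""
    index = [
        (ipaddress.ip_network(cidr, strict=True), country)
        for country, cidrs in country_cidrs.items()
        for cidr in cidrs
    ]
    # Longest prefix first, so the most specific entry wins on overlap.
    index.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return index


def lookup_country(index, addr):
    """Return the country code for addr, or None if no range matches."""
    ip = ipaddress.ip_address(addr)  # ValueError on anything but an IP
    for net, country in index:
        if ip.version == net.version and ip in net:
            return country
    return None


def pf_block_command(index, addr, allowed, table=PF_TABLE, block_unknown=False):
    """Return the pfctl argv that adds addr to the table, or None if allowed.

    The address is parsed and re-serialised before it reaches the command,
    and the result is an argv list (no shell), so text taken from a log
    line cannot smuggle in extra arguments.
    """
    ip = ipaddress.ip_address(addr)
    country = lookup_country(index, addr)
    if country in allowed or (country is None and not block_unknown):
        return None
    return ["pfctl", "-t", table, "-T", "add", str(ip)]
```

The returned list can be handed to `subprocess.run(argv, check=True)` by a process with permission to modify PF tables; whether unmatched addresses are allowed or blocked is a policy choice made through `block_unknown`.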



## Alucn (Nov 3, 2022)

Software Info said:


> I found a solution for this. I edited the script to add the offending IPs to a PF Firewall table instead. It does what I want now. Not sure if anyone else would need to do something like this but I can post the script if anyone needs it. Thanks so much for the replies though.


Thanks for sharing!


----------

