
We have used tcp_wrappers for many years; it has allowed an extra level of protection by only allowing sshd connections matching a hostname pattern. Simplified example:

# hosts.deny    This file describes the names of the hosts which are *not* allowed to use the local INET services, as decided by the '/usr/sbin/tcpd' server.
sshd:ALL
imap:ALL

# hosts.allow   This file describes the names of the hosts which are allowed to use the local INET services, as decided by the '/usr/sbin/tcpd' server.
#
ALL: LOCAL,127.0.0.1,192.168.0.0/255.255.0.0,123.45.67.0/255.255.255.0,.foobar.com,.region.isp.com

Is it possible to allow access based on hostname patterns with firewalld or some other Rocky 8/9 tool? tcp_wrappers is extremely simple to configure and very flexible in allowing hostname patterns.

sshd_config has a Match parameter; however, it seems that still allows the connection to open (and warns me of failed login attempts). I would prefer it to appear closed so as not to entice future crawlers.

Stickley
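The following is an added example, not code from the question or from any Rocky/firewalld project. It translates the address entries of the hosts.allow line above into firewalld rich rules for sshd: each network gets an accept rule with a negative priority (evaluated before the zone's ordinary service rules) and a single positive-priority drop rule swallows every other SSH SYN, so unlisted clients get no reply at all rather than sshd's banner. It assumes firewalld 0.7 or later (rich-rule priorities) and the public zone; the zone name and the decision to drop rather than reject are assumptions. The hostname patterns (.foobar.com, .region.isp.com) and the LOCAL wildcard are deliberately reported instead of translated: tcp_wrappers matched them by reverse-resolving the client address after the TCP handshake, and a packet filter has no name to match on, so that part of the old policy cannot be carried over to firewalld.

```bash
#!/bin/sh
# Added example: derive firewalld rich rules for sshd from a tcp_wrappers
# hosts.allow client list. IPv4 only; IPv6 entries are reported as untranslatable.

# Constructed input: the client list from the hosts.allow line in the question.
ALLOW_LIST='LOCAL,127.0.0.1,192.168.0.0/255.255.0.0,123.45.67.0/255.255.255.0,.foobar.com,.region.isp.com'
ZONE="${ZONE:-public}"   # assumption: sshd is reachable through the public zone

is_ipv4() {
    # True when $1 is four dotted decimal octets, each in 0..255.
    local rest="$1." count=0 octet
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"; rest="${rest#*.}"
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

mask_to_prefix() {
    # Convert a dotted netmask (255.255.0.0) to a prefix length (16).
    # Rejects non-contiguous masks such as 255.0.255.0, which tcp_wrappers
    # accepts but CIDR cannot express.
    local rest="$1." m=0 inv z=0 octet
    is_ipv4 "$1" || return 1
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"; rest="${rest#*.}"
        m=$((m * 256 + octet))
    done
    inv=$(( ~m & 4294967295 ))             # host bits of the mask
    [ $(( inv & (inv + 1) )) -eq 0 ] || return 1   # contiguous only if inv is 2^n - 1
    while [ "$inv" -gt 0 ]; do inv=$((inv >> 1)); z=$((z + 1)); done
    echo $((32 - z))
}

tcpw_to_cidr() {
    # Translate one hosts.allow client entry to CIDR. Returns 1 for anything a
    # packet filter cannot express: hostname suffixes, LOCAL, IPv6, bad masks.
    local entry="$1" net mask prefix
    case "$entry" in
        */*)
            net="${entry%%/*}"; mask="${entry#*/}"
            is_ipv4 "$net" || return 1
            case "$mask" in
                *.*) prefix="$(mask_to_prefix "$mask")" || return 1 ;;   # n.n.n.n/m.m.m.m
                *)   case "$mask" in ''|*[!0-9]*) return 1 ;; esac       # n.n.n.n/len
                     [ "$mask" -le 32 ] || return 1
                     prefix="$mask" ;;
            esac
            printf '%s/%s\n' "$net" "$prefix" ;;
        *)
            is_ipv4 "$entry" || return 1
            printf '%s/32\n' "$entry" ;;
    esac
}

firewalld_commands() {
    # Print the firewall-cmd lines for zone $1 from client list $2.
    # The ssh service is removed from the zone first; otherwise the plain
    # service rule would accept every client before the drop rule is reached.
    local zone="$1" list="$2," entry cidr
    printf 'firewall-cmd --permanent --zone=%s --remove-service=ssh\n' "$zone"
    while [ -n "$list" ]; do
        entry="${list%%,*}"; list="${list#*,}"
        cidr="$(tcpw_to_cidr "$entry")" || continue
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" priority=\"-100\" source address=\"%s\" service name=\"ssh\" accept'\n" "$zone" "$cidr"
    done
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" priority=\"100\" service name=\"ssh\" drop'\n" "$zone"
    echo 'firewall-cmd --reload'
}

untranslatable_entries() {
    # Print the entries from client list $1 that need a different control.
    local list="$1," entry
    while [ -n "$list" ]; do
        entry="${list%%,*}"; list="${list#*,}"
        tcpw_to_cidr "$entry" >/dev/null 2>&1 || echo "$entry"
    done
}

echo "# firewalld equivalent of the address entries:"
firewalld_commands "$ZONE" "$ALLOW_LIST"
echo "# entries with no packet-filter equivalent (reverse-DNS matching):"
untranslatable_entries "$ALLOW_LIST"
```

Run it as a normal user to review the generated commands, then execute them as root. The negative priority matters: with priority 0, firewalld evaluates rich rules in log, deny, allow order, so a drop rule for ssh would win over the accept rules; with -100 and 100 the accepts sit in the zone's pre chain and the drop in its post chain. After the reload, `nmap -p 22` from an unlisted address should report the port as filtered instead of open.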

0 Answers