- 02-11-2012 #1
hosts.allow vs hosts.deny
I have SSH connections allowed only for specific IPs at the router, i.e. all requests for port 22 are blocked except that 2 custom services on the router allow SSH from my home and a software vendor's office. Both addresses are in hosts.allow for sshd. If one of these addresses were in hosts.deny, which file would control access?
- 02-12-2012 #2
I believe allow is read before deny. You should be able to google this.
I prefer to use iptables for this.
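The order the reply describes can be checked concretely. The following is an added example, not code from the thread or from TCP Wrappers itself: it simulates the hosts_access(5) decision in a few lines of Python so the original poster's scenario (an address present in both files) can be tried out. The sample hosts.allow and hosts.deny contents, the addresses and the daemon name are constructed, and only a subset of the client-pattern syntax is implemented (ALL, an exact address, a trailing-dot prefix such as `203.0.113.`, net/mask, and the EXCEPT operator).

```python
"""Simulate the TCP Wrappers (hosts_access(5)) decision order.

Added, constructed example: /etc/hosts.allow is consulted first, then
/etc/hosts.deny, and the first matching entry wins. No match in either
file means access is granted. Only a subset of the pattern syntax is
handled here (ALL, exact address, trailing-dot prefix, net/mask, EXCEPT).
"""
import ipaddress

# Constructed sample files for the scenario in the thread: two admin addresses
# are allowed for sshd, and one of them is *also* listed in hosts.deny.
HOSTS_ALLOW = """
# home address and the software vendor's office (constructed values)
sshd: 203.0.113.10 198.51.100.20
"""

HOSTS_DENY = """
sshd: 203.0.113.10   # same address as in hosts.allow: this entry is never reached
sshd: ALL
"""


def _client_matches(pattern: str, client: str) -> bool:
    """Match one client pattern against a dotted-quad client address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # prefix form, e.g. "203.0.113."
        return client.startswith(pattern)
    if "/" in pattern:                              # net/mask form, e.g. "203.0.113.0/255.255.255.0"
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == client


def _daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def _list_matches(field: str, value: str, matcher) -> bool:
    """Evaluate 'a b EXCEPT c' lists: the left part must match and the right part must not."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        included, excluded = tokens[:i], tokens[i + 1:]
    else:
        included, excluded = tokens, []
    return any(matcher(p, value) for p in included) and not any(matcher(p, value) for p in excluded)


def parse_rules(text: str):
    """Return (daemon_list, client_list) pairs; comments, blank lines and the optional command field are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0], fields[1]))
    return rules


def _first_match(rules, daemon: str, client: str):
    for idx, (daemons, clients) in enumerate(rules):
        if _list_matches(daemons, daemon, _daemon_matches) and _list_matches(clients, client, _client_matches):
            return idx
    return None


def check_access(allow_text: str, deny_text: str, daemon: str, client: str):
    """Return (decision, reason) following the hosts_access(5) search order."""
    idx = _first_match(parse_rules(allow_text), daemon, client)
    if idx is not None:
        return "granted", f"hosts.allow entry {idx + 1}"
    idx = _first_match(parse_rules(deny_text), daemon, client)
    if idx is not None:
        return "denied", f"hosts.deny entry {idx + 1}"
    return "granted", "no match in either file (default allow)"


if __name__ == "__main__":
    for client in ("203.0.113.10", "198.51.100.20", "192.0.2.7"):
        print(client, *check_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", client))
```

Two points the simulation makes visible: an address that appears in hosts.allow is granted before hosts.deny is ever read, and if hosts.deny has no catch-all `ALL` entry, an address missing from both files is still granted. That default-allow behaviour is why a `sshd: ALL` line in hosts.deny is needed for the allow list to act as a whitelist at all.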
- 02-13-2012 #3
I generally dislike those setups. If, by any chance, IP addresses change (new ISP?) and somebody forgets to update the configuration (or notices the change later, or is informed by the ISP too late, or simply forgets that specific host), you have successfully firewalled yourself out of your administrator domain.

There is at least one smarter way to secure SSH against brute-force attacks that I know about: fail2ban.
It will monitor the SSH log files for failed login attempts and, after hitting a threshold (e.g. 3 times), it will firewall the source for 15 minutes.
Of course that helps only if you use one super-strong credential that can't be guessed and multiple SSH keys (my favorite) for employees that shouldn't know the super-strong master credential (and of course are not allowed to change it).
Cheers
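The threshold-and-ban logic the last reply describes is easy to reproduce over a few log lines. The following is an added example, not part of the thread and not fail2ban's own code: a small Python sketch of the same idea, counting sshd "Failed password" events per source address inside a sliding window (fail2ban's `findtime`), and recording a 15-minute ban once a source reaches 3 failures (`maxretry` and `bantime`). The log lines, host name, addresses and the year used for the timestamps are constructed; real fail2ban additionally inserts a firewall rule, which this sketch only records as a decision.

```python
"""Sketch of fail2ban-style detection over sshd log lines.

Added, constructed example: it is not fail2ban's code. It counts
"Failed password" events per source address in a sliding window and
records a ban once the retry threshold is reached. Accepted logins and
failures that arrive while a source is already banned are ignored.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt in the traditional syslog format (no year).
SAMPLE_LOG = """\
Feb 12 10:00:01 gw sshd[2101]: Failed password for root from 192.0.2.7 port 51234 ssh2
Feb 12 10:00:04 gw sshd[2101]: Failed password for root from 192.0.2.7 port 51234 ssh2
Feb 12 10:00:09 gw sshd[2103]: Failed password for invalid user admin from 192.0.2.7 port 51240 ssh2
Feb 12 10:00:12 gw sshd[2105]: Accepted publickey for deploy from 203.0.113.10 port 40100 ssh2
Feb 12 10:01:30 gw sshd[2107]: Failed password for deploy from 203.0.113.10 port 40102 ssh2
Feb 12 10:05:00 gw sshd[2108]: Failed password for root from 192.0.2.7 port 51250 ssh2
Feb 12 10:30:00 gw sshd[2109]: Failed password for deploy from 203.0.113.10 port 40104 ssh2
Feb 12 10:31:00 gw sshd[2111]: Failed password for deploy from 203.0.113.10 port 40106 ssh2
"""

# Matches the timestamp and the source address of a failed password attempt.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def parse_failures(lines, year=2012):
    """Yield (timestamp, source_ip) for each failed-password line; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is assumed (constructed: 2012)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2)


def compute_bans(lines, maxretry=3, findtime=timedelta(minutes=10), bantime=timedelta(minutes=15)):
    """Return a list of (ip, ban_start, ban_end) tuples in the order bans were triggered."""
    recent = defaultdict(deque)   # per-source failure timestamps inside the window
    banned_until = {}             # source -> time the ban expires
    bans = []
    for ts, ip in parse_failures(lines):
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already firewalled: the attempt would not reach sshd
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in compute_bans(SAMPLE_LOG.splitlines()):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the constructed log, 192.0.2.7 is banned at 10:00:09 after its third failure in eight seconds, and its fourth attempt at 10:05:00 is ignored because the ban is still active. 203.0.113.10 fails three times in total but never three times inside the ten-minute window, so it is not banned; that is the role of `findtime`, which keeps an occasional typo by a legitimate user from locking the user out.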