Can someone explain how I can block these attempts to negotiate ssh session from the outside of my LAN? That is, I read "connection refused" in the following log (/var/log/messages), but only from the second attempt. What can we say about the first one from 62.211.51.30? It seems to have been accepted because I don't read any "connection refused". In any case my firewall ACCEPT these connection that I want to block. Is "connection refused" the answer from TCPWrapper? And why just on the second attempt? I would like to append a rule is SuSE-Firewall2 to block this attempts. I would appreciate any help, thank you. Fabio De Francesco Feb 22 20:33:00 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.211.51.30 DST=xx.xx.xx.xx LEN=40 TOS=0x10 PREC=0x00 TTL=119 ID=47416 PROTO=TCP SPT=63147 DPT=22 WINDOW=53672 RES=0x00 SYN URGP=0 Feb 22 20:33:01 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55846 DF PROTO=TCP SPT=3372 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) Feb 22 20:33:02 myhost sshd[4686]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114) Feb 22 20:33:06 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55854 DF PROTO=TCP SPT=3373 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) Feb 22 20:33:07 myhost sshd[4687]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114) Feb 22 20:33:12 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55872 DF PROTO=TCP SPT=3374 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) Feb 22 20:33:12 myhost sshd[4688]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)