I do leave SSH ports open on my box, but I go for the approach of blocking all IPs in hosts.deny and then opening the ranges I am likely to need in hosts.allow. One of the ranges is my mobile operator, so I can always get in to tweak the ranges if I need access from somewhere I haven't thought of.

Phil
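
An added example, not part of the post above: a small Python model of the TCP Wrappers decision order behind this setup (hosts.allow first, then hosts.deny, otherwise allow). It assumes IPv4 only and handles just the `ALL`, trailing-dot prefix and net/mask client patterns; the file contents and address ranges are constructed.

```python
import ipaddress
import re

# Constructed sample files; all ranges are documentation addresses.
HOSTS_ALLOW = """\
# home range (constructed)
sshd: 192.0.2.0/255.255.255.0
# mobile operator range (constructed)
sshd: 198.51.100.0/255.255.255.128, 203.0.113.
"""
HOSTS_DENY = "sshd: ALL\n"


def parse_rules(text):
    """Yield (daemons, clients) lists from 'daemon_list : client_list' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Any option field after a second ':' is ignored in this model.
        daemons, clients = line.split(":")[:2]
        yield re.split(r"[\s,]+", daemons.strip()), re.split(r"[\s,]+", clients.strip())


def client_matches(pattern, addr):
    """Match one IPv4 client pattern: ALL, trailing-dot prefix, net/mask, or exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr


def rule_hit(text, daemon, addr):
    """True if any rule in the file text names this daemon and matches this client."""
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(p, addr) for p in clients)
        for daemons, clients in parse_rules(text)
    )


def allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match in either grants access."""
    if rule_hit(allow_text, daemon, addr):
        return True
    return not rule_hit(deny_text, daemon, addr)
```

These files only take effect for an sshd built with TCP Wrappers support; calling `allowed("sshd", addr, deny_text="")` shows that without the deny-all line every unlisted address is let through.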