LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices



Reply
 
Search this Thread
Old 12-31-2007, 05:58 PM   #1
hocheetiong
Member
 
Registered: Jul 2007
Location: Penang , Malaysia.
Distribution: red hat linux
Posts: 133

Rep: Reputation: 15
Smile how to configure SSH to allow or deny specify host(ip address).


hi, /etc/ssh/sshd_config i just only know to configure allow user:

AllowUser user1 user2
AllowUser michael@linuxsystem

How to configure deny from both directive? is it DenyUser directive correct?

If i want only allow or deny Host(ip address), how to configure, what directive?

AllowHost
DenyHost

? is it correct?

Thank you.
 
Old 12-31-2007, 06:17 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,158

Rep: Reputation: 328Reputation: 328Reputation: 328Reputation: 328
The AllowUsers and DenyUsers support the user@host syntax and also support wildcards. IIRC, if you have an AllowUsers directive, only users/hosts specified by it will be allowed to connect and all others will be denied by default. The sshd_config and ssh_config man pages have some further info on this subject.
 
Old 01-01-2008, 01:07 AM   #3
samix_119
LQ Newbie
 
Registered: Dec 2006
Posts: 3

Rep: Reputation: 0
Salaam,

just use tcp wrappers!!!

go to the file /etc/hosts.deny and add this entry

sshd: 192.168.0.1/255.255.255.0

if the above does not work then try the same entry without the netmask

sshd: 192.168.0.1


This should God willing block out the ip u wanna block!

Regards

Last edited by samix_119; 01-01-2008 at 01:10 AM.
 
Old 01-01-2008, 02:39 AM   #4
muralee29477
LQ Newbie
 
Registered: Apr 2007
Posts: 11

Rep: Reputation: 0
Hi everybody

you can use iptables or TCP wrappers

but i prefer iptables

it will serve your requirments

good luck
muralee
 
Old 01-01-2008, 06:18 AM   #5
ashwani kumar mishra
LQ Newbie
 
Registered: Nov 2007
Posts: 1

Rep: Reputation: 0
Smile

ssh (SSH client) is a program for logging into a remote
machine and for executing commands on a remote machine. It
is intended to replace rlogin and rsh, and provide secure
encrypted communications between two untrusted hosts over an
insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.




ssh implements the RSA authentication protocol
automatically. The user creates his/her RSA key pair by
running ssh-keygen(1). This stores the private key in
$HOME/.ssh/identity and the public key in
$HOME/.ssh/identity.pub in the user's home directory. The
user should then copy the identity.pub to
$HOME/.ssh/authorized_keys in his/her home directory on the
remote machine (the authorized_keys file corresponds to the
conventional $HOME/.rhosts file, and has one key per line,
though the lines can be very long). After this, the user
can log in without giving the password. RSA authentication
is much more secure than rhosts authentication.



The StrictHostKeyChecking option can be used to
prevent logins to machines whose host key is not known or
has changed.

The options are as follows:

-a Disables forwarding of the authentication agent
connection.

-A Enables forwarding of the authentication agent
connection. This can also be specified on a per-host
basis in a configuration file.
 
Old 01-01-2008, 12:19 PM   #6
Archiviste
LQ Newbie
 
Registered: Jul 2007
Posts: 5

Rep: Reputation: 0
Quote:
Originally Posted by hocheetiong View Post
hi, /etc/ssh/sshd_config i just only know to configure allow user:

AllowUser user1 user2
AllowUser michael@linuxsystem

How to configure deny from both directive? is it DenyUser directive correct?

If i want only allow or deny Host(ip address), how to configure, what directive?

AllowHost
DenyHost

? is it correct?

Thank you.
As mentionned before, tcpwrappers is the way to go:
http://www.clug.org/presentations/se...pwrappers.html

A nice trick once it is installed:

/etc/hosts.deny is checked before /etc/hosts.allow, so you can go

* hosts.deny
ALL : ALL

first, we block everything from everyone,

* hosts.allow
ALL : localhost
sshd: 192.168.0.22
proftpd: 192.168.0.22

which means only 192.168.0.22 on your local network
can access ssh or the proftp server on that machine.

If you don't want to or can't block ALL in hosts.deny (ex. you log in at work from a dynamically-addressed machine like I do), you can use the DenyHosts script (http://denyhosts.sourceforge.net/) to 'automagically' generate the list of denied hosts for you from the /var/log/auth.log file. I know it's available in Ubuntu's package list, otherwise you can get a rpm from the website above.
 
Old 01-01-2008, 03:18 PM   #7
wartstew
Member
 
Registered: Apr 2002
Location: Albuquerque, NM USA
Distribution: Slackware, Ubuntu, Debian, Maemo
Posts: 464

Rep: Reputation: 30
Options for automatically denying brute force attacks

I use a couple of programs (and there are other good ones as well) that automatically manage the blocking and unblocking of hosts based on if they try too many times to guess logins and passwords to common services like ssh and ftp. I found they work very well to eliminate annoying brute force attacks.

The program "blockhosts" works with TCP wrappers (the /etc/hosts.deny and /etc/hosts.allow stuff). I use it on a hacked embedded device I have that is stuck with a 2.4 version kernel.

The program "fail2ban" works with iptables, which means it requires kernel 2.6 with iptables enabled, but is better because it bans IPs at the kernel level, which is probably faster and safer. On my Debian machines, I found "fail2ban" just works out-of-the-box with a default install -- nice.

Check you distribution's repositories for these of Google for the sources if you need to. I had to compile blockhosts myself for my PPC based Linkstation for example.
 
Old 01-02-2008, 12:47 AM   #8
samix_119
LQ Newbie
 
Registered: Dec 2006
Posts: 3

Rep: Reputation: 0
I think iptables is better than tcp wrappers coz it will block the user even before it can reach the application, hence lesser chances of getting cracked.

The sshd daemon should not be overloaded with meaningless blocking and host filtering activities as there are better options like tcp wrappers and iptables that are specifically designed to do this job.
 
Old 01-17-2008, 01:24 PM   #9
sixerjman
Member
 
Registered: Sep 2004
Distribution: Debian Tesing / Unstable
Posts: 166
Blog Entries: 1

Rep: Reputation: 30
I agree with Samix, IPTABLES is the way to go. I use Firestarter (wrapper around IPTABLES) as the firewall and block all access to the SSH port by default, allowing only selected hosts via Firestarter configuration.
 
Old 01-17-2008, 02:40 PM   #10
wartstew
Member
 
Registered: Apr 2002
Location: Albuquerque, NM USA
Distribution: Slackware, Ubuntu, Debian, Maemo
Posts: 464

Rep: Reputation: 30
I too use Firestarter

Yes, Firestarter is a nice X app that not only configures IPTABLES easily, but also give you real-time monitoring of activity. Because it only configures IPTABLES, you don't actually have to have it running all the time if you don't want to for the filtering action of IPTABLES to be working. It only needs to run if you wish to change things, or monitor what is going on.
 
  


Reply

Tags
denyhosts, ssh, tcpwrappers


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
host.deny and host.allow not found satimis Linux - Security 5 08-24-2007 07:38 AM
disable host.allow and deny doronunu Linux - Newbie 6 05-17-2006 05:09 AM
deny ip address with ssh DaWallace Slackware 16 05-31-2005 09:40 PM
How to setup a host.deny and host.allow for SSH? explorer1979 Linux - Security 2 01-31-2005 06:28 PM
How do I deny host? Inexactitude Linux - Security 3 02-22-2004 03:00 PM


All times are GMT -5. The time now is 05:14 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration