LinuxQuestions.org
Old 06-17-2008, 08:36 PM   #1
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Rep: Reputation: 15
my hosts.allow hosts.deny not working


I am under attack by persistent login attempts to my dropbear sshd.

I modified hosts.allow to be my ip address
hosts.deny to be all: all

Then I tried to connect to ssh using a different ip, and I was able to login. And my /var/log/auth.log just keeps on growing with hacking attempts.



-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Last edited by twlilinux; 08-15-2008 at 04:38 PM.
 
Old 06-17-2008, 10:10 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
This only works if a daemon is compiled with tcp wrappers. e.g.:
Code:
$ ldd /usr/sbin/sshd | grep 'libwrap'
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x0067e000)
Instead, consider using iptables rules to protect your dropbear service.
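
Added example, not part of the original post: a shell check for the libwrap linkage described above, which falls back to printing packet-filter rules when hosts.allow/hosts.deny cannot apply. The binary path /usr/sbin/dropbear, the address 203.0.113.10 and both sample `ldd` listings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The address 203.0.113.10 and both sample listings are constructed.
# Only run ldd on binaries you trust: it may execute code from the file.

# Constructed `ldd` output for a daemon built with TCP wrappers support.
sample_ldd_wrapped() {
    printf '%s\n' '        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x0067e000)' \
                  '        libc.so.6 => /lib/libc.so.6 (0x00110000)'
}
# Constructed `ldd` output for a daemon built without it.
sample_ldd_plain() {
    printf '%s\n' '        libutil.so.1 => /lib/libutil.so.1 (0x00110000)' \
                  '        libc.so.6 => /lib/libc.so.6 (0x00220000)'
}

# Read `ldd` output on stdin; succeed only if libwrap is listed.
has_libwrap() {
    grep -q 'libwrap\.so'
}

# Succeed if binary $1 is dynamically linked against libwrap.
# (A statically linked copy of libwrap would not show up here.)
daemon_uses_tcp_wrappers() {
    ldd "$1" 2>/dev/null | has_libwrap
}

# Print, without applying, rules that accept TCP port $2 from $1 only.
# Order matters: the ACCEPT for the admin address must precede the DROP.
ssh_allow_only() {
    echo "iptables -A INPUT -p tcp --dport ${2:-22} -s $1 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${2:-22} -j DROP"
}

# Report which control is effective for binary $1 (admin IP $2, port $3).
advise() {
    if daemon_uses_tcp_wrappers "$1"; then
        echo "$1: linked with libwrap, hosts.allow/hosts.deny are consulted"
    else
        echo "$1: libwrap not found, hosts.allow/hosts.deny have no effect; candidate rules:"
        ssh_allow_only "$2" "$3"
    fi
}

advise "${1:-/usr/sbin/dropbear}" "${2:-203.0.113.10}" "${3:-22}"
```

The rules are printed for review rather than applied, because a wrong source address on a machine that is only reachable over SSH locks the administrator out.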
 
Old 06-17-2008, 10:12 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Another option is to use the AllowUsers directive with the form user@host. (Does dropbear support that?)

I don't mean to lecture, but you shouldn't be running services that listen to connections from the 'net if you're not sure how to properly secure them. Is turning off dropbear altogether an option?
 
Old 06-17-2008, 10:49 PM   #4
eggixyz
Member
 
Registered: Apr 2008
Posts: 310

Rep: Reputation: 30
Hey there,

It's primitive but you can also just test from the command line by running tcpd with sshd as its argument. That'll quickly tell you if you have it compiled correctly or not.

Also, how specific is your hosts.allow? Is it ALL for your IP address or is it split up by service? If it's ALL, your sshd probably doesn't support tcp wrappers. If you're splitting by service, there might be an issue in the file.

Another thing you can try is to use lsof (or a similar program) to determine where sshd is running from. It's a long-shot, but if you have more than one sshd on your system it could be that the wrong one is being protected.

No offense meant, just trying to cover all the angles I can see from scanning over the post.

Best wishes,

Mike
 
Old 06-17-2008, 11:39 PM   #5
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Original Poster
Rep: Reputation: 15
alright, ty for your suggestions. Unfortunately, my server is only accessible remotely, and more unfortunately, I'm the only linux admin that I can afford.

I suspect that dropbear may not support tcp wrappers. But I'm not certain. Anyway, I installed openssh and made it listen to a strange port number. Hopefully, that will keep the hackers guessing until tomorrow. I'll try to figure out firewalls and tcp wrappers ... or die(mysql_pun_intended) trying.


Last edited by twlilinux; 08-15-2008 at 04:38 PM.
 
Old 06-18-2008, 12:15 AM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671
Is this an embedded Linux system? If not, I don't see any reason not to use openssl instead.

There are some things you can do to secure ssl further.
  • disable root logins
  • disable password authentication
  • use public key authentication
  • change the port number
  • use "AllowUsers" (which disables all other users & groups)
  • Create your key with a good passphrase
  • Use a "from=" field in authorized_keys.

A passphrase will help protect your private key. A "from=" option in the server's authorized_keys file will prevent logging in from another location even if the private key is lost.
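
Added example, not part of the original post: the checklist above turned into an audit of an OpenSSH `sshd_config`, plus a count of `authorized_keys` entries that lack a `from=` option. The file names, user names, key strings and the address 203.0.113.10 are constructed, and only the global section of the config is evaluated.

```shell
#!/bin/sh
# Added example. Assumptions: OpenSSH sshd_config syntax, global section only
# (Match blocks are not evaluated). A keyword that is not set explicitly is
# reported, so the result does not depend on the installed version's default.

# Constructed sample files (not from the thread), written to directory $1.
write_samples() {
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#PasswordAuthentication no' \
        > "$1/weak_sshd_config"
    printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'passwordauthentication no' \
        'PubkeyAuthentication yes' 'AllowUsers admin' > "$1/hard_sshd_config"
    printf '%s\n' '# constructed keys' \
        'from="203.0.113.10" ssh-ed25519 AAAAexamplekey1 admin@desk' \
        'ssh-ed25519 AAAAexamplekey2 admin@laptop' > "$1/authorized_keys"
}

# Effective value of keyword $1 in file $2: keywords are case-insensitive
# and sshd uses the first occurrence.
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# Print one FAIL line per finding; return 0 only when there are none.
audit_sshd_config() {
    findings=0
    for want in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes; do
        key=${want%%=*}; val=$(sshd_value "$key" "$1")
        if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" != "${want#*=}" ]; then
            echo "FAIL $key is '${val:-unset}', want '${want#*=}'"
            findings=$((findings + 1))
        fi
    done
    if [ -z "$(sshd_value AllowUsers "$1")" ]; then
        echo "FAIL AllowUsers is unset, no per-user allow list"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Count key lines in authorized_keys file $1 that carry no from="..." option.
keys_without_from() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | grep -c -v 'from="' || true
}

demo=$(mktemp -d) && write_samples "$demo"
audit_sshd_config "$demo/weak_sshd_config" || true
echo "keys without from=: $(keys_without_from "$demo/authorized_keys")"
```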
 
Old 06-19-2008, 02:42 AM   #7
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 54
Have you looked into the links I gave you here?
http://www.linuxquestions.org/questi...0/#post3188110
I did not realize that dropbear does not have a config-file - the options are given when it is started (like on the command-line) - usually it is started from /etc/init.d/...
Code:
man dropbear
will tell you more.
You could surely install openssh and replace dropbear by it - but most of it should work just as well.

Was all that not working or not enough? Or just problems configuring dropbear.
Portknocking is another step to make it more difficult for someone to attack or DOS you.

Last edited by jomen; 06-19-2008 at 02:44 AM.
 
Old 06-19-2008, 08:20 AM   #8
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Original Poster
Rep: Reputation: 15
Thanks a lot guys, this really helped. I'm no longer getting any spam login attempts. What's more, after I secured sshd, my shell command seemed to work faster too (before this, it took a fraction of a second for anything I type to get through to the terminal. Now it's instantaneous). Cheers!


Last edited by twlilinux; 08-15-2008 at 04:39 PM.
 
  


All times are GMT -5.