LinuxQuestions.org


farhan 04-16-2008 09:14 AM

can't restrict sshd access through hosts.allow and hosts.deny but was working earlier
 
Running ver 8.0.0 (åtta) Slackware 2.4.29
Problem is that I can't restrict an IP address in hosts.allow and hosts.deny.
I typed the following on the shell to avoid any illegal characters (which happened a couple of times when copying from Windows Notepad/WordPad):

cat /etc/hosts.allow
sshd : a.a.a.a

cat /etc/hosts.deny
sshd : ALL


Sshd is running from
/etc/rc.d/rc.inet2:if [ -x /usr/local/sbin/sshd ]; then
/etc/rc.d/rc.inet2: echo -n " sshd"
/etc/rc.d/rc.inet2: /usr/local/sbin/sshd
/etc/rc.d/rc.inet2:elif [ -x /usr/sbin/sshd ]; then
/etc/rc.d/rc.inet2: echo -n " sshd"
/etc/rc.d/rc.inet2: /usr/sbin/sshd

I rebooted the server (which wasn't required; restarting the service was enough).
But I can still log in to the test server from anywhere.
Earlier the server was locked down to a few IP addresses on our network, which I changed to sshd : ALL : ALLOW.
Then the server started to receive so many ssh login attempts in /var/log/messages from various IP addresses,
and now I want to lock it down again and it is not working.
Unfortunately I don't want to use iptables/ipchains.


# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /usr/local/etc/ssh_host_key
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 9
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

MaxStartups 4:30:10
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/local/libexec/sftp-server


Thanks

slackhack 04-16-2008 09:33 AM

try

sshd : ALL : DENY

farhan 04-18-2008 05:58 AM

I already tried that, and did again but it is still allowing me from everywhere.

windowsnot 04-18-2008 07:40 AM

Do you have a .rhosts file? That could be the problem... If you do have an rhosts file, just mv it or delete it, just to try it out...

slackhack 04-18-2008 07:41 AM

If the hosts.allow and .deny files are set up correctly, afaik it should block access. Can you post the actual complete files? I'm assuming when you write a.a.a.a that is just a replacement here for the actual IP you have in the file?

Btw, unless you specifically have clients that can only use protocol 1 (which these days is probably unlikely) you should uncomment the "Protocol" line (or make a new one) and change it to allow only protocol 2. Protocol 1 is insecure. That might even be the problem; I'm not sure if the authentication for protocol 1 bypasses the hosts files. It doesn't seem like it would be able to, but who knows.
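As an added example (not posted in the thread and not part of tcp_wrappers or OpenSSH), here is a small Python evaluator of the hosts_access(5) decision rules, run over the two files farhan posted (with the constructed address 10.0.0.5 standing in for a.a.a.a), the sshd : ALL : ALLOW line that opened the server, slackhack's DENY option, and a subnet rule with EXCEPT. It shows that the files as posted do refuse strangers, so if sshd still lets everyone in, the rules are not being consulted at all: sshd here is started directly from rc.inet2 rather than through inetd/tcpd, so hosts.allow and hosts.deny only take effect if the sshd binary is linked against libwrap, which `ldd /usr/local/sbin/sshd | grep libwrap` will show. On a box that has tcp_wrappers installed, `tcpdmatch sshd 203.0.113.9` performs the same check against the real files.

```python
"""Evaluator for tcp_wrappers hosts.allow / hosts.deny rules (hosts_access(5)).

Supported subset: daemon lists, client lists with ALL, exact IPs, trailing-dot
prefixes (192.168.1.), net/mask (10.0.0.0/255.255.255.0 or 10.0.0.0/24),
leading-dot domain suffixes (.example.org), EXCEPT, and the ALLOW/DENY options.
LOCAL/KNOWN/UNKNOWN/PARANOID need DNS state and are deliberately left out.
"""
import ipaddress


def _join_continuations(text):
    """Fold backslash-continued lines into one logical line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _parse_list(field):
    """'a, b EXCEPT c' -> (['a', 'b'], ['c'])."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Return [(daemon_list, client_list, explicit_verdict_or_None), ...]."""
    rules = []
    for line in _join_continuations(text):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        options = [o.upper() for o in fields[2:]]
        verdict = "ALLOW" if "ALLOW" in options else "DENY" if "DENY" in options else None
        rules.append((_parse_list(fields[0]), _parse_list(fields[1]), verdict))
    return rules


def _client_matches(pattern, client_ip, client_host):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # numeric prefix: '192.168.1.'
        return client_ip.startswith(pattern)
    if pattern.startswith("."):          # domain suffix: '.example.org'
        return client_host is not None and client_host.endswith(pattern)
    if "/" in pattern:                   # net/mask or CIDR
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip or pattern == client_host


def _list_matches(parsed, matches):
    include, exclude = parsed
    return any(matches(p) for p in include) and not any(matches(p) for p in exclude)


def decide(daemon, client_ip, hosts_allow, hosts_deny, client_host=None):
    """hosts_access(5): the first match in hosts.allow grants, then the first
    match in hosts.deny refuses, otherwise access is granted. An explicit
    ALLOW/DENY option on the matching rule overrides which file it lives in."""
    def daemon_ok(p):
        return p == "ALL" or p == daemon

    def client_ok(p):
        return _client_matches(p, client_ip, client_host)

    for default, text in (("ALLOW", hosts_allow), ("DENY", hosts_deny)):
        for daemons, clients, verdict in parse_rules(text):
            if _list_matches(daemons, daemon_ok) and _list_matches(clients, client_ok):
                return verdict or default
    return "ALLOW"


# Constructed stand-ins for the files in the thread; 10.0.0.5 plays a.a.a.a.
LOCKED_ALLOW = "sshd : 10.0.0.5\n"
LOCKED_DENY = "sshd : ALL\n"
OPEN_ALLOW = "sshd : ALL : ALLOW\n"                 # the line that opened the box
SUBNET_ALLOW = "sshd : 10.0.0.0/255.255.255.0 EXCEPT 10.0.0.66\n"


def scenarios():
    """Verdicts for the configurations discussed in the thread."""
    return {
        "locked, trusted host":  decide("sshd", "10.0.0.5", LOCKED_ALLOW, LOCKED_DENY),
        "locked, stranger":      decide("sshd", "203.0.113.9", LOCKED_ALLOW, LOCKED_DENY),
        "locked, other daemon":  decide("in.ftpd", "203.0.113.9", LOCKED_ALLOW, LOCKED_DENY),
        "opened, stranger":      decide("sshd", "203.0.113.9", OPEN_ALLOW, LOCKED_DENY),
        "subnet, inside":        decide("sshd", "10.0.0.7", SUBNET_ALLOW, LOCKED_DENY),
        "subnet, excepted host": decide("sshd", "10.0.0.66", SUBNET_ALLOW, LOCKED_DENY),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print("%-24s %s" % (name, verdict))
```

Running it prints ALLOW for the trusted host and DENY for the stranger under the locked files, and ALLOW for the stranger once sshd : ALL : ALLOW is in hosts.allow. Note that a rule's own ALLOW/DENY option wins over the file it sits in, so "sshd : ALL : DENY" refuses everyone whether it is placed in hosts.allow or hosts.deny; in hosts.allow it would also refuse the trusted host if it comes before the 10.0.0.5 line, because the first match ends the search.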

