can't restrict sshd access through hosts.allow and hosts.deny but was working earlier
Running ver 8.0.0 (åtta) Slackware 2.4.29
Problem is that I can't restrict an IP address in hosts.allow and hosts.deny. I typed the following on the shell to avoid any illegal characters (which happened a couple of times by copying from Windows Notepad/WordPad):

    cat /etc/hosts.allow
    sshd : a.a.a.a
    cat /etc/hosts.deny
    sshd : ALL

Sshd is running from /etc/rc.d/rc.inet2:

    /etc/rc.d/rc.inet2:if [ -x /usr/local/sbin/sshd ]; then
    /etc/rc.d/rc.inet2:  echo -n " sshd"
    /etc/rc.d/rc.inet2:  /usr/local/sbin/sshd
    /etc/rc.d/rc.inet2:elif [ -x /usr/sbin/sshd ]; then
    /etc/rc.d/rc.inet2:  echo -n " sshd"
    /etc/rc.d/rc.inet2:  /usr/sbin/sshd

I rebooted the server (which wasn't required, restarting the service was enough), but I can still log in to the test server from anywhere.

Earlier the server was locked down to a few IP addresses on our network, which I changed to

    sshd : ALL : ALLOW

Then the server started to receive so many ssh login attempts in /var/log/messages from various IP addresses, and now I want to lock it down again and it is not working. Unfortunately I don't want to use iptables/ipchains.

    # $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
    # This is the sshd server system-wide configuration file. See sshd(8)
    # for more information.

    Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    HostKey /usr/local/etc/ssh_host_key
    HostKey /usr/local/etc/ssh_host_rsa_key
    HostKey /usr/local/etc/ssh_host_dsa_key
    ServerKeyBits 768
    LoginGraceTime 9
    KeyRegenerationInterval 3600
    PermitRootLogin no
    #
    # Don't read ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    StrictModes yes
    X11Forwarding no
    X11DisplayOffset 10
    PrintMotd yes
    #PrintLastLog no
    KeepAlive yes
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    #obsoletes QuietMode and FascistLogging
    RhostsAuthentication no
    #
    # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    #
    RSAAuthentication yes
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication yes
    PermitEmptyPasswords no
    # Uncomment to disable s/key passwords
    #ChallengeResponseAuthentication no
    # Uncomment to enable PAM keyboard-interactive authentication
    # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
    #PAMAuthenticationViaKbdInt yes
    # To change Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #AFSTokenPassing no
    #KerberosTicketCleanup no
    # Kerberos TGT Passing does only work with the AFS kaserver
    #KerberosTgtPassing yes
    #CheckMail yes
    #UseLogin no
    MaxStartups 4:30:10
    #Banner /etc/issue.net
    #ReverseMappingCheck yes
    Subsystem sftp /usr/local/libexec/sftp-server

Thanks
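As an added example (not code from the thread), a Python evaluator for the hosts.allow / hosts.deny semantics the post relies on: the two-field `sshd : a.a.a.a` / `sshd : ALL` form and the inline `sshd : ALL : ALLOW` option form, with a.a.a.a assumed to stand for 192.168.1.10 and 203.0.113.7 a constructed outside address. It also handles the `192.168.1.` prefix, net/mask and EXCEPT patterns from hosts_access(5), which the post itself does not use.

```python
"""Added example: a small evaluator for the hosts_access(5) rules used by tcpd/libwrap.
Lookup order as libwrap applies it: /etc/hosts.allow first, then /etc/hosts.deny,
first matching rule wins, and a client that matches nothing is granted access."""
import ipaddress

# Constructed copies of the two files from the question (a.a.a.a stands in for 192.168.1.10).
HOSTS_ALLOW = "sshd : 192.168.1.10\n"
HOSTS_DENY = "sshd : ALL\n"

def _match_client(pattern, ip):
    """One pattern from a client_list against a dotted-quad client address (IPv4 only)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "192.168.1." matches the whole /24 by prefix
        return ip.startswith(pattern)
    if "/" in pattern:                 # "10.0.0.0/255.0.0.0" or "10.0.0.0/8"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def _match_list(field, value, matcher):
    """Handle 'a b EXCEPT c' lists: match the head, then subtract the EXCEPT part."""
    head, _, tail = field.partition(" EXCEPT ")
    hit = any(matcher(p, value) for p in head.split())
    return hit and not (tail and _match_list(tail, value, matcher))

def _rules(text, file_default):
    """Yield (daemon_list, client_list, verdict) for each rule line of one file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        verdict = file_default                        # 'sshd : ALL' in hosts.deny => DENY
        for option in parts[2:]:                      # 'sshd : ALL : ALLOW' overrides it
            if option.upper() in ("ALLOW", "DENY"):
                verdict = option.upper()
        yield parts[0], parts[1], verdict

def hosts_access(allow_text, deny_text, daemon, client_ip):
    """Return 'ALLOW' or 'DENY' as tcpd would decide for this daemon and client."""
    for text, file_default in ((allow_text, "ALLOW"), (deny_text, "DENY")):
        for daemons, clients, verdict in _rules(text, file_default):
            if _match_list(daemons, daemon, lambda p, d: p in ("ALL", d)) and \
               _match_list(clients, client_ip, _match_client):
                return verdict
    return "ALLOW"                                    # nothing matched: access granted

if __name__ == "__main__":
    for ip in ("192.168.1.10", "203.0.113.7"):
        print(ip, hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip))
```

sshd consults these files only when it was built with libwrap (tcp_wrappers) support or is started through tcpd; a standalone sshd built without it ignores them entirely, which no check of the files themselves can reveal. The tcpdmatch(8) utility that ships with tcp_wrappers runs the same lookup against the live files.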
try

    sshd : ALL : DENY
I already tried that, and did it again, but it is still allowing me in from everywhere.
do you have a .rhosts file? that could be the problem... if you do have a .rhosts file, just mv it or delete it just to try it out...
If the hosts.allow and .deny files are set up correctly, afaik it should block access. Can you post the actual complete files? I'm assuming when you write a.a.a.a that is just a replacement here for the actual IP you have in the file?
Btw, unless you specifically have clients that can only use protocol 1 (which these days is probably unlikely) you should uncomment the "Protocol" line (or make a new one) and change it to allow only protocol 2. Protocol 1 is insecure. That might even be the problem; I'm not sure if the authentication for protocol 1 bypasses the hosts files. It doesn't seem like it would be able to, but who knows.