LinuxQuestions.org
Linux - Security This forum is for all security related questions.
04-16-2008, 09:14 AM   #1
farhan (Member)
can't restrict sshd access through hosts.allow and hosts.deny but was working earlier


Running ver 8.0.0 (åtta) Slackware 2.4.29
Problem is that I can't restrict an IP address in hosts.allow and hosts.deny.
I typed the following in the shell to avoid any illegal characters (which happened a couple of times when copying from Windows Notepad/WordPad):

cat /etc/hosts.allow
sshd : a.a.a.a

cat /etc/hosts.deny
sshd : ALL


Sshd is running from
/etc/rc.d/rc.inet2:if [ -x /usr/local/sbin/sshd ]; then
/etc/rc.d/rc.inet2: echo -n " sshd"
/etc/rc.d/rc.inet2: /usr/local/sbin/sshd
/etc/rc.d/rc.inet2:elif [ -x /usr/sbin/sshd ]; then
/etc/rc.d/rc.inet2: echo -n " sshd"
/etc/rc.d/rc.inet2: /usr/sbin/sshd

I rebooted the server (which wasn't required; restarting the service was enough),
but I can still log in to the test server from anywhere.
Earlier the server was locked down to a few IP addresses on our network, which I changed to sshd : ALL : ALLOW.
Then the server started to receive so many SSH login attempts in /var/log/messages from various IP addresses,
and now I want to lock it down again and it is not working.
Unfortunately I don't want to use iptables/ipchains.


# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /usr/local/etc/ssh_host_key
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 9
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

MaxStartups 4:30:10
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/local/libexec/sftp-server


Thanks
 
04-16-2008, 09:33 AM   #2
slackhack (Senior Member)
try

sshd : ALL : DENY
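As an added example (not from the thread), here is a small Python model of the hosts_access(5) decision order, so the rules quoted in the first post and the sshd : ALL : DENY form suggested in the reply can be checked offline; the 192.0.2.x and 198.51.100.x addresses are constructed placeholders standing in for a.a.a.a.

```python
# Added example (not from the thread): a minimal model of how tcp_wrappers
# (hosts_access(5) / hosts_options(5)) decides whether a client may reach sshd.
# Assumptions: only the "daemon : client [: ALLOW|DENY]" forms seen in the
# thread, with clients given as ALL, a dotted-quad, or a dotted prefix ("10.1.").
# Real libwrap also supports netmasks, hostnames, EXCEPT and shell commands.

def _parse(text):
    """Yield (daemons, clients, option) per rule; skip blanks and comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].split()
        clients = fields[1].split() if len(fields) > 1 else []
        option = fields[2].upper() if len(fields) > 2 else None
        yield daemons, clients, option

def _client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # dotted-prefix form, e.g. "192.0.2."
        return addr.startswith(pattern)
    return addr == pattern

def _rule_matches(daemons, clients, daemon, addr):
    return ("ALL" in daemons or daemon in daemons) and any(
        _client_matches(c, addr) for c in clients)

def hosts_access(daemon, addr, allow_text, deny_text):
    """True if libwrap would grant access: the first matching rule in
    hosts.allow wins (an explicit DENY option refuses), then the first
    matching rule in hosts.deny (an explicit ALLOW option grants), else allow."""
    for daemons, clients, option in _parse(allow_text):
        if _rule_matches(daemons, clients, daemon, addr):
            return option != "DENY"
    for daemons, clients, option in _parse(deny_text):
        if _rule_matches(daemons, clients, daemon, addr):
            return option == "ALLOW"
    return True   # no rule matched: the tcp_wrappers default is to allow

if __name__ == "__main__":
    # Constructed sample: the poster's intended lock-down with a placeholder IP.
    allow, deny = "sshd : 192.0.2.10\n", "sshd : ALL\n"
    print(hosts_access("sshd", "192.0.2.10", allow, deny))     # True
    print(hosts_access("sshd", "198.51.100.7", allow, deny))   # False
    # The earlier "sshd : ALL : ALLOW" line in hosts.allow opens it to everyone.
    print(hosts_access("sshd", "198.51.100.7", "sshd : ALL : ALLOW\n", deny))  # True
```

The model only tells you what the files say; sshd consults them at all only when the binary was built with tcp_wrappers support (linked against libwrap), which `ldd /usr/local/sbin/sshd | grep libwrap` would show for the binary rc.inet2 actually starts.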
 
04-18-2008, 05:58 AM   #3
farhan (Member, Original Poster)
I already tried that, and did again but it is still allowing me from everywhere.
 
04-18-2008, 07:40 AM   #4
windowsnot (LQ Newbie)
Do you have a .rhosts file? That could be the problem. If you do have an .rhosts file, just mv it or delete it, just to try it out.
 
04-18-2008, 07:41 AM   #5
slackhack (Senior Member)
If the hosts.allow and .deny files are set up correctly, afaik it should block access. Can you post the actual complete files? I'm assuming when you write a.a.a.a that is just a replacement here for the actual IP you have in the file?

Btw, unless you specifically have clients that can only use protocol 1 (which these days is probably unlikely), you should uncomment the "Protocol" line (or make a new one) and change it to allow only protocol 2. Protocol 1 is insecure. That might even be the problem; I'm not sure if the authentication for protocol 1 bypasses the hosts files. It doesn't seem like it would be able to, but who knows.
 
  

