LinuxQuestions.org


jamiguel77 09-13-2004 12:09 AM

block putty.exe(ssh) with iptables
 
Hi all, I want to block all IPs that try to connect via putty.exe (ssh) from Windows to my server; only the IP 192.168.0.88 should be given permission to connect to my server.


NOTE: I need to use iptables because I offer internet to all PCs in my LAN.

thanks

ppuru 09-13-2004 12:33 AM

you can put a rule in /etc/hosts.allow as

sshd: 127. 192.168.0.88

You need 127. in case you want to try out ssh from the linux machine itself :)

jamiguel77 09-13-2004 09:38 AM

I followed your advice.
 
I followed:

you can put a rule in /etc/hosts.allow as

sshd: 127. 192.168.0.88


I tried from 192.168.0.88 and can get in, but when I try from 192.168.0.49 I can also get in. Why?

thanks

peter_robb 09-13-2004 10:39 AM

That would only work if sshd was run from inetd/xinetd..

If sshd is a standalone daemon, do ps ax | grep sshd to find its running PID; you will need to make an iptables rule or place a restriction in /etc/ssh/sshd.conf, eg

iptables -I INPUT -i ethx -p tcp --dport 22 -s ! 192.168.0.88 -j REJECT

or in sshd.config..
AllowUsers user1 user2 user3
and make a user just for ssh, eg mgwkptt4@g and use authorized keys
This will allow you to login from anywhere and su to root user..
See man ssh for details..

ppuru 09-13-2004 10:45 AM

shouldn't work that way ....

adding 127. and 192.168.0.88 should allow access to sshd only from these two IPs...

do you have any other entry in your hosts.allow? Something like a

ALL:ALL

You can try this ... although hosts.allow should work all by itself ...

edit hosts.deny and add

ALL:ALL

This will deny access to all services that are running ... except the ones you have allowed in hosts.allow.

ppuru 09-13-2004 10:57 AM

Quote:

That would only work if sshd was run from inetd/xinetd..
I have sshd running as a standalone daemon and adhering to hosts.allow.

jamiguel77 09-13-2004 11:14 AM

worked with hosts.allow and hosts.deny
 

I added this entry to hosts.deny

ALL:ALL

and tested from .99 and I can get in, and tried from .49 and I can't

It worked, but I am afraid, not knowing if this is the right way, because:
I am chatting in mIRC in the Undernet redhat channel.

<jak2000> Fiver: see again please: http://www.linuxquestions.org/questi...76#post1172576
<jak2000> Fiver, now worked.... :)
* DrAgOn0FF has quit IRC (Signed off)
<jak2000> with access.deny
<jak2000> is good way? in hosts.access and hosts.deny ?
<Fiver> no
<Fiver> they will not work for you
<jak2000> Fiver, worked, why not is a good WAY for me?
<Fiver> what version of redhat are you running?
<Fiver> recent versions, including fedora, do not run sshd from xinetd, so hosts.allow and hosts.deny are ignored for that service
* drkhero has quit IRC (Ping timeout)
<jak2000> rh 9
<Fiver> well, if it's working the way you want, that's fine, but hosts.allow and hosts.deny won't affect it
<Fiver> unless you've changed how sshd is run


peter_robb:

i typed:

ps ax | grep sshd

[root@ServerGLN root]# ps ax | grep sshd
1034 ? S 0:00 /usr/sbin/sshd
10743 ? R 0:00 /usr/sbin/sshd
10811 pts/1 S 0:00 grep sshd
[root@ServerGLN root]#



Any comments?

peter_robb 09-13-2004 11:22 AM

I must admit I haven't seen a fedora script ever, so I'd like to know how hosts.allow & .deny get to be involved..

Can then add that to the wiki instructions, (and stop me giving bad advice) ;)

jamiguel77 09-13-2004 12:49 PM

arghhhh hosts.deny
 
My email server does not work because in hosts.deny I have:

ALL:ALL

If I remove this line my email server works. Any advice?

Of course, putty can get in.... from any PC.


thanks

scowles 09-13-2004 03:18 PM

Re: arghhhh hosts.deny
 
Quote:

Originally posted by jamiguel77
My email server does not work because in hosts.deny I have:

ALL:ALL

If I remove this line my email server works. Any advice?

Of course, putty can get in.... from any PC.


thanks

First, IMO, the best way to implement your question is through iptables rules. Let the script kiddies of the world attack layer 3 of your firewall (iptables), not layer 7 user applications running behind it. Unless of course, you have no choice (like an e-mail MTA).

With the above in mind... If an application is compiled with tcpwrapper support (like sendmail), then that application will check the hosts.allow/deny files to determine access rules.

With regards to the quoted text above... you added ALL:ALL to hosts.deny. Because of this, you would then need to add each service that you want to grant access to in hosts.allow. Something like:

sendmail: ALL
sshd: 192.168.9.10

Further reading should include: man hosts.allow

There are a couple of examples (mostly closed/mostly open) in this particular man page that should help you meet the goals of your post.

jamiguel77 09-13-2004 04:21 PM

Not working....
 
/etc/hosts.deny


#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL:ALL

/etc/hosts.allow

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd: 127. 192.168.0.88
smtp: ALL
pop3: ALL
sendmail: ALL


I tried checking my email via Outlook Express and it gives me errors; I put a # in /etc/hosts.deny on the ALL:ALL line, tried checking the email again, and it works.....


Any advice?

Thanks for your time

netopia 09-13-2004 08:59 PM

Everyone please note what the hosts.allow file says - I don't think it's true that /etc/hosts.allow and hosts.deny only affect xinetd under any circumstances. The man page for tcpd says it monitors any services that have a one-to-one mapping onto executable files. Pop3 is likely not the name of the executable file that runs your email server - it is probably pop3d or any number of other things depending on which email server you are running...
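
To make scowles's mostly-closed layout and netopia's point about daemon names concrete, here is an added example (my own code, not from the thread or from tcp_wrappers itself) that models the hosts_access(5) decision: first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise the connection is allowed. It assumes only "daemon-list : client-list" lines with ALL, exact IPv4 addresses and trailing-dot prefixes, and uses "pop3d" as an assumed process name for the mail daemon.

```python
# Added example, not from the thread: a minimal model of the hosts_access(5)
# decision that tcpd/libwrap makes for a daemon built with tcp wrapper support.
# Assumptions: only "daemon-list : client-list" lines, with the patterns ALL,
# exact IPv4 addresses and trailing-dot prefixes such as "127." (no hostnames).

def parse_access(text):
    """Turn hosts.allow/hosts.deny text into (daemons, clients) rule pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if line:
            daemons, clients = line.split(":", 1)   # "sshd: 127. 192.168.0.88"
            rules.append((daemons.split(), clients.split()))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # "127." matches 127.x.x.x
        return ip.startswith(pattern)
    return pattern == ip

def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and any(
        client_matches(p, ip) for p in clients)

def wrapper_allows(allow_text, deny_text, daemon, ip):
    """First match in hosts.allow grants; otherwise first match in hosts.deny
    refuses; otherwise (no match anywhere) the connection is allowed."""
    if any(rule_matches(r, daemon, ip) for r in parse_access(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_access(deny_text)):
        return False
    return True

# Constructed copies of the files posted in the thread.
ALLOW = "sshd: 127. 192.168.0.88\nsmtp: ALL\npop3: ALL\nsendmail: ALL\n"
DENY_EMPTY = "# comments only\n"
DENY_ALL = "ALL:ALL\n"

if __name__ == "__main__":
    # Empty hosts.deny: .49 still gets in, because "no match" means allow.
    print(wrapper_allows(ALLOW, DENY_EMPTY, "sshd", "192.168.0.49"))  # True
    # With ALL:ALL in hosts.deny only the listed addresses reach sshd ...
    print(wrapper_allows(ALLOW, DENY_ALL, "sshd", "192.168.0.49"))    # False
    print(wrapper_allows(ALLOW, DENY_ALL, "sshd", "192.168.0.88"))    # True
    # ... and a POP3 daemon whose process is named "pop3d" (assumed name)
    # is refused, because the hosts.allow line says "pop3", not "pop3d".
    print(wrapper_allows(ALLOW, DENY_ALL, "pop3d", "192.168.0.88"))   # False
```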

ppuru 09-14-2004 03:52 AM

jamiguel

Can you run netstat -lap to get a list of services that are listening? You will have to give the exact daemon name.


jamiguel77 09-14-2004 10:13 AM

Finally I applied these iptables rules
 
iptables -A INPUT -i eth0 -p tcp --dport 22 -s 192.168.0.88 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -s 0/0 -j REJECT


and then: service iptables save


and it works well


Much Thanks
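
As an added example (my own code, not from the thread), the following walks a packet down an INPUT chain built from the two rules above using iptables' first-match semantics, and shows why a blanket ACCEPT already in the chain would hide rules that are appended with -A (which is why peter_robb used -I to insert at the top). It assumes the simplified "iptables -A INPUT" form with only -i, -p, --dport, -s and -j, which is all the thread uses.

```python
# Added example, not from the thread: a first-match walk down an INPUT chain
# built from the two rules above, to show why their order matters and why an
# earlier blanket ACCEPT would hide them (peter_robb's "-I" inserts at the top,
# "-A" appends at the bottom). Assumption: the simplified "iptables -A INPUT"
# form with only -i, -p, --dport, -s and -j, which is all the thread uses.
import ipaddress
import shlex

MATCH_OPTS = ("-i", "-p", "--dport", "-s", "-j")

def parse_rule(cmd):
    """'iptables -A INPUT -i eth0 -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT' -> dict"""
    toks = shlex.split(cmd)
    return {t: toks[i + 1] for i, t in enumerate(toks) if t in MATCH_OPTS}

def src_matches(pattern, ip):
    net = "0.0.0.0/0" if pattern == "0/0" else pattern    # "0/0" means any source
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def verdict(chain, iface, proto, dport, src, policy="ACCEPT"):
    """Target of the first rule matching the packet, else the chain policy."""
    for rule in map(parse_rule, chain):
        if rule.get("-i", iface) != iface:
            continue
        if rule.get("-p", proto) != proto:
            continue
        if int(rule.get("--dport", dport)) != dport:
            continue
        if not src_matches(rule.get("-s", "0/0"), src):
            continue
        return rule["-j"]
    return policy

# The rules jamiguel77 ended up with, in the order they were appended.
FINAL = [
    "iptables -A INPUT -i eth0 -p tcp --dport 22 -s 192.168.0.88 -j ACCEPT",
    "iptables -A INPUT -i eth0 -p tcp --dport 22 -s 0/0 -j REJECT",
]
# Constructed: the same rules appended behind an earlier "trust the LAN" rule,
# which is what "-A" does if such a rule is already in the chain.
SHADOWED = ["iptables -A INPUT -i eth0 -j ACCEPT"] + FINAL

if __name__ == "__main__":
    print(verdict(FINAL, "eth0", "tcp", 22, "192.168.0.88"))     # ACCEPT
    print(verdict(FINAL, "eth0", "tcp", 22, "192.168.0.49"))     # REJECT
    print(verdict(FINAL, "eth0", "tcp", 25, "192.168.0.49"))     # ACCEPT (policy)
    print(verdict(SHADOWED, "eth0", "tcp", 22, "192.168.0.49"))  # ACCEPT: shadowed
```

Checking the live chain with iptables -L INPUT -n --line-numbers shows the real order the kernel will use.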

