block putty.exe (ssh) with iptables
Hi all. I want to block all IPs that try to connect via putty.exe (SSH) from Windows to my server; only the IP 192.168.0.88 should be permitted to connect to my server.
NOTE: I need to use iptables because I offer internet to all PCs in my LAN. Thanks |
You can put a rule in /etc/hosts.allow such as
sshd: 127. 192.168.0.88
You need 127. in case you want to try out ssh from the Linux machine itself :) |
I followed your advice:
you can put a rule in /etc/hosts.allow as
sshd: 127. 192.168.0.88
I tried from 192.168.0.88 and can get in, but I also tried from 192.168.0.49 and can get in too. Why? Thanks |
That would only work if sshd was run from inetd/xinetd.
If sshd is a standalone daemon, do ps ax | grep sshd to find its running PID. You will need to make an iptables rule or place a restriction in /etc/ssh/sshd_config, e.g.
iptables -I INPUT -i ethx -p tcp --dport 22 -s ! 192.168.0.88 -j REJECT
or in sshd_config:
AllowUsers user1 user2 user3
and make a user just for ssh, e.g. mgwkptt4@g, and use authorized keys. This will allow you to log in from anywhere and su to the root user. See man ssh for details. |
It shouldn't work that way...
Adding 127. and 192.168.0.88 should allow access to sshd only from these two IPs. Do you have any other entry in your hosts.allow, something like ALL:ALL? You can try this, although hosts.allow should work all by itself: edit hosts.deny and add
ALL:ALL
This will deny access to all services that are running, except the ones you have allowed in hosts.allow. |
worked with hosts.allow and hosts.deny
I added this entry to hosts.deny:
ALL:ALL
I tested from .99 and I can get in, and I tested from .49 and I can't; it worked. But I am afraid because I don't know if this is the right way: I was chatting on mIRC in the Undernet redhat channel:
<jak2000> Fiver: see again please: http://www.linuxquestions.org/questi...76#post1172576
<jak2000> Fiver, now worked.... :)
* DrAgOn0FF has quit IRC (Signed off)
<jak2000> with access.deny
<jak2000> is good way? in hosts.access and hosts.deny ?
<Fiver> no
<Fiver> they will not work for you
<jak2000> Fiver, worked, why not is a good WAY for me?
<Fiver> what version of redhat are you running?
<Fiver> recent versions, including fedora, do not run sshd from xinetd, so hosts.allow and hosts.deny are ignored for that service
* drkhero has quit IRC (Ping timeout)
<jak2000> rh 9
<Fiver> well, if it's working the way you want, that's fine, but hosts.allow and hosts.deny won't affect it
<Fiver> unless you've changed how sshd is run
peter_robb: I typed ps ax | grep sshd:
[root@ServerGLN root]# ps ax | grep sshd
1034 ? S 0:00 /usr/sbin/sshd
10743 ? R 0:00 /usr/sbin/sshd
10811 pts/1 S 0:00 grep sshd
[root@ServerGLN root]#
Any comments? |
I must admit I haven't ever seen a Fedora script, so I'd like to know how hosts.allow & .deny get to be involved.
Then I can add that to the wiki instructions (and stop giving bad advice) ;) |
arghhhh hosts.deny
My email server does not work because in hosts.deny I have:
ALL:ALL
If I remove this line my email server works. Any advice? Of course putty can then get in from any PC. Thanks |
Re: arghhhh hosts.deny
With the above in mind... If an application is compiled with tcpwrapper support (like sendmail), then that application will check the hosts.allow/deny files to determine access rules. With regard to the quoted text above, you added ALL:ALL to hosts.deny. Because of this, you would then need to add each service that you want to grant access to in hosts.allow. Something like:
sendmail: ALL
sshd: 192.168.9.10
Further reading should include: man hosts.allow. There are a couple of examples (mostly closed/mostly open) in that man page that should help you meet the goals of your post. |
Does not work....
/etc/hosts.deny:
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
ALL:ALL

/etc/hosts.allow:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 127. 192.168.0.88
smtp: ALL
pop3: ALL
sendmail: ALL

I tried to check my email via Outlook Express and it gives me errors. I put a # in /etc/hosts.deny on the ALL:ALL line, tried checking the email again, and it worked..... Any advice? Thanks for your time |
Everyone please note what the hosts.allow file says. I don't think it's true that /etc/hosts.allow and hosts.deny only affect xinetd under any circumstances. The man page for tcpd says it monitors any services that have a one-to-one mapping onto executable files. pop3 is likely not the name of the executable file that runs your email server; it is probably pop3d or any number of other things depending on which email server you are running... |
jamiguel, can you run netstat -lap to get a list of the services that are listening? You will have to give the exact daemon name. |
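The access decision the last few posts argue about can be reproduced offline. The following is an added example, not code from the thread: a small Python emulation of the hosts_access(5) evaluation order (hosts.allow is searched first and the first match grants; then hosts.deny, where the first match denies; if neither file matches, access is granted), run against constructed copies of the two files posted above. It supports the ALL wildcard, trailing-dot prefixes such as 127., net/mask patterns and exact addresses; hostname patterns and the EXCEPT operator are left out. The daemon name compared against the first column is the server's process name (basename of argv[0]) as libwrap sees it, not the service name from /etc/services, which is why a pop3 line does not match a POP daemon binary named, say, ipop3d (an assumed name used only for illustration). The files have no effect at all on a daemon that is neither linked against libwrap nor started through tcpd; OpenSSH removed its libwrap support in version 6.7.

```python
"""Emulation of tcp_wrappers access decisions (hosts_access(5)).

Added example; the file contents below are constructed copies of what was
posted in the thread and are not read from /etc.
"""
import ipaddress

HOSTS_ALLOW = """
# hosts.allow as posted: sshd only from localhost and one workstation
sshd: 127. 192.168.0.88
smtp: ALL
pop3: ALL
sendmail: ALL
"""

HOSTS_DENY = """
# hosts.deny as posted: deny everything not granted above
ALL: ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list)] in file order, comments stripped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Subset of hosts_access client patterns, for a numeric client address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "127." matches 127.x.x.x
        return addr.startswith(pattern)
    if "/" in pattern:                   # n.n.n.n/m.m.m.m or CIDR
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr               # exact address


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr) for c in clients))


def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if a libwrap-aware daemon would accept the connection.

    daemon is the process name libwrap sees (basename of argv[0]), e.g.
    "sshd" or "sendmail", not a service name such as "pop3".
    """
    for rule in parse_rules(allow):
        if rule_matches(rule, daemon, addr):
            return True                  # first hosts.allow match grants
    for rule in parse_rules(deny):
        if rule_matches(rule, daemon, addr):
            return False                 # first hosts.deny match denies
    return True                          # neither file matched: granted


if __name__ == "__main__":
    checks = [("sshd", "192.168.0.88"), ("sshd", "192.168.0.49"),
              ("sshd", "127.0.0.1"), ("sendmail", "10.0.0.5"),
              ("ipop3d", "192.168.0.49")]
    for daemon, addr in checks:
        state = "allow" if hosts_access(daemon, addr) else "deny"
        print(f"{daemon:8} from {addr:14} -> {state}")
```

Two results are the ones the thread stumbled over: with hosts.deny left empty, sshd from 192.168.0.49 is still granted, because an allow-only configuration falls through to the default of "access granted"; and with ALL: ALL in hosts.deny, a daemon whose process name is not listed in hosts.allow (ipop3d here, for a "pop3: ALL" line) is refused, which is the shape of the mail failure reported above. The daemon names to use are the ones netstat -lap prints in its PID/Program name column.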
Finally I applied these iptables rules:
iptables -A INPUT -i eth0 -p tcp --dport 22 -s 192.168.0.88 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -s 0/0 -j REJECT
and then: service iptables save
and it works well. Many thanks |
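As an added example (not code from the thread), the rules in this final post can be checked for ordering mistakes with a small first-match emulation of an INPUT chain in Python. It parses only the iptables options used in the thread (-A/-I, -i, -p, --dport, -s including the legacy "-s ! addr" negation, and -j), never touches the real firewall, and the packets and the ACCEPT default policy it tests are constructed assumptions.

```python
"""First-match emulation of an iptables INPUT chain.

Added example, not from the thread; it understands only the options used in
the posted rules and never talks to the kernel.
"""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Packet:          # constructed packet: just the fields the rules test
    iface: str
    proto: str
    dport: int
    src: str


def parse_rule(cmd):
    """Parse 'iptables -A|-I CHAIN [-i IF] [-p PROTO] [--dport N] [-s ADDR] -j TARGET'."""
    toks = shlex.split(cmd)
    rule = {"negate_src": False}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-I"):
            rule["op"], rule["chain"] = t, toks[i + 1]
            i += 2
        elif t == "-i":
            rule["iface"] = toks[i + 1]
            i += 2
        elif t == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
            i += 2
        elif t == "-s":
            if toks[i + 1] == "!":               # legacy syntax: -s ! ADDR
                rule["negate_src"] = True
                i += 1
            rule["src"] = toks[i + 1]
            i += 2
        elif t == "!":                            # current syntax: ! -s ADDR
            rule["negate_src"] = True
            i += 1
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:                                     # the word "iptables" itself
            i += 1
    return rule


def src_matches(spec, addr):
    if spec in ("0/0", "0.0.0.0/0"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule.get("iface", pkt.iface) != pkt.iface:
        return False
    if rule.get("proto", pkt.proto) != pkt.proto:
        return False
    if rule.get("dport", pkt.dport) != pkt.dport:
        return False
    if "src" in rule and src_matches(rule["src"], pkt.src) == rule["negate_src"]:
        return False                              # plain miss, or negated hit
    return True


def build_chain(commands, existing=()):
    """Apply commands in order: -A appends, -I (no position) inserts at the top."""
    chain = list(existing)
    for cmd in commands:
        rule = parse_rule(cmd)
        if rule["op"] == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def verdict(chain, pkt, policy="ACCEPT"):
    """The first matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


# The two rules from the final post, in the order they were added.
FINAL_RULES = [
    "iptables -A INPUT -i eth0 -p tcp --dport 22 -s 192.168.0.88 -j ACCEPT",
    "iptables -A INPUT -i eth0 -p tcp --dport 22 -s 0/0 -j REJECT",
]
# The single-rule form suggested earlier in the thread (legacy negation).
SINGLE_RULE = ["iptables -I INPUT -i eth0 -p tcp --dport 22 -s ! 192.168.0.88 -j REJECT"]

if __name__ == "__main__":
    chain = build_chain(FINAL_RULES)
    for src in ("192.168.0.88", "192.168.0.49"):
        print(src, verdict(chain, Packet("eth0", "tcp", 22, src)))
```

Two things the emulation makes visible that the real commands do not: appending the two rules in the opposite order rejects 192.168.0.88 as well, because the catch-all REJECT is evaluated first; and because -A appends, any rule already in the chain that accepts all eth0 traffic (for instance a blanket LAN accept, or on Red Hat the jump into RH-Firewall-1-INPUT) is matched before the new rules and makes them dead. Before trusting the rules, list the live chain with iptables -L INPUT -n --line-numbers and confirm they sit above anything broader. The -i eth0 match also means connections arriving on lo are untouched.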