Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hi all, I want to block all IPs that try to connect via putty.exe (SSH from Windows) to my server; only the IP 192.168.0.88 needs permission to connect to my server.
NOTE: I need to use iptables because I offer internet to all the PCs in my LAN.
That would only work if sshd was run from inetd/xinetd.
If sshd is a standalone daemon, do ps ax | grep sshd to find its running PID; you will need to make an iptables rule or place a restriction in /etc/ssh/sshd.conf, e.g.
or in sshd.config: AllowUsers user1 user2 user3
and make a user just for ssh, e.g. mgwkptt4@g, and use authorized keys.
This will allow you to login from anywhere and su to the root user.
See man ssh for details.
And I tested from .99 and I can enter, and tested from .49 and I can't.
It worked, but I am afraid, because I don't know if it is the right way:
I am chatting in mIRC in the Undernet redhat channel.
<jak2000> Fiver: see again please: http://www.linuxquestions.org/questi...76#post1172576
<jak2000> Fiver, now worked....
* DrAgOn0FF has quit IRC (Signed off)
<jak2000> with access.deny
<jak2000> Is it a good way? In hosts.access and hosts.deny?
<Fiver> no
<Fiver> they will not work for you
<jak2000> Fiver, it worked, why is it not a good WAY for me?
<Fiver> what version of redhat are you running?
<Fiver> recent versions, including fedora, do not run sshd from xinetd, so hosts.allow and hosts.deny are ignored for that service
* drkhero has quit IRC (Ping timeout)
<jak2000> rh 9
<Fiver> well, if it's working the way you want, that's fine, but hosts.allow and hosts.deny won't affect it
<Fiver> unless you've changed how sshd is run
peter_robb: I typed:
ps ax | grep sshd
[root@ServerGLN root]# ps ax | grep sshd
1034 ? S 0:00 /usr/sbin/sshd
10743 ? R 0:00 /usr/sbin/sshd
10811 pts/1 S 0:00 grep sshd
[root@ServerGLN root]#
Originally posted by jamiguel77: my email server does not work because in hosts.deny I have:
ALL:ALL
If I remove this line my email server works; any advice?
Of course putty can enter.... from any PC.
Thanks
First, IMO, the best way to implement what you are asking is through iptables rules. Let the script kiddies of the world attack layer 3 of your firewall (iptables), not layer 7 user applications running behind it. Unless of course, you have no choice (like an e-mail MTA).
With the above in mind... If an application is compiled with tcpwrapper support (like sendmail), then that application will check the hosts.allow/deny files to determine access rules.
With regards to the quoted text above... you added ALL:ALL to hosts.deny. Because of this, you would then need to add each service that you want to grant access to in hosts.allow. Something like:
sendmail: ALL
sshd: 192.168.9.10
Further reading should include: man hosts.allow
There are a couple of examples (mostly closed/mostly open) in this particular man page that should help you meet the goals of your post.
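The iptables approach recommended in the answer above, written out as an added example (this is not code from the thread or from any poster). It restricts new SSH sessions on tcp/22 to one management host and drops everything else before it reaches sshd, while a second function shows that the gateway's LAN forwarding and NAT live in different chains and are not affected. Interface names, the LAN subnet and the admin address are assumptions, not taken from the original post: WAN_IF=eth0, LAN_IF=eth1, LAN_NET=192.168.0.0/24, SSH_ADMIN=192.168.0.88; override them in the environment. Running with IPT=echo prints the exact rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): lock inbound SSH to one host with iptables
# on a box that also acts as the LAN's internet gateway.
# Assumed names (not in the original post): eth0 = internet side, eth1 = LAN side,
# 192.168.0.0/24 = LAN, 192.168.0.88 = the only PC allowed to open SSH sessions.
# Preview:  IPT=echo sh ssh_policy.sh apply      Apply (as root):  sh ssh_policy.sh apply

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SSH_ADMIN="${SSH_ADMIN:-192.168.0.88}"

apply_ssh_policy() {
    # A dedicated chain keeps the SSH rules separate from whatever else is in INPUT
    # and makes re-running the script safe: create it, or empty it if it exists.
    $IPT -N SSH_POLICY 2>/dev/null || $IPT -F SSH_POLICY
    # Packets of sessions that were already accepted must keep flowing.
    # (On current kernels "-m conntrack --ctstate" is the preferred spelling.)
    $IPT -A SSH_POLICY -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New sessions: only from the admin host AND only arriving on the LAN interface,
    # so a packet spoofing 192.168.0.88 from the internet side is still dropped.
    $IPT -A SSH_POLICY -i "$LAN_IF" -s "$SSH_ADMIN" -m state --state NEW -j ACCEPT
    # Everything else aimed at port 22 (PuTTY from any other PC included) is dropped
    # at layer 3; sshd never sees the connection. DROP, not REJECT, so scanners time out.
    $IPT -A SSH_POLICY -j DROP
    # Hook the chain in at position 1 of INPUT so no earlier ACCEPT rule (a distro
    # default, for example) can shadow it. Delete a previous copy first (no-op if absent).
    $IPT -D INPUT -p tcp --dport 22 -j SSH_POLICY 2>/dev/null || true
    $IPT -I INPUT 1 -p tcp --dport 22 -j SSH_POLICY
}

apply_lan_gateway() {
    # Only needed if the box is not already forwarding. It is shown to make the
    # point that the LAN's internet access is decided in FORWARD and nat/POSTROUTING,
    # so the INPUT restriction above does not touch it. net.ipv4.ip_forward must be 1.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    apply) apply_ssh_policy; apply_lan_gateway ;;
    *)     echo "usage: [IPT=echo] sh $0 apply" ;;
esac
```

After applying, check the rule order with iptables -L INPUT -n -v --line-numbers (the SSH_POLICY jump must be line 1) and then try PuTTY from a PC other than 192.168.0.88: the connection should hang and time out rather than show an SSH banner, while the allowed PC still logs in and the other PCs still browse the internet. Because the decision is made by the kernel before the packet reaches sshd, it applies regardless of what hosts.allow/hosts.deny or sshd's own config say. On Red Hat 9 the rules are lost at reboot unless saved with service iptables save.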
/etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL:ALL

/etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd: 127. 192.168.0.88
smtp: ALL
pop3: ALL
sendmail: ALL
I tried to check my email via Outlook Express and it gave me errors; I put a # in /etc/hosts.deny on the ALL:ALL line and tried to check the email again and it worked.....
Everyone please note what the hosts.allow file says - I don't think it's true that /etc/hosts.allow and hosts.deny only affect xinetd under any circumstances. The man page for tcpd says it monitors any services that have a one-to-one mapping onto executable files. Pop3 is likely not the name of the executable file that runs your email server - it is probably pop3d or any number of other things depending on which email server you are running...
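To make the point of the last two posts concrete, here is an added example (not from the thread) that re-implements the tcp_wrappers access decision for the two files posted above: hosts.allow is searched first and a match grants access, then hosts.deny is searched and a match denies, and if neither matches access is granted. It handles only a subset of the real syntax: daemon and client lists made of ALL, exact names or addresses, and address prefixes ending in a dot such as 127.; no EXCEPT, no hostnames or DNS lookups, no KNOWN/PARANOID, and the optional shell_command field is ignored. The daemon field is matched against the daemon's process name (what argv[0] is), which is why a rule for pop3 does not help a server whose binary is called pop3d, an assumed name used here for illustration. Standalone daemons built against libwrap, sshd on Red Hat of that era included, consult the same two files themselves, so the check is not limited to services started through xinetd.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal re-implementation of the
# tcp_wrappers decision so the hosts.allow/hosts.deny pair above can be tried
# offline. Subset only: ALL, exact match, and "127."-style prefixes; no EXCEPT,
# no hostnames, no KNOWN/PARANOID; a third ":shell_command" field is ignored.

# match_token TOKEN VALUE: ALL matches anything; a token ending in "." is a
# prefix; anything else must match exactly.
match_token() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# list_matches LIST VALUE: true if any comma- or space-separated token matches.
list_matches() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        match_token "$tok" "$2" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: true if some "daemon_list : client_list"
# rule in FILE matches both. Comments and lines without ':' are skipped.
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# tcpd_decide DAEMON CLIENT [ALLOW_FILE] [DENY_FILE]: prints allow or deny and
# exits 0/1, in the order tcpd uses: hosts.allow, then hosts.deny, else allow.
tcpd_decide() {
    allow=${3:-/etc/hosts.allow}; deny=${4:-/etc/hosts.deny}
    if file_matches "$allow" "$1" "$2"; then echo allow; return 0; fi
    if file_matches "$deny" "$1" "$2"; then echo deny; return 1; fi
    echo allow
}

# Constructed copies of the two files from the thread (comments omitted), and a
# few requests run through them. pop3d is an assumed daemon name for illustration.
demo_tcpd() {
    dir=$(mktemp -d)
    printf '%s\n' 'sshd: 127. 192.168.0.88' 'smtp: ALL' 'pop3: ALL' 'sendmail: ALL' > "$dir/hosts.allow"
    printf '%s\n' 'ALL:ALL' > "$dir/hosts.deny"
    for q in 'sshd 192.168.0.88' 'sshd 127.0.0.1' 'sshd 192.168.0.49' 'pop3 192.168.0.10' 'pop3d 192.168.0.10'; do
        set -- $q
        printf '%-6s from %-14s -> %s\n' "$1" "$2" \
            "$(tcpd_decide "$1" "$2" "$dir/hosts.allow" "$dir/hosts.deny" || true)"
    done
    rm -rf "$dir"
}
demo_tcpd
```

Run as-is it shows sshd allowed from 192.168.0.88 and 127.0.0.1 and denied from 192.168.0.49, and the mail case from the thread: a daemon named pop3 passes, a daemon named pop3d falls through to ALL:ALL and is denied, which is exactly the failure seen with Outlook Express. Commenting out ALL:ALL makes everything pass again, at the cost of any protection from the deny file. To find the name that must appear in hosts.allow, look at the real process name of the mail daemon (ps ax, or the server line in /etc/xinetd.d/ if it is started from xinetd) rather than the protocol name.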