/etc/hosts.allow can't verify allowed hostname

Dragons Master · 05-03-2006, 04:00 PM

Hey Folks,

I want to allow sshd on my new server only to myself and to my other server (so I could use it to ssh my server whenever i'm not on my home computer), but the server can't verify host name of my other server..

The error is:

Code:

May  3 23:56:39 air362 sshd[30833]: warning: /etc/hosts.allow, line 7: can't verify hostname: getaddrinfo(72-29-76-97.dimenoc.com, AF_INET) failed
May  3 23:56:39 air362 sshd[30833]: refused connect from ::ffff:72.29.76.97 (::ffff:72.29.76.97)

Here my hosts.deny and hosts.allow files:

/etc/hosts.deny

Code:

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

sshd : ALL

[/b]/etc/hosts.allow[/b]

Code:

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

sshd : .bezeqint.net
sshd : .server4you.net
sshd : 88.152.180.70/255.255.255.0
sshd : .dimenoc.com
sshd : 72.29.76.97/255.255.255.0

Can anyone please let me know how can I allow my other server (72.29.76.97 or 72-29-76-97.dimenoc.com) to access the new server?

thanks,
- Ben

Dragons Master · 05-03-2006, 04:06 PM

Ah never mind people I just looked around and I happened to find this /etc/hosts file - I just added there my server IP followed by it's hostname and now it seems to work just fine

thanks a lot everyone

basileus · 05-04-2006, 02:57 AM

A quick tip... I always use

ALL: ALL

in /etc/hosts.deny. That way - if I happen to have unnecessary service running no-one is not allowed to connect to them unless specified in hosts.allow. Of course I have a firewall blocking the traffic also, but just to be sure.

I'd suggest that you also configure your firewall so that it allows new connections to SSH port (22) only from the same hosts you allow in /etc/hosts.allow. I've read in Securing Debian manual that tcpwrappers (which is configured with hosts.allow / deny) is not bulletproof.

Also check "man sshd_config". I always use the "AllowUsers username_1 username_2 ..." directive for extra security. You could also use public keys with a good passphrase for extra security, but that might be an overkill

.

Dragons Master · 05-05-2006, 06:05 AM

Yeah I used ALL : ALL at first but after having trajilion problems accessing my certain services I decided to only block sshd, it's easier for me than to look for all the services I do need (named, httpd, smtpd, etc) and setting their permissions to all..

I will howeve look on the ssh_config man pages - that sounds interesting..

Thanks a bunch!
- Ben