LinuxQuestions.org

Linux - Security: ssh and /etc/hosts.all & deny (https://www.linuxquestions.org/questions/linux-security-4/ssh-and-etc-hosts-all-and-deny-282239/)

tebucky 01-25-2005 06:49 PM

ssh and /etc/hosts.all & deny
 
Hello,
I am running Fedora Core 3 and I'm having issues restricting ssh log in attempts. It is my understanding that by editing the hosts.allow file & hosts.deny I could limit what IP addresses can access ssh. Here is what I have so far

hosts.allow
sshd : 192.168.1.0/20 xxx.xxx.x.xx

hosts.deny
ALL

So my understanding of this is that it will only allow people that use ssh from my internal LAN and the one IP that is listed. Everyone else is shut off. I restart sshd and it blocks every ssh connection, even the ones on the LAN. Once I comment the lines out ssh works fine. Can anyone tell me what I am doing wrong and also provide a better method to limiting ssh?

TIA

Brian1 01-25-2005 07:18 PM

I could be wrong but I think you have the wrong subnet value here. 20 is for a class A/B value I believe. Your choices for Class C are starting with 24 for full subnet up to 255 per IP.

Are you trying for a whole class C of 192.168.1.0? Then try this.
sshd : 192.168.1.0/24
or
sshd:192.168.1. 63.21.45.2
Second part here is defining one single IP also.

Brian1
" Google the Linux way @ http://www.google.com/linux "

tebucky 01-25-2005 07:33 PM

Brian1

I have done what you suggested and it still does not prevent me from ssh'ing to the machine from a "not allowed" host. Here is what I have again in allow & deny

allow
sshd:192.168.1., xxx.xxx.xx.xx

deny
ALL

Any more suggestions?

Thanks

Brian1 01-25-2005 07:52 PM

Try ALL: ALL in your hosts.deny file.

Brian1
" Google the Linux way @ http://www.google.com/linux "
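The two points raised in the replies above (the subnet value in the hosts.allow client list, and "ALL" versus "ALL: ALL" in hosts.deny) come down to how tcp_wrappers matches a client address and evaluates the two files. The following is an added example, not tcpd's own source: a small Python model of the hosts_access(5) rules. It assumes IPv4 only and that the "net/prefixlen" form is accepted (classic tcp_wrappers 7.6 only accepts "net/m.m.m.m" for IPv4); the client addresses are constructed.

```python
# Added example (not tcpd source): a model of how tcp_wrappers, as described
# in hosts_access(5), matches a client address against hosts.allow and
# hosts.deny. Assumptions: IPv4 only; the "/prefixlen" form is accepted
# (classic tcp_wrappers 7.6 only accepts "net/m.m.m.m" for IPv4).
import ipaddress


def _tokens(field):
    # client_list / daemon_list tokens are separated by blanks or commas
    return field.replace(",", " ").split()


def parse_rule(line):
    """Parse one 'daemon_list : client_list [: options]' line.

    Returns (daemons, clients), or None for blank/comment lines and for
    lines without a ':' separator. tcpd warns about such lines and they
    never match, so a bare 'ALL' in hosts.deny denies nobody."""
    line = line.split("#", 1)[0].strip()
    if not line or ":" not in line:
        return None
    fields = line.split(":")
    return _tokens(fields[0]), _tokens(fields[1])


def client_match(pattern, client_ip):
    """Match one client_list token against a dotted-quad client address."""
    addr = int(ipaddress.IPv4Address(client_ip))
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # Leading-prefix form: "192.168.1." matches 192.168.1.0 - 192.168.1.255
        return client_ip.startswith(pattern)
    if "/" in pattern:
        net_tok, mask_tok = pattern.split("/", 1)
        net = int(ipaddress.IPv4Address(net_tok))
        if "." in mask_tok:
            mask = int(ipaddress.IPv4Address(mask_tok))
        else:
            # prefix-length form (assumption, see above)
            mask = (0xFFFFFFFF << (32 - int(mask_tok))) & 0xFFFFFFFF
        # tcpd tests (addr & mask) == net with the net token taken literally,
        # so a net token not aligned to its mask (192.168.1.0/20) never matches.
        return (addr & mask) == net
    return addr == int(ipaddress.IPv4Address(pattern))


def table_match(lines, daemon, client_ip):
    """True if any rule in one file matches this daemon and client."""
    for parsed in map(parse_rule, lines):
        if parsed is None:
            continue
        daemons, clients = parsed
        if ("ALL" in daemons or daemon in daemons) and any(
            client_match(c, client_ip) for c in clients
        ):
            return True
    return False


def decide(daemon, client_ip, allow_lines, deny_lines):
    """hosts.allow is consulted first and a match grants access; then
    hosts.deny, where a match refuses; no match in either file grants."""
    if table_match(allow_lines, daemon, client_ip):
        return "allow"
    if table_match(deny_lines, daemon, client_ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed sample clients: one on the LAN, one outside it.
    for allow in (["sshd : 192.168.1.0/20"], ["sshd : 192.168.1.0/24"]):
        for deny in (["ALL"], ["ALL : ALL"]):
            for ip in ("192.168.1.50", "10.0.0.7"):
                print(allow, deny, ip, "->", decide("sshd", ip, allow, deny))
```

Running it shows the two effects directly: with "192.168.1.0/20" the LAN client fails to match the allow rule because 192.168.1.0 is not the network address of a /20, and with a bare "ALL" in hosts.deny the outside client is still let in because the line has no daemon/client separator and is ignored, whereas "ALL : ALL" refuses it.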

tebucky 01-25-2005 08:06 PM

Brian1

That worked! Thanks.

By the way, is there a way to do this only based on username?

tebucky 01-26-2005 09:51 AM

Ok, so this config worked while I was on my LAN, but the remote IP that I have specified in /etc/hosts.allow cannot connect via ssh. Can anyone tell me what I've done wrong?

Brian1 01-26-2005 05:35 PM

Should have read the question better. But glad you have it working now.

Is there a router between the remote IP and sshd machine?
If so you will need to open a port and port forward to sshd.

Are there any firewall rules up between the same or even on the sshd machine itself?
If so need to modify to allow. May require either this one or above.

Brian1
" Google the Linux way @ http://www.google.com/linux "

tebucky 01-27-2005 02:38 PM

Brian1...

I figured out why I could not connect remotely.... somehow my machine "stalled out," thus not working. I went home, rebooted and got it up and running and it is now accepting the connection from the IP that I want it to and denying other connections! Thanks!

Q:

Is there a way to run this hosts.allow & deny simultaneously with something that will also accept a specific username no matter where I am trying to connect from? Meaning ssh will always allow username "tbrady" to be granted access no matter what IP he is connecting from?

Does this make sense?

Brian1 01-27-2005 05:23 PM

I don't think that can be done. I would edit the config in hosts.allow to allow all ip's to sshd. Edit /etc/ssh/ssh_config and add the following.

DenyUsers all
AllowUsers tebucky

Yes this will allow someone to try to login but if they fail as unknown user and password then they can not get in. If iptables is setup, it can log the attempts, but it can accumulate a lot of attempts even in one week. You can make the sshd port 22 act as a stealth port so it will not show up as an open port if someone scans your IP. Haven't done it with iptables but should be easy from what I hear. PAM might help in more security as well.

Also make sure root is not able to login to sshd. One can add a script to block IP blocks as they come if someone tries to sshd your machine but after 3 logins fail it adds a rule to iptables to block access to a whole class C range. Have done it but it's been a while. I currently do not remember how but found the info on the internet. Google around net or search here.

Read up on the man pages for ssh and pam and other files they mention. Lots of examples in them.

Brian1
" Google the Linux way @ http://www.google.com/linux "
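The question asked earlier in the thread (let "tbrady" in from anywhere, everyone else only from the LAN) and the AllowUsers/DenyUsers suggestion in the reply above both map onto sshd's user-list directives, which also accept a USER@HOST pattern. The following is an added example, not OpenSSH code: a Python model of how sshd evaluates DenyUsers and AllowUsers, assuming the directives are placed in the server's /etc/ssh/sshd_config. Simplifications, stated as assumptions: the host part of a pattern is matched only against the client's IP string (sshd also tries the resolved hostname), fnmatch stands in for sshd's own '*'/'?' matcher, and the config fragment and client addresses are constructed.

```python
# Added example (not from OpenSSH): a model of how sshd evaluates the
# DenyUsers and AllowUsers directives from sshd_config, including the
# USER@HOST pattern form. Simplifications: the host side is matched only
# against the client's IP string (sshd also tries the resolved hostname),
# and fnmatch stands in for sshd's own '*'/'?' wildcard matcher.
from fnmatch import fnmatchcase


def parse_sshd_config(text):
    """Collect the AllowUsers / DenyUsers patterns from sshd_config text."""
    lists = {"AllowUsers": [], "DenyUsers": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] in lists and len(parts) == 2:
            lists[parts[0]].extend(parts[1].split())
    return lists


def _pattern_match(pattern, user, client_ip):
    # "user@host": both halves must match; plain "user": name only
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatchcase(user, user_pat) and fnmatchcase(client_ip, host_pat)
    return fnmatchcase(user, pattern)


def sshd_user_allowed(user, client_ip, allow_users=(), deny_users=()):
    """sshd order: a DenyUsers match refuses; otherwise, if AllowUsers is
    set, the user must match one of its patterns; else access is allowed."""
    if any(_pattern_match(p, user, client_ip) for p in deny_users):
        return False
    if allow_users and not any(_pattern_match(p, user, client_ip) for p in allow_users):
        return False
    return True


# Constructed sshd_config fragment for the thread's case: "tbrady" from
# anywhere, every other account only from the 192.168.1.0/24 LAN.
SAMPLE_CONFIG = """
# constructed sample, not a real host's configuration
AllowUsers tbrady *@192.168.1.*
"""


def check(user, client_ip, config_text=SAMPLE_CONFIG):
    lists = parse_sshd_config(config_text)
    return sshd_user_allowed(user, client_ip, lists["AllowUsers"], lists["DenyUsers"])


if __name__ == "__main__":
    for user, ip in (("tbrady", "203.0.113.9"), ("alice", "203.0.113.9"),
                     ("alice", "192.168.1.20")):
        print(user, ip, "->", "allowed" if check(user, ip) else "refused")
```

Because AllowUsers is evaluated inside sshd after the tcp_wrappers check, it can sit alongside a hosts.allow that admits sshd from all addresses; the user-list directives then decide per account and source. A DenyUsers pattern is checked first, so it can carve an exception out of an AllowUsers grant.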
