From owner-freebsd-security@FreeBSD.ORG Sat Sep 25 20:38:44 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 63C0F16A4CE for ; Sat, 25 Sep 2004 20:38:44 +0000 (GMT) Received: from mail08.syd.optusnet.com.au (mail08.syd.optusnet.com.au [211.29.132.189]) by mx1.FreeBSD.org (Postfix) with ESMTP id C86E043D1F for ; Sat, 25 Sep 2004 20:38:43 +0000 (GMT) (envelope-from PeterJeremy@optushome.com.au) Received: from cirb503493.alcatel.com.au (c211-30-75-229.belrs2.nsw.optusnet.com.au [211.30.75.229]) i8PKcYiJ019499 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Sun, 26 Sep 2004 06:38:36 +1000 Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])i8PKcYxP008987; Sun, 26 Sep 2004 06:38:34 +1000 (EST) (envelope-from pjeremy@cirb503493.alcatel.com.au) Received: (from pjeremy@localhost)i8PKcXeE008986; Sun, 26 Sep 2004 06:38:33 +1000 (EST) (envelope-from pjeremy) Date: Sun, 26 Sep 2004 06:38:33 +1000 From: Peter Jeremy To: Derek Ragona Message-ID: <20040925203833.GG83620@cirb503493.alcatel.com.au> References: <6.0.0.22.2.20040924082209.01f44ae0@mail.computinginnovations.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6.0.0.22.2.20040924082209.01f44ae0@mail.computinginnovations.com> User-Agent: Mutt/1.4.2i cc: freebsd-security@freebsd.org Subject: Re: sshd security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Sep 2004 20:38:44 -0000 On Fri, 2004-Sep-24 08:22:12 -0500, Derek Ragona wrote: >I tried to implement a similar scheme in my hosts.allow on a FreeBSD 5.2.1 >server. But when I try to test it from an IP outside my LAN, it still >allows ssh logins. I even put in a line in hosts.allow to explicitly deny >the IP I was ssh'ing from, but it still let me in. The behavior gives the >appearance that TCP wrappers are not enabled, and thus the /etc/hosts.allow >file is ignored. > >Is there something I need to do to enable the wrappers in sshd? I saw that >there is a compile option for the portable source from openssh.org, so I >wonder if there is some compile option that needs to be enabled in >make.conf? Depending on how TCP wrappers are integrated into SSH, one possibility is that you need /var/empty/etc/hosts.{allow,deny} -- Peter Jeremy