From owner-freebsd-questions@FreeBSD.ORG Sun Mar 19 17:45:39 2006
From: Wes Santee <wsantee@gmail.com>
Date: Sun, 19 Mar 2006 09:44:55 -0800
To: freebsd@orchid.homeunix.org
Cc: freebsd-questions@freebsd.org
Subject: Re: hosts.allow ?
Message-ID: <441D9897.7050409@gmail.com>
In-Reply-To: <441D8695.2000005@orchid.homeunix.org>
References: <441CA1F9.20301@chrismaness.com> <5ceb5d550603190128q5f3e46c3o84e4b45236df0883@mail.gmail.com> <441D71FE.2070003@chrismaness.com> <200603191032.21530.gerard@seibercom.net> <441D8695.2000005@orchid.homeunix.org>
User-Agent: Thunderbird 1.5 (Windows/20051201)
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset=ISO-8859-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Karol Kwiatkowski wrote:
> Gerard Seibert wrote:
>> Chris Maness wrote:
>>
>>> Also, sshd can't be started in rc.conf, it has to be started in
>>> inetd.conf. Make sure you do a /etc/rc.d/inetd restart after you
>>> make changes.
>> Just out of curiosity, why can 'sshd' not be started from the
>> '/etc/rc.conf' file?
>
> Because Chris wants to limit sshd's connections with the 'hosts.allow'
> thing. Correct me if I'm wrong, but my understanding is that inetd will
> start the ssh daemon every time a new connection is made, and that's why
> it's not recommended (as written in the default hosts.allow file). The
> alternative is running sshd as a daemon and limiting connections with,
> say, pf's overload, max-src-conn and max-src-conn-rate.

I'm not sure this is correct. If you read sshd(8), you'll see in the FILES
section that sshd will read /etc/hosts.allow and /etc/hosts.deny on its own
(i.e. it's compiled/linked with libwrap). Looking at
/usr/src/crypto/openssh/Makefile.in for the sshd target verifies this.

That's not to say that some work on sshd isn't required to get it to work
outside of inetd.conf. After hosts.allow is updated, you may need to send a
persistent sshd daemon a HUP to re-read its config files, or something along
those lines. I'm not familiar with whether the functions in libwrap
automatically detect changes to the hosts.allow file, or whether it is read
only when the initialization routines in the library are called.
Cheers,
- -Wes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iQIVAwUBRB2Ykorq8W17hxGfAQhLbQ//YUH/5DRkecpzl/EwJvwjv0n7N5T3+wU9
u4nzk8We4RGvChcdic5lIbFZxzZbdPQnm9iICAkqgrwC120yTukyD8eb33Awmrdc
CO6FvXnJegvFmf14QONiQRpKj9W6T7RSUq/vhcJJytWSbsYY75JLM7ZEntxp77c6
qQuIYxMpWkopr97xKTw2rGHQbsKW4LxI4ES7U8iAN208F71f9JcFQVB4KiTMdnxD
BdZ+XFHATvHX9OlUTuNE18XP5DrqTJ0n1jPlSH3JuhknaVt+WOVEcG7Zpmewgy+w
GoZJzNJU5+3uLHVUE3APqbQFaBcIZz4VRYVsW0cYWnluQwJcFNF7xwojApvNbGQ+
ojByLHx1Zo3lWdH50us6Cvddrep5iFF03xNpNDxHKDyIq9QopF00uYGCNBU/j238
B/pEj4XlBgduBUsiL7lgegGi95i2XvfIUSJuVQ2gHdvG+DWiFKpMVhumM5E6gj0G
JvKwsfnlBtjzdQ7IeDMrMb0Hlb1x2j4yy7S5xskM/NRcm3dkkVU9kNL9Dwxh5gS0
kA/Sm83hSNaT/Lc11Tqmd2GbQc9jFKhI7l5SM0Camc6ibRK6V2zlMMWWMfT1midQ
qw3gYqXqJ3bxLp5ekvfStbJUG760ILABalytPIDDzK+jfnBRgH7tVBx+Gc2yHest
ayn1YC28zig=
=TMQo
-----END PGP SIGNATURE-----
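An added example, not part of the thread and not code from FreeBSD or OpenSSH: a small Python model of the decision libwrap's hosts_access() makes for a wrapped daemon such as sshd, run over constructed hosts.allow tables. Two points it makes concrete. First, rules are evaluated first-match-wins, so a catch-all `ALL : ALL : allow` placed above the sshd rules (the stock FreeBSD hosts.allow opens with such a line, which you must remove or move below your restrictions) silently disables them. Second, on the open question in the message: libwrap opens /etc/hosts.allow and /etc/hosts.deny afresh on every hosts_access() call, and a libwrap-enabled sshd calls it for each accepted connection, so an edited table takes effect at the next connection with no HUP; `demo_reread()` models that by re-reading the file per check. The addresses (RFC 5737 documentation ranges), hostnames and tables are constructed for the example. One caveat to check before relying on any of this: upstream OpenSSH removed libwrap support in 6.7, so confirm the sshd you run is still linked against it (for example `ldd /usr/sbin/sshd | grep wrap`).

```python
"""Added example (not from the thread): a model of how libwrap decides a
connection from /etc/hosts.allow and /etc/hosts.deny for a wrapped daemon
such as sshd.  Handles ALL, LOCAL, KNOWN, UNKNOWN, '.domain', 'net.',
net/mask, exact patterns and EXCEPT; netgroups and user@host are omitted."""
import ipaddress
import os
import re
import tempfile

def _tokens(field):
    """A tcp_wrappers list is separated by blanks and/or commas."""
    return [t for t in re.split(r"[\s,]+", field.strip()) if t]

def _match_list(tokens, matches):
    """'a b EXCEPT c EXCEPT d' matches when (a or b) and not (c and not d):
    EXCEPT splits at its first occurrence and the right-hand side nests."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return _match_list(tokens[:i], matches) and not _match_list(tokens[i + 1:], matches)
    return any(matches(tok) for tok in tokens)

def _client_matches(pattern, ip, host):
    """One client pattern against the peer address and its (maybe empty) name."""
    p = pattern.upper()
    if p == "ALL":
        return True
    if p == "LOCAL":                 # a name without a dot
        return bool(host) and "." not in host
    if p in ("KNOWN", "UNKNOWN"):
        return bool(host) == (p == "KNOWN")
    if pattern.startswith("."):      # '.corp.example' matches hosts in that domain
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):        # '192.0.2.' matches addresses with that prefix
        return ip.startswith(pattern)
    if "/" in pattern:               # net/mask with a dotted mask or a prefix length
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == ip or pattern.lower() == host.lower()

def parse_rules(text):
    """Yield (daemon_tokens, client_tokens, options) per rule; '#' comments,
    blank lines and backslash continuations are handled as libwrap does."""
    for line in text.replace("\\\n", "").splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2:          # blank or malformed line: skipped
            continue
        yield _tokens(fields[0]), _tokens(fields[1]), [o.lower() for o in fields[2:]]

def hosts_access(daemon, ip, host, allow_text, deny_text=""):
    """True if granted.  hosts.allow is searched first, then hosts.deny; the
    first rule whose daemon and client lists both match decides (FreeBSD's
    extended syntax lets a third field of 'allow' or 'deny' override the
    file's default), and no match in either file grants access."""
    def daemon_ok(tok):
        return tok.upper() == "ALL" or tok == daemon
    for table, default in ((allow_text, True), (deny_text, False)):
        for daemons, clients, options in parse_rules(table):
            if _match_list(daemons, daemon_ok) and \
               _match_list(clients, lambda t: _client_matches(t, ip, host)):
                if "deny" in options:
                    return False
                return True if "allow" in options else default
    return True

# Constructed sample tables (not any real system's files).  They differ only in
# rule order: with the catch-all first, the sshd rules below it are never reached.
ALLOW_OK = """\
sshd : 192.0.2.0/255.255.255.0, .corp.example : allow
sshd : ALL EXCEPT 198.51.100.7 : deny
ALL  : ALL : allow
"""
ALLOW_SHADOWED = "ALL  : ALL : allow\n" + ALLOW_OK

def demo_rule_order():
    """Decision for an outside address under both tables -> (False, True)."""
    args = ("sshd", "203.0.113.9", "")
    return hosts_access(*args, ALLOW_OK), hosts_access(*args, ALLOW_SHADOWED)

def demo_reread():
    """libwrap's hosts_access() opens the tables on every call, so a running
    sshd sees an edited hosts.allow at the next connection with no HUP; this
    models it by reading the file for each check -> (True, False, True)."""
    def check(path, ip):
        with open(path) as fh:           # re-read per connection, like libwrap
            return hosts_access("sshd", ip, "", fh.read())
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w") as fh:
            fh.write("sshd : ALL : allow\n")
        before = check(path, "203.0.113.9")
        with open(path, "w") as fh:      # the admin edits the file, sends no signal
            fh.write("sshd : 192.0.2.0/24 : allow\nsshd : ALL : deny\n")
        return before, check(path, "203.0.113.9"), check(path, "192.0.2.15")
    finally:
        os.unlink(path)
```

Hostname patterns are only as trustworthy as the reverse lookup libwrap performs on the peer address; the model takes the name as given, so prefer address and network patterns for anything security-relevant, and keep the pf rate-limiting mentioned in the thread as the defence against connection floods, which hosts.allow does not address.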