From: John Reynolds
Date: Sat, 6 Jan 2001 00:32:33 -0700
To: questions@freebsd.org
Subject: /etc/hosts.allow -- sshd a "bad idea"? Why?
Message-ID: <14934.51729.912996.493818@whale.home-net>

Hello all,

I was experimenting with /etc/hosts.allow tonight, learning how to shut the world out of some services while keeping certain things open to certain "friendly" domains. I thought I'd had everything all set up and working the way I wanted to, then I tried to ssh into the box I was experimenting on from my main workstation. I got this:

    Bad remote protocol version identification: 'You are not welcome to use sshd from whale.
    '

which stems from the "default" line near the bottom of /etc/hosts.allow which I left intact:

    # The rest of the daemons are protected.
    ALL : ALL \
            : severity auth.info \
            : twist /bin/echo "You are not welcome to use %d from %h."
I saw the lines which read:

    # Wrapping sshd(8) is not normally a good idea, but if you
    # need to do it, here's how
    #sshd : .evil.cracker.example.com : deny

but not knowing exactly what to do (since I run sshd as a daemon, not via inetd--or at least I thought) I put in the line:

    sshd : ALL : allow

and I was then able to ssh into this machine (from inside my network and outside).

Why is this "not normally a good idea"? It seems as if I've had it working this way "forever" on this machine because until tonight I've had the default /etc/hosts.allow installed, which contains the ALL : ALL : allow rule.

Can somebody shed some light on this?

Thanks,
-Jr

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
John Reynolds                 Chandler Capabilities Engineering, CDS, Intel Corporation
jreynold@sedona.ch.intel.com  My opinions are mine, not Intel's.
jjreynold@home.com            Running FreeBSD 4.1.1-STABLE. FreeBSD: The Power to Serve.
http://www.reynoldsnet.org/   Come join us!!! @ http://www.FreeBSD.org/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=