Date: Fri, 19 May 2006 21:58:24 -0500 From: Eric Schuele <e.schuele@computer.org> To: jekillen <jekillen@prodigy.net> Cc: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: hosts.allow and ssh problem Message-ID: <446E85D0.9060804@computer.org> In-Reply-To: <6b8ab79d578aec086fb10590dee29616@prodigy.net> References: <6b8ab79d578aec086fb10590dee29616@prodigy.net>
jekillen wrote:
> Hello all;
> I am trying to deny ftp access to my web site from outside. I have two
> nics on the server and access it from the inside network via one and
> serve to the public on the other.
> I tried to write a rule in hosts.allow to deny ftp connections to the
> public ip address, which has worked. But a side effect is that I can now
> not connect from local machines via ssh. I reverted back to
> 'ALL : all ; allow' to confirm that that was indeed why ssh started
> refusing connections, as it now will accept connections. I even ssh'd to
> one machine and, while in that shell, ssh'd to the server and got in to
> the server via another machine on the local network.
> I am concerned because I have had repeated attempts to login to the
> server over ftp from outside. I do all the development and posting from
> the local network so there is no reason whatsoever for anyone from the
> outside to get ftp access to my site.
> How can I do this in hosts.allow?
> A few nights ago I noticed odd activity on the router (leds going
> bananas) so I did tcpdump on the server and saw a great deal of ftp
> activity that didn't look right, from foreign addresses. I shut the web
> server and the secondary dns server down while I dug through Absolute
> FreeBSD to get some direction.
> I can live with ssh refusing local connections but I don't think it
> should be that way.
> Thanks in advance;
> JK
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Default to denying everything... and then add rules to allow the few you
would like to have access. Here is a snippet from my hosts.allow.
sshd : A.B.C.D : allow
sshd : SomeHostName : allow
sshd : D.E.F.0/255.255.255.0 : allow
sshd : H.I.J.0/255.255.255.0 : allow
sshd : ALL : deny

sendmail : localhost : allow
sendmail : ALL : deny

cupsd : localhost : allow
cupsd : ALL : deny

# ftpd does not have tcpwrappers :(
# must run via inetd context
ftpd : localhost : allow
ftpd : A.B.C.D : allow
ftpd : ALL : deny

# DENY DENY DENY
ALL : ALL : deny

Replace alpha chars with appropriate ip addresses. See 'man hosts.allow'.

Note that a firewall would be quite helpful as well. But that's another post.

HTH,
-- 
Regards,
Eric
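The reply's rule set works because tcp_wrappers stops at the first (daemon, client) entry that matches, and a pair that matches nothing is granted access, which is why the catch-all `ALL : ALL : deny` has to come last and the `sshd` allow lines have to come before `sshd : ALL : deny`. The script below is an added example, not code from this thread or from FreeBSD: it is a small offline evaluator of that first-match logic, fed a constructed rule set laid out like the one above (documentation addresses and a made-up hostname, `buildbox.example.net`, stand in for the letters), so a hosts.allow can be sanity-checked before it locks you out of ssh. It models only the syntax the reply uses (`ALL`, `localhost`, single addresses, `net/mask`, hostnames, plus the `192.0.2.` prefix and `.example.net` suffix forms from hosts_access(5)); `EXCEPT` lists and `daemon@host` are not handled.

```python
"""Offline check of FreeBSD-style /etc/hosts.allow rules (added example).

Models the first-match semantics of hosts_access(5): the first entry whose
daemon list and client list both match decides, and a (daemon, client)
pair that matches no entry is allowed.  Addresses and hostnames below are
constructed from documentation ranges, not the poster's real ones.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    action: str        # "allow" or "deny"
    lineno: int        # first line of the entry in the file


def parse_hosts_allow(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: allow|deny]' entries.

    Strips '#' comments, joins backslash-continued lines, and treats an
    entry without an explicit option as 'allow' (a match in hosts.allow
    grants access unless a deny option says otherwise).
    """
    rules: List[Rule] = []
    logical, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not logical:
            start = n
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        fields = [f.strip() for f in (logical + line).split(":")]
        logical = ""
        if len(fields) < 2 or not fields[0]:
            continue
        action = "allow"
        if len(fields) > 2 and fields[2].lower() in ("allow", "deny"):
            action = fields[2].lower()
        rules.append(Rule(fields[0].split(), fields[1].split(), action, start))
    return rules


def _client_matches(pattern: str, addr: str, host: Optional[str]) -> bool:
    """Match one client pattern against the peer address / resolved name."""
    p = pattern.lower()
    h = (host or "").lower()
    if p == "all":
        return True
    if p == "localhost":
        return addr.startswith("127.") or h == "localhost"
    if "/" in p:                      # net/mask or net/prefixlen
        return ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
    if p.endswith("."):               # address prefix, e.g. 192.0.2.
        return addr.startswith(p)
    if re.fullmatch(r"[0-9.]+", p):   # a single address
        return addr == p
    if p.startswith("."):             # domain suffix, e.g. .example.net
        return bool(h) and h.endswith(p)
    return bool(h) and h == p         # exact host name


def check(rules: List[Rule], daemon: str, addr: str,
          host: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """Return (action, matching line number); ('allow', None) if nothing matched."""
    for r in rules:
        if not any(d.lower() in ("all", daemon.lower()) for d in r.daemons):
            continue
        if any(_client_matches(c, addr, host) for c in r.clients):
            return r.action, r.lineno
    return "allow", None


# Constructed rule set laid out like the reply above (documentation addresses).
SAMPLE = """\
sshd     : 192.0.2.10              : allow
sshd     : buildbox.example.net    : allow
sshd     : 192.0.2.0/255.255.255.0 : allow
sshd     : 10.9.8.0/255.255.255.0  : allow
sshd     : ALL                     : deny
sendmail : localhost : allow
sendmail : ALL       : deny
# ftpd has no tcpwrappers of its own, so this only bites when it runs from inetd
ftpd     : localhost  : allow
ftpd     : 192.0.2.10 : allow
ftpd     : ALL        : deny
# DENY DENY DENY
ALL      : ALL        : deny
"""

# Same entries with the catch-all moved first: everything is now refused,
# because the search stops at the first match.
MISORDERED = "ALL : ALL : deny\n" + SAMPLE


def decide(config: str, daemon: str, addr: str, host: Optional[str] = None):
    return check(parse_hosts_allow(config), daemon, addr, host)


if __name__ == "__main__":
    for cfg_name, cfg in (("SAMPLE", SAMPLE), ("MISORDERED", MISORDERED)):
        for d, a, h in (("sshd", "192.0.2.25", None),
                        ("sshd", "203.0.113.7", None),
                        ("ftpd", "203.0.113.7", None),
                        ("sshd", "198.51.100.4", "buildbox.example.net")):
            print(cfg_name, d, a, h or "-", "->", decide(cfg, d, a, h))
```

Two caveats the script makes visible: the trailing `ALL : ALL : deny` also refuses any wrapped daemon you forgot to list (an `httpd` lookup hits line 13 here), and none of this applies to a daemon that never consults the wrapper library, which is the reply's point about ftpd needing to run from inetd. On the box itself, tcpdmatch(8) answers the same question against the live files (for example `tcpdmatch sshd 192.0.2.25`), and tcpdchk(8) reports syntax problems.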