From owner-freebsd-questions@FreeBSD.ORG Sat May 20 02:58:26 2006
From: Eric Schuele
Date: Fri, 19 May 2006 21:58:24 -0500
To: jekillen
Cc: freebsd-questions
Subject: Re: hosts.allow and ssh problem
Message-ID: <446E85D0.9060804@computer.org>
In-Reply-To: <6b8ab79d578aec086fb10590dee29616@prodigy.net>
References: <6b8ab79d578aec086fb10590dee29616@prodigy.net>

jekillen wrote:
> Hello all;
> I am trying to deny ftp access to my web site from outside. I have two
> NICs on the server and access it from the inside network via one and
> serve to the public on the other.
> I tried to write a rule in hosts.allow to deny ftp connections to the
> public ip address which has worked. But a side effect is that I can now
> not connect from local machines via ssh.
> I reverted back to 'ALL : all ; allow' to confirm that that was indeed
> why ssh started refusing connections, as it now will accept
> connections. I even ssh'd to one machine and while in that shell, ssh'd
> to the server and got in to the server via another machine on the local
> network.
> I am concerned because I have had repeated attempts to login to the
> server over ftp from outside. I do all the development and posting from
> the local network so there is no reason whatsoever for anyone from the
> outside to get ftp access to my site.
> How can I do this in hosts.allow?
> A few nights ago I noticed odd activity on the router (leds going
> bananas) so I did tcpdump on the server and saw a great deal of ftp
> activity that didn't look right, from foreign addresses. I shut the web
> server and the secondary dns server down while I dug through Absolute
> FreeBSD to get some direction.
> I can live with ssh refusing local connections but I don't think it
> should be that way.
> Thanks in advance;
> JK

Default to denying everything... and then add rules to allow the few you
would like to have access. Here is a snippet from my hosts.allow:

# rules are checked top to bottom; the first match wins
sshd : A.B.C.D : allow
sshd : SomeHostName : allow
sshd : D.E.F.0/255.255.255.0 : allow
sshd : H.I.J.0/255.255.255.0 : allow
sshd : ALL : deny

sendmail : localhost : allow
sendmail : ALL : deny

cupsd : localhost : allow
cupsd : ALL : deny

# ftpd does not have tcpwrappers :(
# must run via inetd context
ftpd : localhost : allow
ftpd : A.B.C.D : allow
ftpd : ALL : deny

# DENY DENY DENY
ALL : ALL : deny

Replace the alpha chars with the appropriate IP addresses. See 'man hosts.allow'.

Note that a firewall would be quite helpful as well. But that's another post.

HTH,

-- 
Regards,
Eric
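To see which rule actually fires for a given daemon and client (on a real FreeBSD box tcpdmatch(8) does this against the live file), here is an added Python sketch, not from this thread, that applies hosts_access(5) first-match semantics to a constructed ruleset in the style of the snippet above; the RFC 5737 test networks 192.0.2.0/24 and 198.51.100.0/24 stand in for the A.B.C.D and D.E.F.0 placeholders, and EXCEPT and netgroup patterns are not handled:

```python
import ipaddress
# Constructed ruleset in the style of Eric's snippet. RFC 5737 test networks
# 192.0.2.0/24 and 198.51.100.0/24 stand in for his A.B.C.D and D.E.F.0.
RULES_TEXT = """
sshd : 192.0.2.10 : allow
sshd : 198.51.100.0/255.255.255.0 : allow
sshd : ALL : deny
ftpd : localhost : allow
ftpd : ALL : deny
# DENY DENY DENY
ALL : ALL : deny
"""

def parse_rules(text):
    """Return [(daemon_list, client_list, option)] from 'a : b : c' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        daemons, clients, option = (f.strip() for f in line.split(":", 2))
        rules.append((daemons.split(), clients.split(), option.lower()))
    return rules

def client_matches(pattern, addr, host):
    """Subset of hosts_access(5) client patterns (no EXCEPT, no @netgroup)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                                # net/mask, as in the snippet
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):                       # .example.org: hostname suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                         # 192.0.2.: address prefix
        return addr.startswith(pattern)
    return pattern in (addr, host)                    # exact address or hostname

def decide(rules, daemon, addr, host):
    """First matching rule wins; with no match at all, tcp_wrappers grants access."""
    for index, (daemons, clients, option) in enumerate(rules):
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(p, addr, host) for p in clients):
                return option, index                  # index = which rule fired
    return "allow", None

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    print(decide(rules, "sshd", "198.51.100.7", "devbox"))      # ('allow', 1): LAN ssh
    print(decide(rules, "ftpd", "203.0.113.9", "203.0.113.9"))  # ('deny', 4): outside ftp
    # A catch-all deny placed above the sshd rules shadows them and locks out the LAN.
    print(decide(rules[-1:] + rules[:-1], "sshd", "198.51.100.7", "devbox"))  # ('deny', 0)
```

The last call shows the failure mode from the question: a deny rule that sits above, or is broad enough to cover, the ssh allow rules takes precedence, so the LAN loses ssh even though the intent was only to block ftp.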