From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 13:22:12 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 92C2716A4CE for ; Fri, 24 Sep 2004 13:22:12 +0000 (GMT) Received: from betty.computinginnovations.com (dsl081-142-072.chi1.dsl.speakeasy.net [64.81.142.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id AABF043D60 for ; Fri, 24 Sep 2004 13:22:11 +0000 (GMT) (envelope-from derek@computinginnovations.com) Received: from p17.computinginnovations.com (dhcp-10-20-30-100.computinginnovations.com [10.20.30.100]) (authenticated bits=0)i8ODM4b2091991; Fri, 24 Sep 2004 08:22:05 -0500 (CDT) Message-Id: <6.0.0.22.2.20040924082209.01f44ae0@mail.computinginnovations.com> X-Sender: derek@mail.computinginnovations.com X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Fri, 24 Sep 2004 08:22:12 -0500 To: terry@mrtux.co.uk, freebsd-security@freebsd.org From: Derek Ragona Mime-Version: 1.0 X-ComputingInnovations-MailScanner-Information: Please contact the ISP for more information X-ComputingInnovations-MailScanner: Found to be clean Content-Type: text/plain; charset="us-ascii"; format=flowed X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: Re:sshd security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Sep 2004 13:22:12 -0000 I tried to implement a similar scheme in my hosts.allow on a FreeBSD 5.2.1 server. But when I try to test it from an IP outside my LAN, it still allows ssh logins. I even put in a line in hosts.allow to explicitly deny the IP I was ssh'ing from, but it still let me in. The behavior gives the appearance that TCP wrappers are not enabled, and thus the /etc/hosts.allow file is ignored. Is there something I need to do to enable the wrappers in sshd? I saw that there is a compile option for the portable source from openssh.org, so I wonder if there is some compile option that needs to be enabled in make.conf? I have gone through the documentation for sshd_config, sshd, make.conf, etc. but am not finding anything to change. -Derek At 07:37 AM 9/19/2004, Terry wrote: >I had the same problem so i setup up hosts.allow to only allow access from >certain ips i require >This has the affect of killing the connection from any other ip befor >gettign to any login prompt >example below >sshd : localhost : allow >sshd : 192.168.2. : allow >sshd : 82.41.115.213 :allow >sshd : 216.123.248.219 : allow <-- public ip i wish to allow of course i >have changed it >sshd : all : deny > >This then shows in log instead of failed login attempts > >dot.blah.co.uk refused connections: >Sep 17 22:11:55 dlt sshd[35669]: refused connect from >usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21) > >Regards Terry > > >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"