From: Terry <terry@mrtux.co.uk>
To: freebsd-security@freebsd.org
Date: Fri, 24 Sep 2004 21:50:51 +0100
Subject: Re: ssh security
Message-ID: <415488AB.2060803@mrtux.co.uk>
In-Reply-To: <20040923120103.5DD3116A517@hub.freebsd.org>

Derek Ragona wrote:
>> I tried to implement a similar scheme in my hosts.allow on a FreeBSD
>> 5.2.1 server. But when I try to test it from an IP outside my LAN, it
>> still allows ssh logins. I even put in a line in hosts.allow to
>> explicitly deny the IP I was ssh'ing from, but it still let me in.
>> The behavior gives the appearance that TCP wrappers are not enabled,
>> and thus the /etc/hosts.allow file is ignored.
>>
>> Is there something I need to do to enable the wrappers in sshd? I saw
>> that there is a compile option for the portable source from
>> openssh.org, so I wonder if there is some compile option that needs to
>> be enabled in make.conf?
>>
>> I have gone through the documentation for sshd_config, sshd,
>> make.conf, etc. but am not finding anything to change.
>>
>> -Derek
>>
>> At 07:37 AM 9/19/2004, Terry wrote:
>>>> I had the same problem, so I set up hosts.allow to only allow access
>>>> from certain IPs I require.
>>>> This has the effect of killing the connection from any other IP before
>>>> getting to any login prompt.
>>>> Example below:
>>>>
>>>> sshd : localhost : allow
>>>> sshd : 192.168.2. : allow
>>>> sshd : 82.41.115.213 : allow
>>>> sshd : 216.123.248.219 : allow   <-- public IP I wish to allow; of course I have changed it
>>>> sshd : all : deny
>>>>
>>>> This then shows in the log instead of failed login attempts:
>>>>
>>>> dot.blah.co.uk refused connections:
>>>> Sep 17 22:11:55 dlt sshd[35669]: refused connect from
>>>> usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)
>>>>
>>>> Regards, Terry

I read somewhere that the order is important. Have you tried exactly as I posted, only changing the IPs to fit your setup? My FreeBSD version is 4.10 and I made no other changes; I think TCP wrappers are default.

Terry
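The "order is important" point above is easiest to see with a small first-match simulator. This is an added example, not code from the thread or from tcpd; it implements only the subset of hosts.allow pattern syntax the posted rules use (ALL, localhost, a dotted-prefix like "192.168.2.", and a full address), and the MISORDERED rule set is a constructed illustration of a deny that can never fire.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Rule:
    daemon: str
    client: str
    action: str  # "allow" or "deny"

def parse_rules(text: str) -> list[Rule]:
    """Parse 'daemon : client : action' lines; blanks and # comments ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, client, action = (f.strip() for f in line.split(":", 2))
        rules.append(Rule(daemon.lower(), client.lower(), action.lower()))
    return rules

def client_matches(pattern: str, addr: str) -> bool:
    """Simplified tcpd client matching (no netmasks, EXCEPT or hostnames)."""
    if pattern == "all":
        return True
    if pattern == "localhost":
        return addr == "127.0.0.1"
    if pattern.endswith("."):        # dotted prefix such as "192.168.2."
        return addr.startswith(pattern)
    return addr == pattern

def decide(rules: list[Rule], daemon: str, addr: str) -> str:
    """First matching rule wins; tcpd allows when nothing matches at all."""
    for r in rules:
        if r.daemon in ("all", daemon) and client_matches(r.client, addr):
            return r.action
    return "allow"

# The rules Terry posted (the 216.x address is the one he said he changed)
TERRY_RULES = parse_rules("""
sshd : localhost : allow
sshd : 192.168.2. : allow
sshd : 82.41.115.213 : allow
sshd : 216.123.248.219 : allow
sshd : all : deny
""")

# Constructed mis-ordered variant: the explicit deny sits behind a broad allow
MISORDERED = parse_rules("""
sshd : all : allow
sshd : 219.113.213.21 : deny
""")
```

With Terry's ordering the logged 219.113.213.21 connection is refused; in the mis-ordered set the same deny line is unreachable, which is the symptom Derek describes.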