Date:      Fri, 24 Sep 2004 17:02:27 -0500
From:      Derek Ragona <derek@computinginnovations.com>
To:        Terry <terry@mrtux.co.uk>, freebsd-security@freebsd.org
Subject:   Re: ssh security
Message-ID:  <6.0.0.22.2.20040924165856.01f551f0@mail.computinginnovations.com>
In-Reply-To: <415488AB.2060803@mrtux.co.uk>
References:  <20040923120103.5DD3116A517@hub.freebsd.org> <415488AB.2060803@mrtux.co.uk>

At 03:50 PM 9/24/2004, Terry wrote:
>Derek Ragona wrote:
>
>
>>>I tried to implement a similar scheme in my hosts.allow on a FreeBSD 
>>>5.2.1 server.  But when I try to test it from an IP outside my LAN, it 
>>>still allows ssh logins.  I even put in a line in hosts.allow to 
>>>explicitly deny the IP I was ssh'ing from, but it still let me in.
>>>The behavior gives the appearance that TCP wrappers are not enabled, 
>>>and thus the /etc/hosts.allow file is ignored.
>>>
>>>Is there something I need to do to enable the wrappers in sshd?  I saw 
>>>that there is a compile option for the portable source from openssh.org, 
>>>so I wonder if there is some compile option that needs to be enabled in 
>>>make.conf?
>>>I have gone through the documentation for sshd_config, sshd, make.conf, 
>>>etc. but am not finding anything to change.
>>>
>>>         -Derek
>>>
>>>
>>>
>>>At 07:37 AM 9/19/2004, Terry wrote:
>>
>>
>>>>>I had the same problem so I set up hosts.allow to only allow access 
>>>>>from certain IPs I require.
>>>>>This has the effect of killing the connection from any other IP before 
>>>>>getting to any login prompt.
>>>>>Example below:
>>>>>sshd : localhost : allow
>>>>>sshd : 192.168.2. : allow
>>>>>sshd : 82.41.115.213 : allow
>>>>>sshd : 216.123.248.219 : allow  <-- public IP I wish to allow; of 
>>>>>course I have changed it
>>>>>sshd : all : deny
>>>>>
>>>>>This then shows in the log instead of failed login attempts:
>>>>>
>>>>>dot.blah.co.uk refused connections:
>>>>>Sep 17 22:11:55 dlt sshd[35669]: refused connect from 
>>>>>usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)
>>>>>
>>>>>Regards, Terry
>>>>>
>>>
>I read somewhere that the order is important; have you tried exactly as I 
>posted, only changing the IPs to fit your setup?
>My FreeBSD version is 4.10 and I made no other changes; I think TCP 
>wrappers are default.
>Terry

Terry,

I cut and pasted the lines as you had them, and just changed the IPs.  I 
had one less line originally where your public address line is, then added 
a line to explicitly deny the one address I was testing from.

I do have a 4.10 server I will try this on as well.  Thanks for the reply.

         -Derek





>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
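To make Terry's point about line order concrete, here is a small POSIX sh evaluator (an added example, not part of the thread) that applies the first-match-wins rule of hosts_access(5) to the rules Terry posted; the function name `hosts_access` is my own and the addresses are the placeholders from the thread.

```shell
#!/bin/sh
# Constructed copy of the hosts.allow rules from the thread, in FreeBSD's
# combined allow/deny format (the public addresses are placeholders).
RULES='sshd : localhost : allow
sshd : 192.168.2. : allow
sshd : 82.41.115.213 : allow
sshd : 216.123.248.219 : allow
sshd : all : deny'

# hosts_access DAEMON CLIENT_IP
# Mimics the hosts_access(5) decision: scan the rules top to bottom and
# stop at the FIRST line whose daemon and client fields both match, so
# the order of the lines decides the outcome. A client pattern ending in
# "." is a network prefix, "all" matches any client, "localhost" matches
# only the loopback address. If no line matches at all, TCP wrappers grant
# access, which is why the final "sshd : all : deny" line is essential.
hosts_access() {
    daemon=$1
    client=$2
    while IFS= read -r line; do
        d=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        pat=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' ')
        verdict=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' ')
        [ "$d" = "$daemon" ] || [ "$d" = "all" ] || [ "$d" = "ALL" ] || continue
        match=0
        case $pat in
            all|ALL) match=1 ;;
            localhost) if [ "$client" = 127.0.0.1 ]; then match=1; fi ;;
            *.) case $client in "$pat"*) match=1 ;; esac ;;
            *) if [ "$client" = "$pat" ]; then match=1; fi ;;
        esac
        if [ "$match" = 1 ]; then
            printf '%s (%s)\n' "$verdict" "$line"
            return 0
        fi
    done <<EOF
$RULES
EOF
    printf 'allow (no matching rule; TCP wrappers grant access by default)\n'
}

# Stand-alone run: a LAN host, and the address that appeared in Terry's
# log as "refused connect".
hosts_access sshd 192.168.2.17
hosts_access sshd 219.113.213.21
```

On the FreeBSD server itself, tcpdmatch(8) performs the same evaluation against the real /etc/hosts.allow (`tcpdmatch sshd 219.113.213.21`), and `ldd /usr/sbin/sshd` shows whether the sshd binary is linked against libwrap at all, which is the first thing to check when hosts.allow appears to be ignored.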


