From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 22:02:40 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A335D16A4CE for ; Fri, 24 Sep 2004 22:02:40 +0000 (GMT)
Received: from betty.computinginnovations.com (dsl081-142-072.chi1.dsl.speakeasy.net [64.81.142.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC4CA43D31 for ; Fri, 24 Sep 2004 22:02:39 +0000 (GMT) (envelope-from derek@computinginnovations.com)
Received: from p17.computinginnovations.com (dhcp-10-20-30-100.computinginnovations.com [10.20.30.100]) (authenticated bits=0) i8OM2Xi4094262; Fri, 24 Sep 2004 17:02:34 -0500 (CDT)
Message-Id: <6.0.0.22.2.20040924165856.01f551f0@mail.computinginnovations.com>
X-Sender: derek@mail.computinginnovations.com
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Fri, 24 Sep 2004 17:02:27 -0500
To: Terry , freebsd-security@freebsd.org
From: Derek Ragona
In-Reply-To: <415488AB.2060803@mrtux.co.uk>
References: <20040923120103.5DD3116A517@hub.freebsd.org> <415488AB.2060803@mrtux.co.uk>
Mime-Version: 1.0
X-ComputingInnovations-MailScanner-Information: Please contact the ISP for more information
X-ComputingInnovations-MailScanner: Found to be clean
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: Re: ssh security
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 24 Sep 2004 22:02:40 -0000

At 03:50 PM 9/24/2004, Terry wrote:
>Derek Ragona wrote:
>
>
>>>I tried to implement a similar scheme in my hosts.allow on a FreeBSD
>>>5.2.1 server. But when I try to test it from an IP outside my LAN, it
>>>still allows ssh logins.
>>>I even put in a line in hosts.allow to
>>>explicitly deny the IP I was ssh'ing from, but it still let me in.
>>>The behavior gives the appearance that TCP wrappers are not enabled,
>>>and thus the /etc/hosts.allow file is ignored.
>>>
>>>Is there something I need to do to enable the wrappers in sshd? I saw
>>>that there is a compile option for the portable source from openssh.org,
>>>so I wonder if there is some compile option that needs to be enabled in
>>>make.conf?
>>>I have gone through the documentation for sshd_config, sshd, make.conf,
>>>etc. but am not finding anything to change.
>>>
>>> -Derek
>>>
>>>
>>>
>>>At 07:37 AM 9/19/2004, Terry wrote:
>>
>>
>>>>>I had the same problem, so I set up hosts.allow to only allow access
>>>>>from certain IPs I require.
>>>>>This has the effect of killing the connection from any other IP before
>>>>>getting to any login prompt.
>>>>>Example below:
>>>>>sshd : localhost : allow
>>>>>sshd : 192.168.2. : allow
>>>>>sshd : 82.41.115.213 : allow
>>>>>sshd : 216.123.248.219 : allow <-- public IP I wish to allow; of
>>>>>course I have changed it
>>>>>sshd : all : deny
>>>>>
>>>>>This then shows in the log instead of failed login attempts:
>>>>>
>>>>>dot.blah.co.uk refused connections:
>>>>>Sep 17 22:11:55 dlt sshd[35669]: refused connect from
>>>>>usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)
>>>>>
>>>>>Regards Terry
>>>>>
>>>
>I read somewhere the order is important. Have you tried exactly as I
>posted, only changed IPs to fit your setup?
>My FreeBSD version is 4.10 and I made no other changes; I think TCP
>wrappers are default.
>Terry

Terry,

I cut and pasted the lines as you had them, and just changed the IPs. I had one less line originally where your public address line is, then added a line to explicitly deny the one address I was testing from.

I do have a 4.10 server I will try this on as well.

Thanks for the reply.
        -Derek

>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
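Terry's remark that "the order is important" is the crux of the thread: libwrap's hosts_access(3) walks /etc/hosts.allow top to bottom and acts on the first rule whose daemon and client fields both match, so a catch-all line placed above the specific allows shadows them. The script below is an added example, not code from either poster: a small POSIX sh evaluator of that first-match semantics, run over Terry's rules (spacing tidied, trailing comment removed) and over a hypothetical mis-ordered variant. It models "all" as a wildcard, a pattern ending in "." as a network prefix, and anything else as an exact string; hostname lookup is not modelled, so "localhost" here is just a literal. Both rule sets and the client addresses in the demo loop are constructed for the example.

```shell
#!/bin/sh
# Added example: toy evaluator for the first-match rule order of
# /etc/hosts.allow as consulted by libwrap's hosts_access(3).
# Field patterns: "all"/"ALL" match anything; a pattern ending in "."
# is a network prefix (e.g. "192.168.2."); anything else is an exact
# match. No DNS: "localhost" is compared as a plain string.

# Terry's rules from the thread, comment stripped, spacing normalised.
RULES_POSTED='sshd : localhost : allow
sshd : 192.168.2. : allow
sshd : 82.41.115.213 : allow
sshd : 216.123.248.219 : allow
sshd : all : deny'

# Hypothetical mis-ordered variant: the catch-all deny comes first and
# shadows every allow rule below it.
RULES_DENY_FIRST='sshd : all : deny
sshd : localhost : allow
sshd : 192.168.2. : allow'

# match_field PATTERN VALUE -> exit 0 if PATTERN covers VALUE, else 1
match_field() {
    case "$1" in
        all|ALL) return 0 ;;
        *.)      case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)       [ "$1" = "$2" ] ;;
    esac
}

# hosts_access DAEMON CLIENT RULES -> prints the action of the first
# rule whose daemon and client fields both match, or "allow" when no
# rule matches (libwrap grants access when neither file matches).
hosts_access() {
    daemon=$1; client=$2; rules=$3
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        d=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        c=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' ')
        a=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' ')
        if match_field "$d" "$daemon" && match_field "$c" "$client"; then
            echo "$a"
            return 0
        fi
    done <<EOF
$rules
EOF
    echo allow
}

# Demonstration: a LAN client and the Japanese host from Terry's log,
# evaluated under both rule orders.
for client in 192.168.2.15 219.113.213.21; do
    printf '%-16s posted order: %-5s  deny-first: %s\n' "$client" \
        "$(hosts_access sshd "$client" "$RULES_POSTED")" \
        "$(hosts_access sshd "$client" "$RULES_DENY_FIRST")"
done
```

With the posted order the LAN client gets "allow" and 219.113.213.21 gets "deny"; with the deny line first, both get "deny". Two checks the thread does not spell out but a practitioner would run before blaming rule order: confirm the sshd binary is actually linked against libwrap (`ldd /usr/sbin/sshd | grep wrap` on the FreeBSD host; no output means the wrappers are never consulted, whatever hosts.allow says), and remember that after hosts.allow yields no match libwrap goes on to /etc/hosts.deny before falling through to allow, so an unexpected "allow" can also come from a matching line earlier in hosts.allow that is not the one being edited.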