can't restrict sshd access through hosts.allow and hosts.deny but was working earlier
Running ver 8.0.0 (åtta) Slackware 2.4.29
The problem is that I can't restrict an IP address in hosts.allow and hosts.deny.
I typed the following at the shell to avoid any illegal characters (which happened a couple of times when copying from Windows Notepad/WordPad):
cat /etc/hosts.allow
sshd : a.a.a.a
cat /etc/hosts.deny
sshd : ALL
sshd is started from:
/etc/rc.d/rc.inet2:if [ -x /usr/local/sbin/sshd ]; then
/etc/rc.d/rc.inet2: echo -n " sshd"
/etc/rc.d/rc.inet2: /usr/local/sbin/sshd
/etc/rc.d/rc.inet2:elif [ -x /usr/sbin/sshd ]; then
/etc/rc.d/rc.inet2: echo -n " sshd"
/etc/rc.d/rc.inet2: /usr/sbin/sshd
I rebooted the server (which wasn't required; restarting the service was enough).
But I can still log in to the test server from anywhere.
Earlier the server was locked down to a few IP addresses on our network, which I changed to sshd : ALL : ALLOW
Then the server started to receive many ssh login attempts in /var/log/messages from various IP addresses,
and now I want to lock it down again, and it is not.
Unfortunately I don't want to use iptables/ipchains.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.
Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /usr/local/etc/ssh_host_key
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 9
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
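Added example (not from the thread): a small model of how tcp_wrappers evaluates hosts.allow and hosts.deny, run against the poster's current rules and the earlier wide-open one, with 192.0.2.10 standing in for a.a.a.a. It assumes the plain `daemon : client [: ALLOW|DENY]` syntax, and the verdict it computes is only enforced when the sshd actually running was built with libwrap support.

```python
import ipaddress

def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemons, clients, option) tuples.
    Understands '#' comments, blank lines and 'daemon : client [: ALLOW|DENY]'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        option = fields[2].upper() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules

def client_matches(pattern, ip):
    """One client pattern: ALL, exact address, 'a.b.c.' prefix, or net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def tcpd_decision(daemon, ip, allow_text, deny_text):
    """tcp_wrappers order: first match in hosts.allow grants, else first match in
    hosts.deny refuses, else access is granted. A trailing ALLOW/DENY option
    overrides the verdict implied by the file the rule lives in."""
    for rules, verdict in ((parse_rules(allow_text), "ALLOW"),
                           (parse_rules(deny_text), "DENY")):
        for daemons, clients, option in rules:
            if (daemon in daemons or "ALL" in daemons) and \
               any(client_matches(c, ip) for c in clients):
                return option or verdict
    return "ALLOW"

# Constructed sample files; 192.0.2.10 stands in for the poster's a.a.a.a.
ALLOW_NOW = "sshd : 192.0.2.10\n"
DENY_NOW = "sshd : ALL\n"
ALLOW_EARLIER = "sshd : ALL : ALLOW\n"   # the earlier rule that opened sshd to everyone

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7"):
        print(src, "now:", tcpd_decision("sshd", src, ALLOW_NOW, DENY_NOW),
              "earlier:", tcpd_decision("sshd", src, ALLOW_EARLIER, DENY_NOW))
```

For a dynamically linked sshd, `ldd /usr/local/sbin/sshd | grep libwrap` shows whether the binary consults these files at all; a build without libwrap ignores them silently, and the tcp_wrappers tool `tcpdmatch sshd <ip>` reports the verdict the library itself would reach.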
If the hosts.allow and .deny files are set up correctly, afaik it should block access. Can you post the actual complete files? I'm assuming that when you write a.a.a.a it is just a replacement here for the actual IP you have in the file?
Btw, unless you specifically have clients that can only use protocol 1 (which these days is probably unlikely) you should uncomment the "Protocol" line (or make a new one) and change it to allow only protocol 2. Protocol 1 is insecure. That might even be the problem; I'm not sure if the authentication for protocol 1 bypasses the hosts files. It doesn't seem like it would be able to, but who knows.