ssh security

Derek Ragona derek at computinginnovations.com
Fri Sep 24 15:02:40 PDT 2004 

At 03:50 PM 9/24/2004, Terry wrote:
>Derek Ragona wrote:
>
>
>>>I tried to implement a similar scheme in my hosts.allow on a FreeBSD 
>>>5.2.1 server.  But when I try to test it from an IP outside my LAN, it 
>>>still allows ssh logins.  I even put in a line in hosts.allow to 
>>>explicitly deny the IP I was ssh'ing from, but it still let me in.
>>>The behavior  gives the appearance that TCP wrappers are not enabled, 
>>>and thus the /etc/hosts.allow file is ignored.
>>>
>>>Is there something I need to do to enable the wrappers in sshd?  I saw 
>>>that there is a compile option for the portable source from openssh.org, 
>>>so I wonder if there is some compile option that needs to be enabled in 
>>>make.conf?
>>>I have gone through the documentation for sshd_config, sshd, make.conf, 
>>>etc. but am not finding anything to change.
>>>
>>>         -Derek
>>>
>>>
>>>
>>>At 07:37 AM 9/19/2004, Terry wrote:
>>
>>
>>>>>I had the same problem so i setup up hosts.allow to only allow access 
>>>>>from certain ips i require
>>>>>This has the affect of killing the connection from any other ip befor 
>>>>>gettign to any login prompt
>>>>>example below
>>>>>sshd : localhost : allow
>>>>>sshd : 192.168.2. : allow
>>>>>sshd : 82.41.115.213 :allow
>>>>>sshd : 216.123.248.219 : allow  <-- public ip i wish to allow of 
>>>>>course i have changed it
>>>>>sshd : all : deny
>>>>>
>>>>>This then shows in log instead of failed login attempts
>>>>>
>>>>>dot.blah.co.uk refused connections:
>>>>>Sep 17 22:11:55 dlt sshd[35669]: refused connect from 
>>>>>usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)
>>>>>
>>>>>Regards Terry
>>>>>
>>>
>I read some where the order is important have you tried exactly as i 
>posted only changed ip's to fit your setup ?
>My freebsd version is 4.10 and i made no other changes i think tcp 
>wrappers are default
>Terry

Terry,

I cut and pasted the lines as you had them, and just changed the IP's.  I 
had one less line originally where your public address line is, then added 
a line to explicitly deny the one address I was testing from.

I do have a 4.10 server I will try this on as well.  Thanks for the reply.

         -Derek





>_______________________________________________
>freebsd-security at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

More information about the freebsd-security mailing list