Re: ssh security

From: Terry (terry_at_mrtux.co.uk)
Date: 09/24/04

  • Next message: Chris Orr: "Re: ssh security"
    Date: Fri, 24 Sep 2004 21:50:51 +0100
    To: freebsd-security@freebsd.org
    
    

    Derek Ragona wrote:

    >> I tried to implement a similar scheme in my hosts.allow on a FreeBSD
    >> 5.2.1 server. But when I try to test it from an IP outside my LAN, it
    >> still allows ssh logins. I even put in a line in hosts.allow to
    >> explicitly deny the IP I was ssh'ing from, but it still let me in.
    >> The behavior gives the appearance that TCP wrappers are not enabled,
    >> and thus the /etc/hosts.allow file is ignored.
    >>
    >> Is there something I need to do to enable the wrappers in sshd? I saw
    >> that there is a compile option for the portable source from
    >> openssh.org, so I wonder if there is some compile option that needs to
    >> be enabled in make.conf?
    >>
    >> I have gone through the documentation for sshd_config, sshd,
    >> make.conf, etc. but am not finding anything to change.
    >>
    >> -Derek
    >>
    >>
    >>
    >> At 07:37 AM 9/19/2004, Terry wrote:
    >>
    >
    >
    >>>> I had the same problem, so I set up hosts.allow to only allow access
    >>>> from certain IPs I require.
    >>>> This has the effect of killing the connection from any other IP before
    >>>> getting to any login prompt.
    >>>> Example below:
    >>>> sshd : localhost : allow
    >>>> sshd : 192.168.2. : allow
    >>>> sshd : 82.41.115.213 :allow
    >>>> sshd : 216.123.248.219 : allow <-- public IP I wish to allow; of
    >>>> course I have changed it
    >>>> sshd : all : deny
    >>>>
    >>>> This then shows in log instead of failed login attempts
    >>>>
    >>>> dot.blah.co.uk refused connections:
    >>>> Sep 17 22:11:55 dlt sshd[35669]: refused connect from
    >>>> usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)
    >>>>
    >>>> Regards Terry
    >>>>
    >>>>
    >>
    >>
    I read somewhere the order is important. Have you tried exactly as I
    posted, only changing the IPs to fit your setup?
    My FreeBSD version is 4.10 and I made no other changes; I think TCP
    wrappers are default.
    Terry

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
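
The rule-ordering point raised in this thread, as an added example that is not part of the original messages: a simplified Python model of first-match evaluation for `daemon : client : allow|deny` lines. The rule sets and addresses are constructed, and the model assumes only `ALL`, exact IPv4 addresses and trailing-dot prefixes (no hostnames, netmasks, IPv6 or `EXCEPT`).

```python
import re

def parse_rules(text):
    """Return (daemons, clients, action) tuples from 'daemon : client : action' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3:
            continue  # blank, comment-only, or not in the three-field form
        daemons, clients = (re.split(r"[,\s]+", f) for f in fields[:2])
        rules.append((daemons, clients, fields[2].lower()))
    return rules

def client_matches(pattern, addr):
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):            # "192.168.2." matches by prefix
        return addr.startswith(pattern)
    return pattern == addr

def decide(rules, daemon, addr):
    """First matching rule wins; returns (action, rule_number)."""
    for n, (daemons, clients, action) in enumerate(rules, 1):
        daemon_ok = any(d.upper() == "ALL" or d == daemon for d in daemons)
        if daemon_ok and any(client_matches(c, addr) for c in clients):
            return action, n
    return "allow", None                 # nothing matched: access is granted

# Constructed rule set in the order posted in the thread: allows first, deny last.
ORDERED = """
sshd : 192.168.2. : allow
sshd : 198.51.100.7 : allow
sshd : ALL : deny
"""

# Constructed rule set where a catch-all allow sits above the sshd rules,
# so the explicit deny for 203.0.113.9 is never reached.
SHADOWED = """
ALL : ALL : allow
sshd : 203.0.113.9 : deny
sshd : ALL : deny
"""

if __name__ == "__main__":
    for name, text in (("ORDERED", ORDERED), ("SHADOWED", SHADOWED)):
        for addr in ("192.168.2.40", "203.0.113.9"):
            print(name, addr, decide(parse_rules(text), "sshd", addr))
```

On a live system, `tcpdmatch sshd <address>` reports the decision the real library makes against the installed file.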

