Re: ssh security
From: Terry (terry_at_mrtux.co.uk)
Date: Fri, 24 Sep 2004 21:50:51 +0100
To: firstname.lastname@example.org
Derek Ragona wrote:
>> I tried to implement a similar scheme in my hosts.allow on a FreeBSD
>> 5.2.1 server. But when I try to test it from an IP outside my LAN, it
>> still allows ssh logins. I even put in a line in hosts.allow to
>> explicitly deny the IP I was ssh'ing from, but it still let me in.
>> The behavior gives the appearance that TCP wrappers are not enabled,
>> and thus the /etc/hosts.allow file is ignored.
>> Is there something I need to do to enable the wrappers in sshd? I saw
>> that there is a compile option for the portable source from
>> openssh.org, so I wonder if there is some compile option that needs to
>> be enabled in make.conf?
>> I have gone through the documentation for sshd_config, sshd,
>> make.conf, etc. but am not finding anything to change.
>> At 07:37 AM 9/19/2004, Terry wrote:
>>>> I had the same problem, so I set up hosts.allow to only allow access
>>>> from certain IPs I require.
>>>> This has the effect of killing the connection from any other IP before
>>>> getting to any login prompt.
>>>> Example below:
>>>> sshd : localhost : allow
>>>> sshd : 192.168.2. : allow
>>>> sshd : 184.108.40.206 :allow
>>>> sshd : 220.127.116.11 : allow <-- public IP I wish to allow; of
>>>> course I have changed it
>>>> sshd : all : deny
>>>> This then shows in the log instead of failed login attempts:
>>>> dot.blah.co.uk refused connections:
>>>> Sep 17 22:11:55 dlt sshd: refused connect from
>>>> usen-219x113x213x21.ap-US.usen.ad.jp (18.104.22.168)
>>>> Regards Terry
I read somewhere that the order is important. Have you tried exactly as I
posted, only changing the IPs to fit your setup?
My FreeBSD version is 4.10 and I made no other changes. I think TCP
wrappers are the default.
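
The ordering point raised in this thread, as an added example that is not part of the original posts: a minimal first-match evaluator for the `daemon : client : action` subset of hosts.allow used above. All addresses and both rule files are constructed; the second file, with a catch-all allow line ahead of the sshd rules, is an assumed layout and not Derek's actual file.

```python
# Added example: first-match evaluation of hosts.allow-style rules.
# Covers only the syntax seen in the thread (no IPv6, netmasks or wildcards
# other than ALL). Addresses below are constructed documentation ranges.

ORDERED = """
sshd : localhost : allow
sshd : 192.168.2. : allow
sshd : 203.0.113.10 : allow
sshd : ALL : deny
"""

# Assumed layout: a catch-all allow line sits above the sshd rules.
SHADOWED = """
ALL : ALL : allow
sshd : 198.51.100.9 : deny
sshd : ALL : deny
"""

def parse_rules(text):
    """Return a list of (daemon, client_pattern, action) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemon, client, action = (f.strip().lower() for f in line.split(":", 2))
        rules.append((daemon, client, action.split()[0]))
    return rules

def client_matches(pattern, ip, hostname=None):
    if pattern == "all":
        return True
    if pattern.endswith("."):                 # "192.168.2." is a prefix match
        return ip.startswith(pattern)
    return pattern in (ip, (hostname or "").lower())

def decide(rules, daemon, ip, hostname=None):
    """First matching rule wins; later lines are never consulted."""
    for number, (d, client, action) in enumerate(rules, 1):
        if d in ("all", daemon) and client_matches(client, ip, hostname):
            return action, number
    return "allow", None                      # no match at all: access granted

if __name__ == "__main__":
    for name, text in (("ordered", ORDERED), ("shadowed", SHADOWED)):
        print(name, decide(parse_rules(text), "sshd", "198.51.100.9"))
```

On a real host, `tcpdmatch sshd <address>` reports the decision the wrapper library would make for the installed files.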