Re: ssh security

From: Derek Ragona (
Date: 09/25/04

    Date: Fri, 24 Sep 2004 17:02:27 -0500
    To: Terry <>,

    At 03:50 PM 9/24/2004, Terry wrote:
    >Derek Ragona wrote:
    >>>I tried to implement a similar scheme in my hosts.allow on a FreeBSD
    >>>5.2.1 server. But when I try to test it from an IP outside my LAN, it
    >>>still allows ssh logins. I even put in a line in hosts.allow to
    >>>explicitly deny the IP I was ssh'ing from, but it still let me in.
    >>>The behavior gives the appearance that TCP wrappers are not enabled,
    >>>and thus the /etc/hosts.allow file is ignored.
    >>>Is there something I need to do to enable the wrappers in sshd? I saw
    >>>that there is a compile option for the portable source from,
    >>>so I wonder if there is some compile option that needs to be enabled in
    >>>I have gone through the documentation for sshd_config, sshd, make.conf,
    >>>etc. but am not finding anything to change.
    >>> -Derek
    >>>At 07:37 AM 9/19/2004, Terry wrote:
    >>>>>I had the same problem so I set up hosts.allow to only allow access
    >>>>>from certain IPs I require
    >>>>>This has the effect of killing the connection from any other IP before
    >>>>>getting to any login prompt
    >>>>>example below
    >>>>>sshd : localhost : allow
    >>>>>sshd : 192.168.2. : allow
    >>>>>sshd : :allow
    >>>>>sshd : : allow <-- public IP I wish to allow, of
    >>>>>course I have changed it
    >>>>>sshd : all : deny
    >>>>>This then shows in log instead of failed login attempts
    >>>>> refused connections:
    >>>>>Sep 17 22:11:55 dlt sshd[35669]: refused connect from
    >>>>> (
    >>>>>Regards Terry
    >I read somewhere the order is important. Have you tried exactly as I
    >posted, only changed IPs to fit your setup?
    >My FreeBSD version is 4.10 and I made no other changes; I think TCP
    >wrappers are default.


    I cut and pasted the lines as you had them, and just changed the IPs. I
    had one less line originally where your public address line is, then added
    a line to explicitly deny the one address I was testing from.

    I do have a 4.10 server I will try this on as well. Thanks for the reply.


    _______________________________________________ mailing list
    To unsubscribe, send any mail to ""
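As an added illustration (not part of the thread), here is a small Python model of how TCP wrappers evaluates a FreeBSD-style hosts.allow, applied to the rules Terry posted; the address 203.0.113.7 is a constructed stand-in for the redacted public IP, and rule parsing is simplified to daemon list, client list and allow/deny option. It shows the first-match behaviour behind "the order is important": a deny placed after a broader allow never fires.

```python
import ipaddress

# Constructed rule set mirroring the thread: 203.0.113.7 stands in for the
# redacted public address Terry allowed (RFC 5737 documentation range).
RULES_TEXT = """
sshd : localhost : allow
sshd : 192.168.2. : allow
sshd : 203.0.113.7 : allow
sshd : all : deny
"""

def client_matches(pattern, client_ip):
    """Match one hosts.allow client pattern against an IPv4 address string."""
    pattern = pattern.lower()
    addr = ipaddress.ip_address(client_ip)
    if pattern == "all":
        return True
    if pattern == "localhost":
        return addr.is_loopback
    if pattern.endswith("."):            # "192.168.2." means 192.168.2.*
        return client_ip.startswith(pattern)
    if "/" in pattern:                   # net/mask or CIDR form
        return addr in ipaddress.ip_network(pattern, strict=False)
    return client_ip == pattern

def parse_rules(text):
    """Parse 'daemon_list : client_list [: allow|deny]' lines, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip().replace(",", " ") for f in line.split(":")]
        option = fields[2].lower() if len(fields) > 2 else "allow"
        rules.append((fields[0].lower().split(), fields[1].lower().split(), option))
    return rules

def decide(rules, daemon, client_ip):
    """First matching rule wins; with no match at all TCP wrappers grants access."""
    for daemons, clients, option in rules:
        if daemon.lower() not in daemons and "all" not in daemons:
            continue
        if any(client_matches(c, client_ip) for c in clients):
            return option
    return "allow"

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.2.15", "203.0.113.7", "198.51.100.9"):
        print(ip, decide(parse_rules(RULES_TEXT), "sshd", ip))
```

Note that a rule set is only consulted if sshd was actually built with TCP wrappers support, which is the question Derek raises above; this model cannot tell you that.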
