  1. #1
    Join Date
    Oct 2007
    Posts
    62

    sshd deny on /etc/hosts.deny

    I have a new server setup that doesn't work with /etc/hosts.deny

    [email protected] [~]# cat /etc/hosts.deny
    #
    # hosts.deny This file describes the names of the hosts which are
    # *not* allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow. In particular
    # you should know that NFS uses portmap!

    sshd : ALL

    I'm trying to deny sshd on this server so that I can allow only specific IPs to log in via settings in /etc/hosts.allow.

    What should I do to troubleshoot this issue?

  2. #2
    Join Date
    May 2009
    Location
    On a Speck!!!!!
    Posts
    216
    Add the IP to be given ssh access in /etc/hosts.allow as given below

    sshd: <IP>

    To deny any other ssh access except from the ones listed in /etc/hosts.allow, back up and modify the /etc/hosts.deny file

    ALL: sshd

    Save and exit.

  3. #3
    Join Date
    Oct 2007
    Posts
    62
    Originally posted by Thomas Manning:
    Add the IP to be given ssh access in /etc/hosts.allow as given below

    sshd: <IP>

    To deny any other ssh access except from the ones listed in /etc/hosts.allow, back up and modify the /etc/hosts.deny file

    ALL: sshd

    Save and exit.

    Yes, that's what I did, and it didn't work. The server does not deny all ssh requests. I can still open ssh from anywhere. How do I solve this problem?

  4. #4
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    Not sure if the space would cause any issues, as you posted

    sshd : ALL
    Make sure it's just

    sshd: ALL
    Other than that, make sure sshd is compiled with libwrap support

    # ldd /usr/sbin/sshd

    You should see in the output

    libwrap.so.0 => /lib/libwrap.so.0

    Was ssh compiled on your box? Make sure that /lib/libwrap.so.0 exists.

  5. #5
    Join Date
    Oct 2007
    Posts
    62
    Oh no, I didn't see it

    [email protected] [~]# ldd /usr/sbin/sshd
    linux-gate.so.1 => (0x001ef000)
    libpam.so.0 => /lib/libpam.so.0 (0x00317000)
    libdl.so.2 => /lib/libdl.so.2 (0x00a73000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x00c2a000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x00c85000)
    libutil.so.1 => /lib/libutil.so.1 (0x00880000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00abb000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x00b3d000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x00b56000)
    libc.so.6 => /lib/libc.so.6 (0x0092d000)
    libaudit.so.0 => /lib/libaudit.so.0 (0x002f6000)
    /lib/ld-linux.so.2 (0x0090f000)

    How do I compile them with libwrap?

  6. #6
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    You would need to install the libwrap headers etc. first, probably libwrap-devel on CentOS (it's libwrap0-dev on Debian/Ubuntu), then recompile ssh again with the ./configure option included

    --with-tcp-wrappers

    ./configure --help for a full list.

  7. #7
    Join Date
    Oct 2007
    Posts
    62
    I am using CentOS 5. How do I recompile ssh with libwrap?

  8. #8
    I would suggest you restart the network and sshd services once and then test.

    /etc/init.d/network restart
    /etc/init.d/sshd restart

  9. #9
    Join Date
    Mar 2009
    Location
    Israel
    Posts
    1,204
    Usually tcpwrappers is not the way to go for what you are trying to do.

    Anyhow, you don't need to use both hosts.allow & hosts.deny.
    tcpwrappers allows nesting of rules;
    you can put inside your hosts.deny a line that will look like this

    sshd: ALL EXCEPT 192.168.0.1
    for example ^

    iptables is the proper way to go.

  10. #10
    Join Date
    Oct 2007
    Posts
    62
    The problem now is I can't get hosts.deny / hosts.allow to work.

    I need some guidance on how I can recompile ssh with libwrap using CentOS 5.
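
The behaviour discussed in this thread, as an added example that is not code from any poster or from OpenSSH: a simplified Python model of how tcp_wrappers decides access (hosts.allow first, then hosts.deny, otherwise allow), and of why the files have no effect when `ldd` shows no libwrap. The function names, the client address 203.0.113.7 and the shortened `ldd` text are constructed for illustration; only IPv4 literals, `ALL`, trailing-dot prefixes and `EXCEPT` are handled.

```python
# Added example: simplified hosts_access(5) evaluation (IPv4 literals only).
# Sample inputs are constructed, apart from rule lines quoted from the thread.

def linked_with_libwrap(ldd_output):
    """True if the `ldd /usr/sbin/sshd` text lists libwrap."""
    return any(l.strip().startswith("libwrap.so") for l in ldd_output.splitlines())

def _match(tokens, value):
    """Match value against a token list: ALL, exact, 'a.b.' prefix, EXCEPT."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match(tokens[:i], value) and not _match(tokens[i + 1:], value)
    return any(t == "ALL" or t == value or (t.endswith(".") and value.startswith(t))
               for t in tokens)

def file_matches(text, daemon, client):
    """True if any 'daemon_list : client_list' line matches the pair."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if _match(daemons, daemon) and _match(clients, client):
            return True
    return False

def decide(ldd_output, hosts_allow, hosts_deny, client, daemon="sshd"):
    """Return (decision, reason) for one client address."""
    if not linked_with_libwrap(ldd_output):
        return ("allow", "sshd not linked with libwrap; files are never read")
    if file_matches(hosts_allow, daemon, client):
        return ("allow", "matched hosts.allow")
    if file_matches(hosts_deny, daemon, client):
        return ("deny", "matched hosts.deny")
    return ("allow", "no rule matched")

# Constructed, shortened ldd output: without and with the libwrap line.
NO_WRAP = "libpam.so.0 => /lib/libpam.so.0\nlibc.so.6 => /lib/libc.so.6\n"
WITH_WRAP = NO_WRAP + "libwrap.so.0 => /lib/libwrap.so.0\n"

if __name__ == "__main__":
    for ldd in (NO_WRAP, WITH_WRAP):
        print(decide(ldd, "sshd: 192.168.0.1", "sshd : ALL", "203.0.113.7"))
```

In this model the first field is always the daemon list, so a deny line of `ALL: sshd` matches only a client named sshd and leaves other addresses allowed.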
