> > On 8/24/05, STYMA, ROBERT E (ROBERT) <stymar@xxxxxxxxxx> wrote:
> > I just retested on FC3. The ssh that comes
> > with the standard repos does honor the
> > /etc/hosts.allow and /etc/hosts.deny files.
> > I am not real familiar with the HOSTDENY program,
> > but if it updates /etc/hosts.deny, ssh will
> > honor it. The tcpwrappers program also checks
> > /etc/hosts.deny and /etc/hosts.allow.
> >
> > You can easily test this by hand.
>
> What I did was the following:
> (I am logged in via ssh on a remote host.)
>
> 1. Open /etc/hosts.deny
> 2. Add a line that reads "sshd: 127.0.0.1"
> 3. Save and exit
> 4. 'service sshd restart'
> 5. 'ssh localhost'
>
> The document I linked to earlier says I should get the following
> message "ssh_exchange_identification: Connection closed by remote
> host". Instead I just get a new RSA key fingerprint message.
>
> Am I doing something wrong or is there another way to test it?

1. As an aside, you do not have to restart sshd when you update /etc/hosts.deny and /etc/hosts.allow.
2. /etc/hosts.allow is looked at first. Make sure it does not have something in it to allow 127.0.0.1.
3. Check the /var/log/messages and /var/log/secure to see what IP the system thought was connecting.
4. Try this. Note that changing /etc/hosts.allow and /etc/hosts.deny does not affect ssh connections which are already established.
   a. Put the IP address of the machine you are ssh'ing in from originally in the /etc/hosts.deny file and save.
   b. Try to ssh in from another window. It should be denied.
   c. Take the IP out before you log off of the first session.
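The lookup order behind point 2 (hosts.allow is consulted first, then hosts.deny, and no match in either means access is granted), as an added shell model that is not part of this thread and is not tcpd itself. It assumes a simplified rule syntax, "daemon_list : client_list" with ALL, exact IPv4 addresses and trailing-dot network prefixes only (no EXCEPT, netmasks or hostnames), and it reads constructed rule files rather than the real /etc files.

```shell
#!/bin/sh
# Added illustration of the tcp_wrappers decision order; simplified, not tcpd.

# match_list LIST ITEM -> 0 if ITEM matches any comma-separated entry in LIST.
# Runs in a subshell so changing IFS and disabling globbing stay local.
match_list() (
    IFS=','; set -f
    for entry in $1; do
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        case $entry in
            '')  ;;                                   # empty field, skip
            ALL) return 0 ;;                          # wildcard
            *.)  case $2 in "$entry"*) return 0 ;; esac ;;   # "10.0.0." prefix form
            *)   [ "$entry" = "$2" ] && return 0 ;;   # exact address
        esac
    done
    return 1
)

# file_matches FILE DAEMON CLIENT -> 0 if any rule line in FILE matches both.
file_matches() {
    [ -r "$1" ] || return 1                           # missing file: no rules
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac        # blank lines and comments
        daemons=${line%%:*}
        clients=${line#*:}
        match_list "$daemons" "$2" && match_list "$clients" "$3" && return 0
    done < "$1"
    return 1
}

# tcpwrap_decision DAEMON CLIENT ALLOWFILE DENYFILE -> prints "allow" or "deny".
tcpwrap_decision() {
    if   file_matches "$3" "$1" "$2"; then echo allow   # hosts.allow wins first
    elif file_matches "$4" "$1" "$2"; then echo deny    # then hosts.deny
    else echo allow                                      # default: access granted
    fi
}

# Constructed rule files (not the real /etc files) reproducing the thread's scenario:
# an allow entry for one host would override a deny for the same network.
d=$(mktemp -d)
printf 'sshd: 10.0.0.5\n' > "$d/hosts.allow"
printf 'sshd: 127.0.0.1, 10.0.0.\n' > "$d/hosts.deny"
for ip in 127.0.0.1 10.0.0.5 10.0.0.9 192.168.1.1; do
    echo "sshd from $ip: $(tcpwrap_decision sshd "$ip" "$d/hosts.allow" "$d/hosts.deny")"
done
rm -rf "$d"
```

The loopback case is denied only because nothing in the constructed hosts.allow matches it, which is exactly the check point 2 asks for.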