>
> On 8/24/05, STYMA, ROBERT E (ROBERT) <stymar@xxxxxxxxxx> wrote:
> > I just retested on FC3. The ssh that comes
> > with the standard repos does honor the
> > /etc/hosts.allow and /etc/hosts.deny files.
> > I am not real familiar with the HOSTDENY program,
> > but if it updates /etc/hosts.deny, ssh will
> > honor it. The tcpwrappers program also checks
> > /etc/hosts.deny and /etc/hosts.allow.
> >
> > You can easily test this by hand.
>
> What I did was the following:
>
> (I am logged in via ssh on a remote host.)
>
> 1. Open /etc/hosts.deny
> 2. Add a line that reads "sshd: 127.0.0.1"
> 3. Save and exit
> 4. 'service sshd restart'
> 5. 'ssh localhost'
>
> The document I linked to earlier says I should get the following
> message "ssh_exchange_identification: Connection closed by remote
> host". Instead I just get a new RSA key fingerprint message.
>
> Am I doing something wrong or is there another way to test it?
>
>
1. As an aside, you do not have to restart sshd when you update
/etc/hosts.deny and /etc/hosts.allow.
2. /etc/hosts.allow is looked at first. Make sure it does not
have something in it to allow 127.0.0.1
3. Check the /var/log/messages and /var/log/secure to see what IP
the system thought was connecting.
4. Try this.
Note that changing /etc/hosts.allow and /etc/hosts.deny does
not affect ssh connections which are already established.
a. Put the IP address of the machine you are ssh'ing in from
originally in the /etc/hosts.deny file and save.
b. Try to ssh in from from another window. It should be
deny'ed.
c. Take the IP out before you log off of the first session.
