RE: Confused about tcp_wrappers and sshd


 



> 
> On 8/24/05, STYMA, ROBERT E (ROBERT) <stymar@xxxxxxxxxx> wrote:
> > I just retested on FC3.  The ssh that comes
> > with the standard repos does honor the
> > /etc/hosts.allow and /etc/hosts.deny files.
> > I am not real familiar with the HOSTDENY program,
> > but if it updates /etc/hosts.deny, ssh will
> > honor it.  The tcpwrappers program also checks
> > /etc/hosts.deny and /etc/hosts.allow.
> > 
> > You can easily test this by hand.
> 
> What I did was the following:
> 
> (I am logged in via ssh on a remote host.)
> 
> 1. Open /etc/hosts.deny
> 2. Add a line that reads "sshd: 127.0.0.1"
> 3. Save and exit
> 4. 'service sshd restart'
> 5. 'ssh localhost'
> 
> The document I linked to earlier says I should get the following
> message "ssh_exchange_identification: Connection closed by remote
> host". Instead I just get a new RSA key fingerprint message.
> 
> Am I doing something wrong or is there another way to test it?
> 
> 
1.  As an aside, you do not have to restart sshd when you update
    /etc/hosts.deny and /etc/hosts.allow.
2.  /etc/hosts.allow is looked at first.  Make sure it does not
    have something in it to allow 127.0.0.1
3.  Check the /var/log/messages and /var/log/secure to see what IP
    the system thought was connecting.
4.  Try this.
     Note that changing /etc/hosts.allow and /etc/hosts.deny does
     not affect ssh connections which are already established.
     a. Put the IP address of the machine you are ssh'ing in from
        originally in the /etc/hosts.deny file and save.
     b. Try to ssh in from another window.  It should be
        denied.
     c. Take the IP out before you log off of the first session.
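
The lookup order described in points 2 and 3 of the reply, as an added example that is not part of the original message and is not the tcp_wrappers (libwrap) code. It is a simplified model that assumes only exact IPv4 addresses, `ALL`, and trailing-dot prefixes; the rule text and addresses are constructed samples.

```python
# Simplified model of the hosts.allow / hosts.deny decision order.
# Assumption: only exact IPv4 addresses, "ALL", and trailing-dot prefixes
# such as "192.0.2." are modelled; the real matcher supports more patterns.

def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny style text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def _match(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "192.0.2." matches by prefix
        return value.startswith(pattern)
    return pattern == value

def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(_match(d, daemon) for d in daemons)
            and any(_match(c, client_ip) for c in clients))

def decide(allow_text, deny_text, daemon, client_ip):
    """hosts.allow is consulted first; the first matching rule decides."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return "allow (hosts.allow)"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return "deny (hosts.deny)"
    return "allow (no match)"

# Constructed sample files for the test described in the thread.
DENY = "sshd: 127.0.0.1\n"
ALLOW_LOCAL = "# local access\nALL: 127.0.0.1\n"

if __name__ == "__main__":
    # Deny rule takes effect only when hosts.allow has no matching entry.
    print(decide("", DENY, "sshd", "127.0.0.1"))
    # An entry in hosts.allow for 127.0.0.1 wins over the deny line.
    print(decide(ALLOW_LOCAL, DENY, "sshd", "127.0.0.1"))
    # The daemon saw a different source address than the one in hosts.deny.
    print(decide("", DENY, "sshd", "192.0.2.10"))
```

The third case is why the logs are worth checking: a deny line only matters if it names the address the daemon actually recorded for the connection.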

