On Wed, 2005-08-24 at 13:40 -0500, STYMA, ROBERT E (ROBERT) wrote:
>
> > On 8/24/05, STYMA, ROBERT E (ROBERT) <stymar@xxxxxxxxxx> wrote:
> > > I just retested on FC3. The ssh that comes
> > > with the standard repos does honor the
> > > /etc/hosts.allow and /etc/hosts.deny files.
> > > I am not real familiar with the HOSTDENY program,
> > > but if it updates /etc/hosts.deny, ssh will
> > > honor it. The tcpwrappers program also checks
> > > /etc/hosts.deny and /etc/hosts.allow.
> > >
> > > You can easily test this by hand.
> >
> > What I did was the following:
> >
> > (I am logged in via ssh on a remote host.)
> >
> > 1. Open /etc/hosts.deny
> > 2. Add a line that reads "sshd: 127.0.0.1"
> > 3. Save and exit
> > 4. 'service sshd restart'
> > 5. 'ssh localhost'
> >
> > The document I linked to earlier says I should get the following
> > message "ssh_exchange_identification: Connection closed by remote
> > host". Instead I just get a new RSA key fingerprint message.
> >
> > Am I doing something wrong or is there another way to test it?
> >
> 1. As an aside, you do not have to restart sshd when you update
>    /etc/hosts.deny and /etc/hosts.allow.
> 2. /etc/hosts.allow is looked at first. Make sure it does not
>    have something in it to allow 127.0.0.1
> 3. Check the /var/log/messages and /var/log/secure to see what IP
>    the system thought was connecting.
> 4. Try this.
>    Note that changing /etc/hosts.allow and /etc/hosts.deny does
>    not affect ssh connections which are already established.
>    a. Put the IP address of the machine you are ssh'ing in from
>       originally in the /etc/hosts.deny file and save.
>    b. Try to ssh in from another window. It should be
>       denied.
>    c. Take the IP out before you log off of the first session.
>
> And a 5th wildcard, make sure that the name localhost actually refers
> to the loopback adapter 127.0.0.1 when you were doing an "ssh localhost".
Personally, you could just try a line that says "sshd: ALL" in the /etc/hosts.deny file to block everything in case it tries to get smart and go through your physical interface instead of lo.... And as recommended make sure there is nothing in /etc/hosts.allow that would allow this connection.... --Rob
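The evaluation order the thread relies on (hosts.allow consulted first and a match there wins, then hosts.deny, then allow by default) is the whole reason an "sshd: 127.0.0.1" deny line can appear not to work. The following is an added example, not code from the thread or from tcp_wrappers itself: a small Python model of the hosts_access(5) rules, run against constructed hosts.allow/hosts.deny contents that reproduce the scenarios discussed above (the loopback deny, a stray "sshd: ALL" in hosts.allow, the "sshd: ALL" deny, and a connection arriving over the physical interface instead of lo). It assumes IPv4 addresses only and leaves out @netgroup, daemon@host and shell-command fields; the names hosts_access, _parse and the sample file contents are this example's own.

```python
"""Simplified model of how tcp_wrappers decides a connection against
/etc/hosts.allow and /etc/hosts.deny (hosts_access(5) semantics).

Added example; not the libwrap source and not from the mailing-list thread.
Order: hosts.allow first, first matching rule grants; then hosts.deny,
first matching rule refuses; if nothing matches, access is granted.
Assumptions: IPv4 only; no @netgroup, daemon@host or shell-command handling.
"""
import ipaddress


def _parse(text):
    """Turn a hosts.allow/hosts.deny body into [(daemon_tokens, client_tokens)].
    Handles '#' comments, blank lines and backslash-newline continuations;
    an optional third ':' field (shell command) is ignored."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # tcp_wrappers logs malformed lines and skips them
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules


def _list_matches(tokens, match_one):
    """Evaluate 'a b EXCEPT c' lists. EXCEPT nests to the right:
    'a EXCEPT b EXCEPT c' means 'a EXCEPT (b EXCEPT c)'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(tokens[:i], match_one)
                and not _list_matches(tokens[i + 1:], match_one))
    return any(match_one(t) for t in tokens)


def _daemon_matches(tok, daemon):
    return tok == "ALL" or tok == daemon


def _client_matches(tok, ip, host):
    """host is the reverse-resolved client name, or None if lookup failed."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":            # any hostname without a dot
        return host is not None and "." not in host
    if tok == "KNOWN":
        return host is not None
    if tok == "UNKNOWN":
        return host is None
    if tok.startswith("."):       # domain suffix, e.g. .example.com
        return host is not None and host.lower().endswith(tok.lower())
    if tok.endswith("."):         # address prefix, e.g. 192.168.
        return ip.startswith(tok)
    if "/" in tok:                # net/mask or CIDR, e.g. 10.0.0.0/255.0.0.0
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    return tok == ip or (host is not None and tok.lower() == host.lower())


def _rule_matches(rule, daemon, ip, host):
    daemons, clients = rule
    return (_list_matches(daemons, lambda t: _daemon_matches(t, daemon))
            and _list_matches(clients, lambda t: _client_matches(t, ip, host)))


def hosts_access(daemon, client_ip, allow_text, deny_text, client_host=None):
    """Return (granted, reason) for one connection attempt."""
    for rule in _parse(allow_text):
        if _rule_matches(rule, daemon, client_ip, client_host):
            return True, "hosts.allow: %s : %s" % (" ".join(rule[0]), " ".join(rule[1]))
    for rule in _parse(deny_text):
        if _rule_matches(rule, daemon, client_ip, client_host):
            return False, "hosts.deny: %s : %s" % (" ".join(rule[0]), " ".join(rule[1]))
    return True, "no rule matched (default is to allow)"


if __name__ == "__main__":
    # Constructed file contents reproducing the thread's scenarios.
    scenarios = [
        ("deny loopback, client on lo",        "",                       "sshd: 127.0.0.1\n", "127.0.0.1"),
        ("deny loopback, client via eth0",     "",                       "sshd: 127.0.0.1\n", "192.168.1.5"),
        ("stray 'sshd: ALL' in hosts.allow",   "sshd: ALL\n",            "sshd: 127.0.0.1\n", "127.0.0.1"),
        ("'sshd: ALL' in hosts.deny",          "",                       "sshd: ALL\n",       "10.9.8.7"),
        ("whitelist LAN, deny everything else", "sshd: 192.168.1.0/24\n", "ALL: ALL\n",        "192.168.1.5"),
    ]
    for label, allow, deny, ip in scenarios:
        print("%-38s %s -> %s" % (label, ip, hosts_access("sshd", ip, allow, deny)))
```

On a real box the same question is answered by `tcpdmatch sshd 127.0.0.1` (shipped with tcp_wrappers), which evaluates the live files and also prints the client address and name it resolved, which is the quickest way to find out what IP the system thought was connecting.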