RE: Confused about tcp_wrappers and sshd

On Wed, 2005-08-24 at 13:40 -0500, STYMA, ROBERT E (ROBERT) wrote:
> > 
> > On 8/24/05, STYMA, ROBERT E (ROBERT) <stymar@xxxxxxxxxx> wrote:
> > > I just retested on FC3.  The ssh that comes
> > > with the standard repos does honor the
> > > /etc/hosts.allow and /etc/hosts.deny files.
> > > I am not real familiar with the HOSTDENY program,
> > > but if it updates /etc/hosts.deny, ssh will
> > > honor it.  The tcpwrappers program also checks
> > > /etc/hosts.deny and /etc/hosts.allow.
> > > 
> > > You can easily test this by hand.
> > 
> > What I did was the following:
> > 
> > (I am logged in via ssh on a remote host.)
> > 
> > 1. Open /etc/hosts.deny
> > 2. Add a line that reads "sshd: 127.0.0.1"
> > 3. Save and exit
> > 4. 'service sshd restart'
> > 5. 'ssh localhost'
> > 
> > The document I linked to earlier says I should get the following
> > message "ssh_exchange_identification: Connection closed by remote
> > host". Instead I just get a new RSA key fingerprint message.
> > 
> > Am I doing something wrong or is there another way to test it?
> > 
> > 
> 1.  As an aside, you do not have to restart sshd when you update
>     /etc/hosts.deny and /etc/hosts.allow.
> 2.  /etc/hosts.allow is looked at first.  Make sure it does not
>     have something in it to allow 127.0.0.1
> 3.  Check the /var/log/messages and /var/log/secure to see what IP
>     the system thought was connecting.
> 4.  Try this.
>      Note that changing /etc/hosts.allow and /etc/hosts.deny does
>      not affect ssh connections which are already established.
>      a. Put the IP address of the machine you are ssh'ing in from
>         originally in the /etc/hosts.deny file and save.
>      b. Try to ssh in from another window.  It should be
>         denied.
>      c. Take the IP out before you log off of the first session.
> 
And a 5th wildcard: make sure that the name localhost actually refers to
the loopback adapter 127.0.0.1 when you are doing an "ssh localhost".
Personally, you could just try a line that says "sshd: ALL" in
the /etc/hosts.deny file to block everything in case it tries to get
smart and go through your physical interface instead of lo....  And as
recommended make sure there is nothing in /etc/hosts.allow that would
allow this connection....

--Rob
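To see why the steps above matter, here is an added example (not part of the thread) that models the hosts_access(5) evaluation order the replies describe: hosts.allow is consulted first, then hosts.deny, and the default is allow. It is a simplified model: only ALL, exact addresses, trailing-dot prefixes and net/mask pairs are handled, and hostnames, IPv6 and EXCEPT clauses are left out; the file contents and client addresses are constructed.

```python
"""Simplified model of tcp_wrappers hosts.allow / hosts.deny evaluation (added example)."""
import ipaddress

def parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines into (daemons, clients) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        parts = [p.strip() for p in line.split(":")]  # IPv6 literals (with colons) are not modeled
        if len(parts) < 2:
            continue
        daemons = {d.strip() for d in parts[0].split(",")}
        clients = {c.strip() for c in parts[1].split(",")}
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, client_ip):
    """ALL, an exact address, a trailing-dot prefix ('192.168.1.') or a net/mask pair."""
    addr = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == client_ip

def file_matches(rules, daemon, client_ip):
    """True if any rule names this daemon (or ALL) and one of its client patterns matches."""
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, client_ip) for c in clients)
               for daemons, clients in rules)

def access_decision(allow_text, deny_text, daemon, client_ip):
    """hosts.allow first (a match ends the search), then hosts.deny, otherwise allow."""
    if file_matches(parse_rules(allow_text), daemon, client_ip):
        return "allow"
    if file_matches(parse_rules(deny_text), daemon, client_ip):
        return "deny"
    return "allow"

if __name__ == "__main__":
    # Constructed scenarios from the thread: "sshd: 127.0.0.1" in hosts.deny only bites when
    # hosts.allow has no matching entry and the connection really arrives from 127.0.0.1;
    # "sshd: ALL" also catches a connection that came in over the physical interface.
    deny_local, deny_all = "sshd: 127.0.0.1\n", "sshd: ALL\n"
    allow_local = "# leftover entry that defeats the test\nsshd: 127.0.0.1\n"
    for allow, deny, client in [("", deny_local, "127.0.0.1"), (allow_local, deny_local, "127.0.0.1"),
                                ("", deny_local, "192.168.1.5"), ("", deny_all, "192.168.1.5")]:
        print(f"allow={allow!r} deny={deny!r} client={client} -> {access_decision(allow, deny, 'sshd', client)}")
```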

