Solved

hosts.deny syntax

Posted on 2004-08-09
7
1,345 Views
Last Modified: 2013-12-15
I am trying to deny access to ssh\sshd for a number of IP's from Asia that are constantly trying to hack my box.

I have edited my hosts.allow to the following::
#
# hosts.allow      This file describes the names of the hosts which are
#            allowed to use the local INET services, as decided
#            by the '/usr/sbin/tcpd' server.
#
sshd : 211.117.191. : deny
ssh  : 211.117.191. : deny
sshd : 193.145.87.  : deny
ssh  : 193.145.87.  : deny
sshd : 210.205.6.   : deny
ssh  : 210.205.6.   : deny
sshd : 211.104.106. : deny
ssh  : 211.104.106. : deny

then I restarted the xinetd.

My Question:: IS THIS CORRECT?
I still have these little ba$tard$ in my logfiles.

How can I deny their subnet from being able to even TRY to login to my server?

thanks.
0
Comment
Question by:DBA_Frog
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 11753408
I'd do this by setting up an IPtables firewall that only allows ssh from safe hosts and other serverices that you might be running. If you use a default DENY stance for the INPUT chain you can explictly permit only those services needed and limit ssh to "safe hosts".
0
 
LVL 1

Expert Comment

by:robot3367
ID: 11768556
On my Debian box, sshd appears to be started from /etc/rc2.d not  via the inetd mechanism.

Are you sure you have ssh configured correctly. Only users that have sent you their public keys should be able to get in through that route if configrued to require this.

Maybe you have other ports open? Comment out all services from inetd.conf that you are (sure) you are not using.

You should be able to configure any cheapish hardware firewall to just accept ssh inwards connections - then tie down ssh with max security options.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11768888
> sshd appears to be started from /etc/rc2.d not  via the inetd

Which is normal for sshd and brings up the point that unless your copy of sshd was built with libwrap support you can't use hosts.allow/hosts.deny for access control. You can check for that by 'ldd /path-to/sshd'.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 4

Accepted Solution

by:
marko020397 earned 250 total points
ID: 11772141
Write them down into hosts.deny instead of hosts.allow. The syntax is the same as for hosts.allow. I would deny the numbers you wrote like this in hosts.deny.

sshd: 211.117.191., 193.145.87., 210.205.6., 211.104.106.
ssh: 211.117.191., 193.145.87., 210.205.6., 211.104.106.

This should do. I agree with jlevie that you should set up iptables as the first line of defense. The second line of defense is hosts.allow and hosts.deny.

The solution above for hosts.deny is not optimal. You should put "ALL:ALL" (everything except IPs from hosts.allow is denied) in hosts.deny and put only allowed IPs to hosts.allow.
0
 
LVL 1

Expert Comment

by:hazmatt81
ID: 11843184
Try using iptables instead of hosts.deny it will be much safer.

iptables -A INPUT -p tcp -s x.x.x.x -d 0/0 --destination-port 22 --syn -j DROP


Ultimately you may want to setup iptables to block ssh to anyone but select ip addresses where you will come from.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 20 --syn -j ACCEPT
# Add one of the above lines changing the destination-port for every service ANYONE should access such as web and smtp
iptables -A INPUT -p tcp -s x.x.x.x/24 -d 0/0 --destination-port 3306 --syn -j ACCEPT
# add one of the above lines changing the -s (source) ip and destination-ports for all services only YOU or SELECT individuals should be accessing.  You can use an IP as in x.x.x.x or subnet as in x.x.x.x/24

Put this in a script somewhere (ie a bash file) and run it on system startup.
0
 
LVL 4

Expert Comment

by:marko020397
ID: 11869501
You can use iptables AND hosts.deny and hosts.allow files.
0
 
LVL 12

Expert Comment

by:paullamhkg
ID: 11971051
jlevie and hazmatt81 gave you very good hints on using a firewall to handling the sshd, but if you really need to use the hosts.allow or hosts.deny you can try put the trusted host into your hosts.allow and put ALL:ALL in the hosts.deny

eg. in the hosts.deny

ALL:ALL

in the hosts.allow

sshd:10.0.0. (the hole subnet of 10.0.0 can access this linux box by ssh) or 10.0.0.1 (only this ip can access)

if it have mulitple ip 10.0.0.1,10.0.0.3 (only ip 10.0.0.1 and 10.0.0.3 can use the ssh to access this linux box)

so every other servies you also need to put into hosts.allow like pop3, imap etc... the system will read the hosts.deny to deny all service and allow following the hosts.allow.

But I totally agree with jlevie to use the iptable firewall which is much more safe and secure.

you can use the hosts.allow and host.deny at the begining if you are not familar with iptable or other type of fire wall, once you got know to the firewall stuff use the firewall instead

0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Linux haproxy: stop temporary haproxy service 9 47
AWS ELB 5 95
AWS Central Authentication 1 87
LogmeIn using Linux Ubuntu 16.04 6 63
rdate is a Linux command and the network time protocol for immediate date and time setup from another machine. The clocks are synchronized by entering rdate with the -s switch (command without switch just checks the time but does not set anything). …
Setting up Secure Ubuntu server on VMware 1.      Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions. 2.      Power on th…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question