Solved

hosts.deny syntax

Posted on 2004-08-09
7
1,358 Views
Last Modified: 2013-12-15
I am trying to deny access to ssh\sshd for a number of IP's from Asia that are constantly trying to hack my box.

I have edited my hosts.allow to the following::
#
# hosts.allow      This file describes the names of the hosts which are
#            allowed to use the local INET services, as decided
#            by the '/usr/sbin/tcpd' server.
#
sshd : 211.117.191. : deny
ssh  : 211.117.191. : deny
sshd : 193.145.87.  : deny
ssh  : 193.145.87.  : deny
sshd : 210.205.6.   : deny
ssh  : 210.205.6.   : deny
sshd : 211.104.106. : deny
ssh  : 211.104.106. : deny

then I restarted the xinetd.

My Question:: IS THIS CORRECT?
I still have these little ba$tard$ in my logfiles.

How can I deny their subnet from being able to even TRY to login to my server?

thanks.
0
Comment
Question by:DBA_Frog
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 11753408
I'd do this by setting up an IPtables firewall that only allows ssh from safe hosts and other serverices that you might be running. If you use a default DENY stance for the INPUT chain you can explictly permit only those services needed and limit ssh to "safe hosts".
0
 
LVL 1

Expert Comment

by:robot3367
ID: 11768556
On my Debian box, sshd appears to be started from /etc/rc2.d not  via the inetd mechanism.

Are you sure you have ssh configured correctly. Only users that have sent you their public keys should be able to get in through that route if configrued to require this.

Maybe you have other ports open? Comment out all services from inetd.conf that you are (sure) you are not using.

You should be able to configure any cheapish hardware firewall to just accept ssh inwards connections - then tie down ssh with max security options.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11768888
> sshd appears to be started from /etc/rc2.d not  via the inetd

Which is normal for sshd and brings up the point that unless your copy of sshd was built with libwrap support you can't use hosts.allow/hosts.deny for access control. You can check for that by 'ldd /path-to/sshd'.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 4

Accepted Solution

by:
marko020397 earned 250 total points
ID: 11772141
Write them down into hosts.deny instead of hosts.allow. The syntax is the same as for hosts.allow. I would deny the numbers you wrote like this in hosts.deny.

sshd: 211.117.191., 193.145.87., 210.205.6., 211.104.106.
ssh: 211.117.191., 193.145.87., 210.205.6., 211.104.106.

This should do. I agree with jlevie that you should set up iptables as the first line of defense. The second line of defense is hosts.allow and hosts.deny.

The solution above for hosts.deny is not optimal. You should put "ALL:ALL" (everything except IPs from hosts.allow is denied) in hosts.deny and put only allowed IPs to hosts.allow.
0
 
LVL 1

Expert Comment

by:hazmatt81
ID: 11843184
Try using iptables instead of hosts.deny it will be much safer.

iptables -A INPUT -p tcp -s x.x.x.x -d 0/0 --destination-port 22 --syn -j DROP


Ultimately you may want to setup iptables to block ssh to anyone but select ip addresses where you will come from.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 20 --syn -j ACCEPT
# Add one of the above lines changing the destination-port for every service ANYONE should access such as web and smtp
iptables -A INPUT -p tcp -s x.x.x.x/24 -d 0/0 --destination-port 3306 --syn -j ACCEPT
# add one of the above lines changing the -s (source) ip and destination-ports for all services only YOU or SELECT individuals should be accessing.  You can use an IP as in x.x.x.x or subnet as in x.x.x.x/24

Put this in a script somewhere (ie a bash file) and run it on system startup.
0
 
LVL 4

Expert Comment

by:marko020397
ID: 11869501
You can use iptables AND hosts.deny and hosts.allow files.
0
 
LVL 12

Expert Comment

by:paullamhkg
ID: 11971051
jlevie and hazmatt81 gave you very good hints on using a firewall to handling the sshd, but if you really need to use the hosts.allow or hosts.deny you can try put the trusted host into your hosts.allow and put ALL:ALL in the hosts.deny

eg. in the hosts.deny

ALL:ALL

in the hosts.allow

sshd:10.0.0. (the hole subnet of 10.0.0 can access this linux box by ssh) or 10.0.0.1 (only this ip can access)

if it have mulitple ip 10.0.0.1,10.0.0.3 (only ip 10.0.0.1 and 10.0.0.3 can use the ssh to access this linux box)

so every other servies you also need to put into hosts.allow like pop3, imap etc... the system will read the hosts.deny to deny all service and allow following the hosts.allow.

But I totally agree with jlevie to use the iptable firewall which is much more safe and secure.

you can use the hosts.allow and host.deny at the begining if you are not familar with iptable or other type of fire wall, once you got know to the firewall stuff use the firewall instead

0

Featured Post

Get proactive database performance tuning online

At Percona’s web store you can order full Percona Database Performance Audit in minutes. Find out the health of your database, and how to improve it. Pay online with a credit card. Improve your database performance now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up Secure Ubuntu server on VMware 1.      Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions. 2.      Power on th…
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses

631 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question