  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1369

hosts.deny syntax

I am trying to deny access to ssh/sshd for a number of IPs from Asia that are constantly trying to hack my box.

I have edited my hosts.allow to the following:
#
# hosts.allow      This file describes the names of the hosts which are
#            allowed to use the local INET services, as decided
#            by the '/usr/sbin/tcpd' server.
#
sshd : 211.117.191. : deny
ssh  : 211.117.191. : deny
sshd : 193.145.87.  : deny
ssh  : 193.145.87.  : deny
sshd : 210.205.6.   : deny
ssh  : 210.205.6.   : deny
sshd : 211.104.106. : deny
ssh  : 211.104.106. : deny

Then I restarted xinetd.

My question: Is this correct?
I still have these little ba$tard$ in my logfiles.

How can I deny their subnet from being able to even TRY to log in to my server?

Thanks.
Asked by DBA_Frog

1 Solution

jlevie commented:
I'd do this by setting up an iptables firewall that only allows ssh from safe hosts, and other services that you might be running. If you use a default DENY stance for the INPUT chain you can explicitly permit only those services needed and limit ssh to "safe hosts".
 
robot3367 commented:
On my Debian box, sshd appears to be started from /etc/rc2.d, not via the inetd mechanism.

Are you sure you have ssh configured correctly? Only users who have sent you their public keys should be able to get in through that route, if it is configured to require this.

Maybe you have other ports open? Comment out all services from inetd.conf that you are sure you are not using.

You should be able to configure any cheapish hardware firewall to accept only inbound ssh connections; then tie down ssh with maximum security options.
 
jlevie commented:
> sshd appears to be started from /etc/rc2.d not via the inetd

Which is normal for sshd, and brings up the point that unless your copy of sshd was built with libwrap support you can't use hosts.allow/hosts.deny for access control. You can check for that with 'ldd /path-to/sshd'.
marko020397 commented:
Write them into hosts.deny instead of hosts.allow. The syntax is the same as for hosts.allow. I would deny the addresses you wrote like this in hosts.deny:

sshd: 211.117.191., 193.145.87., 210.205.6., 211.104.106.
ssh: 211.117.191., 193.145.87., 210.205.6., 211.104.106.

This should do. I agree with jlevie that you should set up iptables as the first line of defense; the second line of defense is hosts.allow and hosts.deny.

The solution above for hosts.deny is not optimal. You should put "ALL:ALL" (everything except IPs from hosts.allow is denied) in hosts.deny and put only the allowed IPs in hosts.allow.
 
hazmatt81 commented:
Try using iptables instead of hosts.deny; it will be much safer.

iptables -A INPUT -p tcp -s x.x.x.x -d 0/0 --destination-port 22 --syn -j DROP


Ultimately you may want to set up iptables to block ssh from anyone but the select IP addresses you will come from.

# Default policy: drop everything coming in or passing through; let the box talk out.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Start from empty chains so the script can be re-run safely.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
# Replies to connections this host opened, and everything on loopback.
# (Loopback must accept NEW connections too, or local clients can't reach local services.)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Services ANYONE may reach: one line per port.
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 20 --syn -j ACCEPT
# Add one of the above lines, changing the destination-port, for every service ANYONE should access, such as web and smtp.
# Services only YOU or SELECT individuals may reach: restrict by source as well as port.
iptables -A INPUT -p tcp -s x.x.x.x/24 -d 0/0 --destination-port 3306 --syn -j ACCEPT
# Add one of the above lines, changing the -s (source) IP and destination-port, for all services only YOU or SELECT individuals should be accessing. You can use an IP as in x.x.x.x or a subnet as in x.x.x.x/24.

Put this in a script somewhere (e.g. a bash file) and run it at system startup.
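Added example (not code from any poster in this thread): a Python script that does at the log level what the question asks for. It pulls the source addresses out of sshd "Failed password" lines, rolls them up into /24 networks, drops anything overlapping a trusted network so you cannot block yourself, and emits both a hosts.deny line in the trailing-dot notation used in this thread and per-network iptables DROP rules of the same shape as hazmatt81's single-host rule (written with --dport, the short form of --destination-port). The log lines are constructed for the example; the OpenSSH message format ("Failed password for [invalid user] NAME from ADDR port N ssh2") is the real one. The failure threshold, the /24 roll-up and the trusted-network list are choices of this example, not something the thread prescribes.

```python
"""Pull sshd brute-force sources out of an auth log, roll them up to /24s and emit
hosts.deny and iptables blocks.  Added example; the log lines are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample in OpenSSH's syslog format (not real log data).
SAMPLE_AUTH_LOG = """\
Mar 10 02:11:42 host sshd[4121]: Failed password for root from 211.117.191.5 port 53212 ssh2
Mar 10 02:11:44 host sshd[4121]: Failed password for root from 211.117.191.5 port 53213 ssh2
Mar 10 02:11:51 host sshd[4133]: Failed password for invalid user admin from 211.117.191.77 port 40110 ssh2
Mar 10 02:12:03 host sshd[4140]: Failed password for invalid user test from 193.145.87.14 port 1030 ssh2
Mar 10 02:12:09 host sshd[4150]: Accepted publickey for dba from 10.0.0.1 port 50110 ssh2
Mar 10 02:12:30 host sshd[4161]: Failed password for invalid user oracle from 210.205.6.200 port 2222 ssh2
Mar 10 02:12:31 host sshd[4161]: Failed password for invalid user oracle from 210.205.6.200 port 2223 ssh2
Mar 10 02:12:32 host sshd[4161]: Failed password for invalid user oracle from 210.205.6.200 port 2224 ssh2
"""

# OpenSSH logs "Failed password for [invalid user ]NAME from ADDR port N ssh2".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def failed_logins_per_net(log_text, prefixlen=24):
    """Count failed password attempts per source network (default: /24)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return counts


def offenders(log_text, threshold=2, prefixlen=24, trusted=()):
    """Networks with at least `threshold` failures, busiest first, minus anything
    overlapping a trusted network (so a typo cannot lock you out)."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    result = []
    for net, n in failed_logins_per_net(log_text, prefixlen).most_common():
        network = ipaddress.ip_network(net)
        if n >= threshold and not any(network.overlaps(t) for t in trusted_nets):
            result.append(net)
    return result


def hosts_deny_line(nets, daemon="sshd"):
    """tcp_wrappers line: a /24 becomes a trailing-dot prefix ('211.117.191.'),
    anything else the net/mask form that hosts_access(5) accepts."""
    parts = []
    for net in nets:
        network = ipaddress.ip_network(net)
        if network.version == 4 and network.prefixlen == 24:
            parts.append(".".join(str(network.network_address).split(".")[:3]) + ".")
        else:
            parts.append(f"{network.network_address}/{network.netmask}")
    return f"{daemon}: " + ", ".join(parts)


def iptables_rules(nets, port=22):
    """One DROP rule per network, same shape as the single-host rule above."""
    return [f"iptables -A INPUT -p tcp -s {net} --dport {port} --syn -j DROP" for net in nets]


if __name__ == "__main__":
    bad = offenders(SAMPLE_AUTH_LOG, threshold=2, trusted=("10.0.0.0/24",))
    print(hosts_deny_line(bad))
    print("\n".join(iptables_rules(bad)))
```

To run it against a real box, feed `offenders()` the contents of /var/log/auth.log (or /var/log/secure on Red Hat-style systems) and review the list before installing anything: a /24 block also hits every innocent host in that range, and the rules only stop the noise in the log if sshd is actually reached through iptables (always) or libwrap (only if sshd was built with it, as jlevie notes above).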
 
marko020397 commented:
You can use iptables AND the hosts.deny and hosts.allow files.
 
paullamhkg commented:
jlevie and hazmatt81 gave you very good hints on using a firewall to handle sshd, but if you really need to use hosts.allow or hosts.deny you can try putting the trusted hosts into your hosts.allow and ALL:ALL in hosts.deny.

e.g. in hosts.deny

ALL:ALL

in hosts.allow

sshd:10.0.0. (the whole 10.0.0 subnet can access this Linux box by ssh) or 10.0.0.1 (only this IP can access)

If there are multiple IPs: 10.0.0.1,10.0.0.3 (only 10.0.0.1 and 10.0.0.3 can use ssh to access this Linux box)

So every other service you also need to put into hosts.allow, like pop3, imap etc. The system reads hosts.deny to deny all services and allows following hosts.allow.

But I totally agree with jlevie that using the iptables firewall is much safer and more secure.

You can use hosts.allow and hosts.deny at the beginning if you are not familiar with iptables or other types of firewall; once you get to know the firewall stuff, use the firewall instead.
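Added example, not code from any poster: a Python re-implementation of the libwrap decision order that marko020397's and paullamhkg's ALL:ALL layout relies on (hosts.allow is consulted first, then hosts.deny, and a connection that matches nothing in either file is allowed), with the client-pattern forms used in this thread: ALL, a trailing-dot address prefix, an exact address, a net/mask pair and the EXCEPT operator, plus the extended-syntax allow/deny option field that the original poster used. Running it shows two things the replies point at: a hosts.allow rule with a trailing ": deny" does deny, so the poster's file was valid provided sshd was built with libwrap, and the "ssh" lines can never match because libwrap compares the daemon field against the server's process name, which is "sshd". The file contents below are constructed samples (the poster's own file is copied in trimmed form); hostname patterns and the other hosts_access(5) wildcards (LOCAL, KNOWN, PARANOID) are left out.

```python
"""Re-implementation of the libwrap (tcp_wrappers) access decision.
Added example for this thread; the sample file contents are constructed."""
import ipaddress


def _tokens(field):
    """Daemon and client lists are separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def _parse(text):
    """Return (daemon_list, client_list, options) for every rule in a hosts.* file.
    '#' starts a comment, a trailing backslash joins the next line."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        pending += line
        fields = [f.strip() for f in pending.split(":")]
        pending = ""
        if len(fields) >= 2 and fields[0]:
            rules.append((_tokens(fields[0]), _tokens(fields[1]),
                          [o.lower() for o in fields[2:]]))
    return rules


def _match_client(pattern, addr):
    """Client patterns used in the thread, matched against an IPv4 address string."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):            # '211.117.191.' is a string prefix of the address
        return addr.startswith(pattern)
    if "/" in pattern:                   # 'n.n.n.n/m.m.m.m' net/mask pair
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == addr               # exact address


def _match_daemon(pattern, daemon):
    """The daemon field is the server's process name (argv[0]); ALL is the wildcard."""
    return pattern.upper() == "ALL" or pattern == daemon


def _match_list(items, value, match_one):
    """'a b EXCEPT c d' matches when (a or b) matches and (c or d) does not."""
    upper = [i.upper() for i in items]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return _match_list(items[:i], value, match_one) and not _match_list(items[i + 1:], value, match_one)
    return any(match_one(p, value) for p in items)


def _first_match(rules, daemon, addr):
    for daemons, clients, options in rules:
        if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, addr, _match_client):
            return options
    return None


def hosts_access(daemon, addr, hosts_allow, hosts_deny):
    """'allow' or 'deny', in libwrap's order: hosts.allow, then hosts.deny, then allow."""
    opts = _first_match(_parse(hosts_allow), daemon, addr)
    if opts is not None:
        return "deny" if "deny" in opts else "allow"    # extended syntax: a 'deny' option overrides
    opts = _first_match(_parse(hosts_deny), daemon, addr)
    if opts is not None:
        return "allow" if "allow" in opts else "deny"   # and an 'allow' option in hosts.deny overrides
    return "allow"                                      # no match in either file: access granted


# The poster's hosts.allow, trimmed (constructed copy).  The 'ssh' line is dead:
# the daemon name libwrap sees for OpenSSH is 'sshd'.
OP_HOSTS_ALLOW = """\
sshd : 211.117.191. : deny
ssh  : 211.117.191. : deny
sshd : 193.145.87.  : deny
"""

# The default-deny layout recommended in the replies (constructed sample).
DENY_ALL = "ALL : ALL\n"
ALLOW_TRUSTED = """\
# two admin hosts, and a lab subnet minus one box
sshd : 10.0.0.1, 10.0.0.3
sshd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.250
"""

if __name__ == "__main__":
    for daemon, addr in [("sshd", "211.117.191.5"), ("sshd", "211.117.19.5")]:
        print(f"poster's file:  {daemon} from {addr} -> {hosts_access(daemon, addr, OP_HOSTS_ALLOW, '')}")
    for daemon, addr in [("sshd", "10.0.0.1"), ("sshd", "10.0.0.2"),
                         ("sshd", "192.168.1.250"), ("in.ftpd", "10.0.0.1")]:
        print(f"ALL:ALL layout: {daemon} from {addr} -> {hosts_access(daemon, addr, ALLOW_TRUSTED, DENY_ALL)}")
```

The point of the ALL:ALL layout shows up in the last case: once hosts.deny says ALL:ALL, every wrapped service, not just sshd, is closed until it gets its own hosts.allow line, which is why paullamhkg says pop3, imap and the rest have to be listed there too. Whether a given daemon consults these files at all still depends on it being linked against libwrap (or started through tcpd), which is the check jlevie describes.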
