Solved

hosts.deny syntax

Posted on 2004-08-09
7
1,329 Views
Last Modified: 2013-12-15
I am trying to deny access to ssh\sshd for a number of IP's from Asia that are constantly trying to hack my box.

I have edited my hosts.allow to the following::
#
# hosts.allow      This file describes the names of the hosts which are
#            allowed to use the local INET services, as decided
#            by the '/usr/sbin/tcpd' server.
#
sshd : 211.117.191. : deny
ssh  : 211.117.191. : deny
sshd : 193.145.87.  : deny
ssh  : 193.145.87.  : deny
sshd : 210.205.6.   : deny
ssh  : 210.205.6.   : deny
sshd : 211.104.106. : deny
ssh  : 211.104.106. : deny

then I restarted the xinetd.

My Question:: IS THIS CORRECT?
I still have these little ba$tard$ in my logfiles.

How can I deny their subnet from being able to even TRY to login to my server?

thanks.
0
Comment
Question by:DBA_Frog
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 11753408
I'd do this by setting up an IPtables firewall that only allows ssh from safe hosts and other serverices that you might be running. If you use a default DENY stance for the INPUT chain you can explictly permit only those services needed and limit ssh to "safe hosts".
0
 
LVL 1

Expert Comment

by:robot3367
ID: 11768556
On my Debian box, sshd appears to be started from /etc/rc2.d not  via the inetd mechanism.

Are you sure you have ssh configured correctly. Only users that have sent you their public keys should be able to get in through that route if configrued to require this.

Maybe you have other ports open? Comment out all services from inetd.conf that you are (sure) you are not using.

You should be able to configure any cheapish hardware firewall to just accept ssh inwards connections - then tie down ssh with max security options.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11768888
> sshd appears to be started from /etc/rc2.d not  via the inetd

Which is normal for sshd and brings up the point that unless your copy of sshd was built with libwrap support you can't use hosts.allow/hosts.deny for access control. You can check for that by 'ldd /path-to/sshd'.
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 4

Accepted Solution

by:
marko020397 earned 250 total points
ID: 11772141
Write them down into hosts.deny instead of hosts.allow. The syntax is the same as for hosts.allow. I would deny the numbers you wrote like this in hosts.deny.

sshd: 211.117.191., 193.145.87., 210.205.6., 211.104.106.
ssh: 211.117.191., 193.145.87., 210.205.6., 211.104.106.

This should do. I agree with jlevie that you should set up iptables as the first line of defense. The second line of defense is hosts.allow and hosts.deny.

The solution above for hosts.deny is not optimal. You should put "ALL:ALL" (everything except IPs from hosts.allow is denied) in hosts.deny and put only allowed IPs to hosts.allow.
0
 
LVL 1

Expert Comment

by:hazmatt81
ID: 11843184
Try using iptables instead of hosts.deny it will be much safer.

iptables -A INPUT -p tcp -s x.x.x.x -d 0/0 --destination-port 22 --syn -j DROP


Ultimately you may want to setup iptables to block ssh to anyone but select ip addresses where you will come from.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 20 --syn -j ACCEPT
# Add one of the above lines changing the destination-port for every service ANYONE should access such as web and smtp
iptables -A INPUT -p tcp -s x.x.x.x/24 -d 0/0 --destination-port 3306 --syn -j ACCEPT
# add one of the above lines changing the -s (source) ip and destination-ports for all services only YOU or SELECT individuals should be accessing.  You can use an IP as in x.x.x.x or subnet as in x.x.x.x/24

Put this in a script somewhere (ie a bash file) and run it on system startup.
0
 
LVL 4

Expert Comment

by:marko020397
ID: 11869501
You can use iptables AND hosts.deny and hosts.allow files.
0
 
LVL 12

Expert Comment

by:paullamhkg
ID: 11971051
jlevie and hazmatt81 gave you very good hints on using a firewall to handling the sshd, but if you really need to use the hosts.allow or hosts.deny you can try put the trusted host into your hosts.allow and put ALL:ALL in the hosts.deny

eg. in the hosts.deny

ALL:ALL

in the hosts.allow

sshd:10.0.0. (the hole subnet of 10.0.0 can access this linux box by ssh) or 10.0.0.1 (only this ip can access)

if it have mulitple ip 10.0.0.1,10.0.0.3 (only ip 10.0.0.1 and 10.0.0.3 can use the ssh to access this linux box)

so every other servies you also need to put into hosts.allow like pop3, imap etc... the system will read the hosts.deny to deny all service and allow following the hosts.allow.

But I totally agree with jlevie to use the iptable firewall which is much more safe and secure.

you can use the hosts.allow and host.deny at the begining if you are not familar with iptable or other type of fire wall, once you got know to the firewall stuff use the firewall instead

0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

This is the error message I got (CODE) Error caused by incompatible libmp3lame 3.98-2 with ffmpeg I've googled this error message and found out sometimes it attaches this note "can be treated with downgrade libmp3lame to version 3.97 or 3.98" …
Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now