Solved

hosts.deny syntax

Posted on 2004-08-09
Last Modified: 2013-12-15
I am trying to deny access to ssh\sshd for a number of IPs from Asia that are constantly trying to hack my box.

I have edited my hosts.allow to the following:
#
# hosts.allow      This file describes the names of the hosts which are
#            allowed to use the local INET services, as decided
#            by the '/usr/sbin/tcpd' server.
#
sshd : 211.117.191. : deny
ssh  : 211.117.191. : deny
sshd : 193.145.87.  : deny
ssh  : 193.145.87.  : deny
sshd : 210.205.6.   : deny
ssh  : 210.205.6.   : deny
sshd : 211.104.106. : deny
ssh  : 211.104.106. : deny

then I restarted the xinetd.

My Question: IS THIS CORRECT?
I still have these little ba$tard$ in my logfiles.

How can I deny their subnet from being able to even TRY to login to my server?

thanks.
Question by:DBA_Frog
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 11753408
I'd do this by setting up an IPtables firewall that only allows ssh from safe hosts and other services that you might be running. If you use a default DENY stance for the INPUT chain you can explicitly permit only those services needed and limit ssh to "safe hosts".
 
LVL 1

Expert Comment

by:robot3367
ID: 11768556
On my Debian box, sshd appears to be started from /etc/rc2.d, not via the inetd mechanism.

Are you sure you have ssh configured correctly? Only users that have sent you their public keys should be able to get in through that route if configured to require this.

Maybe you have other ports open? Comment out all services from inetd.conf that you are (sure) you are not using.

You should be able to configure any cheapish hardware firewall to just accept ssh inwards connections - then tie down ssh with max security options.
 
LVL 40

Expert Comment

by:jlevie
ID: 11768888
> sshd appears to be started from /etc/rc2.d not via the inetd

Which is normal for sshd and brings up the point that unless your copy of sshd was built with libwrap support you can't use hosts.allow/hosts.deny for access control. You can check for that by 'ldd /path-to/sshd'.
 
LVL 4

Accepted Solution

by:marko020397 (earned 1000 total points)
ID: 11772141
Write them down into hosts.deny instead of hosts.allow. The syntax is the same as for hosts.allow. I would deny the numbers you wrote like this in hosts.deny.

sshd: 211.117.191., 193.145.87., 210.205.6., 211.104.106.
ssh: 211.117.191., 193.145.87., 210.205.6., 211.104.106.

This should do. I agree with jlevie that you should set up iptables as the first line of defense. The second line of defense is hosts.allow and hosts.deny.

The solution above for hosts.deny is not optimal. You should put "ALL:ALL" (everything except IPs from hosts.allow is denied) in hosts.deny and put only allowed IPs to hosts.allow.
 
LVL 1

Expert Comment

by:hazmatt81
ID: 11843184
Try using iptables instead of hosts.deny; it will be much safer.

iptables -A INPUT -p tcp -s x.x.x.x -d 0/0 --destination-port 22 --syn -j DROP


Ultimately you may want to set up iptables to block ssh to anyone but select IP addresses where you will come from.

# default policies: drop everything inbound and forwarded, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# flush any existing rules so the script is repeatable
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
# replies to connections we started
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# loopback must accept NEW connections too, otherwise local services break under the DROP policy
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 20 --syn -j ACCEPT
# Add one of the above lines changing the destination-port for every service ANYONE should access such as web and smtp
iptables -A INPUT -p tcp -s x.x.x.x/24 -d 0/0 --destination-port 3306 --syn -j ACCEPT
# add one of the above lines changing the -s (source) ip and destination-ports for all services only YOU or SELECT individuals should be accessing.  You can use an IP as in x.x.x.x or subnet as in x.x.x.x/24

Put this in a script somewhere (ie a bash file) and run it on system startup.
 
LVL 4

Expert Comment

by:marko020397
ID: 11869501
You can use iptables AND hosts.deny and hosts.allow files.
 
LVL 12

Expert Comment

by:paullamhkg
ID: 11971051
jlevie and hazmatt81 gave you very good hints on using a firewall to handle the sshd, but if you really need to use the hosts.allow or hosts.deny you can try to put the trusted host into your hosts.allow and put ALL:ALL in the hosts.deny

eg. in the hosts.deny

ALL:ALL

in the hosts.allow

sshd:10.0.0. (the whole subnet of 10.0.0 can access this linux box by ssh) or 10.0.0.1 (only this ip can access)

if it has multiple ips 10.0.0.1,10.0.0.3 (only ip 10.0.0.1 and 10.0.0.3 can use the ssh to access this linux box)

so every other service you also need to put into hosts.allow like pop3, imap etc... the system will read the hosts.deny to deny all services and allow following the hosts.allow.

But I totally agree with jlevie to use the iptable firewall which is much safer and more secure.

you can use the hosts.allow and hosts.deny at the beginning if you are not familiar with iptable or other types of firewall; once you get to know the firewall stuff use the firewall instead

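As an added illustration (not code from this thread), here is a small Python model of how tcpd evaluates hosts.allow and hosts.deny, covering the rule forms used in the accepted answer and in paullamhkg's comment: trailing-dot prefixes like 211.117.191., comma-separated client lists, ALL:ALL, net/mask patterns, and the ": deny" option form the asker used. The sample files are constructed; hostname patterns are not modelled, and the model says nothing about whether sshd was built with libwrap, which the files cannot fix.

```python
import ipaddress

# Constructed sample files (not from the thread) in the layout the accepted answer
# recommends: trusted sources in hosts.allow, "ALL : ALL" in hosts.deny.
HOSTS_ALLOW = """\
# blank lines and comments are ignored, as in the real files
sshd : 10.0.0.1, 10.0.0.3
sshd : 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = "ALL : ALL\n"


def parse_rules(text):
    """Yield (daemons, clients, option) per rule line; option is 'allow', 'deny' or None."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip().lower() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        # hosts_options(5) extension: a trailing ': allow' or ': deny' decides the request itself
        option = fields[2].lower() if len(fields) > 2 and fields[2].lower() in ("allow", "deny") else None
        yield daemons, clients, option


def client_matches(pattern, ip):
    """Subset of tcpd client patterns: ALL, 'a.b.c.' prefix, net/mask or CIDR, exact address."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):          # '211.117.191.' matches 211.117.191.0 - 211.117.191.255
        return ip.startswith(pattern)
    if "/" in pattern:                 # '192.168.1.0/255.255.255.0' or '192.168.1.0/24'
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip               # hostname patterns are not modelled here


def tcpd_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Search hosts.allow, then hosts.deny; the first matching rule wins, no match means allow."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, option in parse_rules(text):
            if ("all" in daemons or daemon.lower() in daemons) and any(client_matches(c, ip) for c in clients):
                return option or verdict
    return "allow"


if __name__ == "__main__":
    for daemon, ip in (("sshd", "10.0.0.1"), ("sshd", "211.117.191.5"), ("pop3", "10.0.0.1")):
        print(daemon, ip, "->", tcpd_decision(daemon, ip))
```

Passing the asker's original hosts.allow text shows that the ": deny" option form does match, which is why the accepted answer's advice only helps once sshd actually consults the files.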