On Tue, Jan 20, 2009 at 3:33 PM, Paul Hartman
<paul.hartman+gen...@gmail.com> wrote:
> Hi,
>
> After setting up public key authentication I changed my sshd back to
> port 22 and got the expected bombardment of connection attempts.
> However, it doesn't seem to ever stop them. I'm using sshd with this
> setting:
>
> MaxAuthTries 3
>
> in my /etc/ssh/sshd_config
[cut]

Okay, I have some possible new embarrassing information... as well as
some new questions about access control. After combining all logs in
chronological order, it appears denyhosts IS properly adding the new
host to /etc/hosts.deny but it is simply not causing it to be
denied... See this sample:

Jan 22 18:42:58 [sshd] Invalid user staff from 59.185.104.218
Jan 22 18:43:01 [sshd] Invalid user sales from 59.185.104.218
Jan 22 18:43:03 [sshd] Invalid user recruit from 59.185.104.218
Jan 22 18:43:06 [denyhosts] Added the following hosts to
/etc/hosts.deny - 59.185.104.218
(triband-mum-59.185.104.218.mtnl.net.in)
Jan 22 18:43:06 [sshd] Invalid user alias from 59.185.104.218
Jan 22 18:43:09 [sshd] Invalid user office from 59.185.104.218
Jan 22 18:43:11 [sshd] Invalid user samba from 59.185.104.218
Jan 22 18:43:14 [sshd] Invalid user tomcat from 59.185.104.218
Jan 22 18:43:22 [sshd] Invalid user webadmin from 59.185.104.218

So now I am going back to what I should have looked at in the very
beginning, my hosts.allow and hosts.deny rules.

hosts.allow:
sshd: ALL
portmap: 127.0.0.1, 192.168.0.0/255.255.255.0
lockd: 127.0.0.1, 192.168.0.0/255.255.255.0
rquotad: 127.0.0.1, 192.168.0.0/255.255.255.0
mountd: 127.0.0.1, 192.168.0.0/255.255.255.0
statd: 127.0.0.1, 192.168.0.0/255.255.255.0
ALL: 127.0.0.1, 192.168.0.0/255.255.255.0
hosts.deny:
ALL: ALL
sshd: 58.213.125.25
sshd: 75.37.250.107
sshd: 147.83.29.83
sshd: 59.185.104.218
sshd: 210.40.128.31
(and so on)

From the manpage:

ACCESS CONTROL FILES
       The access control software consults two files. The search stops at the first match:
       -      Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.
       -      Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.
       -      Otherwise, access will be granted.

doh! So, basically, when it sees sshd: ALL in hosts.allow, it stops
and allows access to everyone. It never even gets around to checking
the hosts.deny file. The fact that the login attempts stopped after
about an hour must have been purely coincidence.

My intended purpose for those entries was to allow all sshd unless
they are in the deny file, but I also want to deny everything else
that doesn't have an explicit allow/deny rule. I don't think this is
possible using hosts.allow/hosts.deny unless I enumerate every
service. The deny ALL: ALL will deny me access to sshd.

I essentially want it to work the other way around. Deny access by
default unless there is an allow rule. I don't think I can do that,
though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will
deny ME access to my own machine. I don't want that. Since I don't
have a specific IP I will connect from, I can't allow any specific IP
(or else I'd be doing it that way already).

How can I accomplish this?

Allow all ssh connections unless they are in hosts.deny
Deny all other connections unless they are in hosts.allow

Thanks and sorry for the misdirection :)
Paul
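Added here as an illustration, not code from the poster or from tcp_wrappers: a small Python model of the three-step lookup quoted from the manpage, run against the hosts.allow/hosts.deny contents in the post. It assumes a simplified client matcher (ALL, single addresses and net/mask only, no EXCEPT, hostnames or options) and abridges the repeated NFS lines, which is enough to show why the denyhosts entry never takes effect while `sshd: ALL` sits in hosts.allow.

```python
import ipaddress
# The poster's hosts.allow and hosts.deny, abridged to the lines that matter
# (the lockd/rquotad/mountd/statd lines repeat the portmap pattern).
HOSTS_ALLOW = """\
sshd: ALL
portmap: 127.0.0.1, 192.168.0.0/255.255.255.0
ALL: 127.0.0.1, 192.168.0.0/255.255.255.0
"""
HOSTS_DENY = """\
ALL: ALL
sshd: 58.213.125.25
sshd: 59.185.104.218
"""

def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from 'daemons : clients' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":", 1)
            rules.append(([d.strip() for d in daemons.split(",")],
                          [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip):
    """Simplified matcher (assumption): ALL, an exact address, or net/mask only."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ip == ipaddress.ip_address(pattern)

def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and any(client_matches(c, ip) for c in clients)

def access(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Manpage order: first match in hosts.allow grants, then hosts.deny denies, else grant."""
    ip = ipaddress.ip_address(addr)
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return "granted by hosts.allow"
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return "denied by hosts.deny"
    return "granted by default"

if __name__ == "__main__":
    for daemon, addr in [("sshd", "59.185.104.218"), ("portmap", "192.168.0.5"), ("telnetd", "59.185.104.218")]:
        print(f"{daemon} from {addr}: {access(daemon, addr)}")
```

Passing `allow_text=""` to `access()` shows the same sshd connection from 59.185.104.218 being denied, which is the behaviour the denyhosts entry was meant to produce.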
