On Fri, Jan 23, 2009 at 2:22 PM, Paul Hartman <[email protected]> wrote: > On Tue, Jan 20, 2009 at 3:33 PM, Paul Hartman > <[email protected]> wrote: >> Hi, >> >> After setting up public key authentication i changed my sshd back to >> port 22 and got the expected bombardment of connection attempts. >> However, it doesn't seem to ever stop them. I'm using sshd with this >> setting: >> >> MaxAuthTries 3 >> >> in my /etc/ssh/sshd_config > [cut] > > Okay, I have some possible new embarrassing information... as well as > some new questions about access control. After combining all logs in > chronological order, it appears denyhosts IS properly adding the new > host to /etc/hosts.deny but it is simply not causing it to be > denied... See this sample: > > Jan 22 18:42:58 [sshd] Invalid user staff from 59.185.104.218 > Jan 22 18:43:01 [sshd] Invalid user sales from 59.185.104.218 > Jan 22 18:43:03 [sshd] Invalid user recruit from 59.185.104.218 > Jan 22 18:43:06 [denyhosts] Added the following hosts to > /etc/hosts.deny - 59.185.104.218 > (triband-mum-59.185.104.218.mtnl.net.in) > Jan 22 18:43:06 [sshd] Invalid user alias from 59.185.104.218 > Jan 22 18:43:09 [sshd] Invalid user office from 59.185.104.218 > Jan 22 18:43:11 [sshd] Invalid user samba from 59.185.104.218 > Jan 22 18:43:14 [sshd] Invalid user tomcat from 59.185.104.218 > Jan 22 18:43:22 [sshd] Invalid user webadmin from 59.185.104.218 > > So now I am going back to what I should have looked at in the very > beginning, my hosts.allow and hosts.deny rules. > > hosts.allow: > sshd: ALL > portmap: 127.0.0.1, 192.168.0.0/255.255.255.0 > lockd: 127.0.0.1, 192.168.0.0/255.255.255.0 > rquotad: 127.0.0.1, 192.168.0.0/255.255.255.0 > mountd: 127.0.0.1, 192.168.0.0/255.255.255.0 > statd: 127.0.0.1, 192.168.0.0/255.255.255.0 > ALL: 127.0.0.1, 192.168.0.0/255.255.255.0 > > > hosts.deny: > ALL: ALL > sshd: 58.213.125.25 > sshd: 75.37.250.107 > sshd: 147.83.29.83 > sshd: 59.185.104.218 > sshd: 210.40.128.31 > (and so on) > > From the manpage: > > ACCESS CONTROL FILES > The access control software consults two files. The search > stops at the first match: > - Access will be granted when a (daemon,client) pair > matches an entry in the /etc/hosts.allow file. > - Otherwise, access will be denied when a (daemon,client) > pair matches an entry in the /etc/hosts.deny file. > - Otherwise, access will be granted. > > doh! So, basically, when it sees sshd: ALL in hosts.allow, it stops > and allows access to everyone. It never even gets around to checking > the hosts.deny file. The fact that the login attempts stopped after > about an hour must have been purely coincidence. > > My intended purpose for those entires was to allow all sshd unless > they are in the deny file, but I also want to deny everything else > that doesn't have an explicit allow/deny rule. I don't think this is > possible using hosts.allow/hosts.deny unless I enumerate every > service. The deny ALL: ALL will deny me access to sshd. > > I essentially want it to work the other way around. Deny access by > default unless there is an allow rule. I don't think I can do that, > though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will > deny ME access to my own machine. I don't want that. Since I don't > have a specific IP i will connect from, I can't allow any specific IP > (or else I'd be doing it that way already). > > How can I accomplish this?: > > Allow all ssh connections unless they are in hosts.deny > Deny all other connections unless they are in hosts.allow > > Thanks and sorry for the misdirection :) > Paul >
After reading more, I see there is an EXCEPT rule as well.. so I can theoretically deny: ALL: ALL EXCEPT sshd and hopefully that will do what I was wanting... time to try it :)
