On Tue, Jan 13, 2009 at 9:24 AM, Rich Shepard <[email protected]> wrote:
> Allowing only a limited number of user names to connect via ssh works for
> us because there are fewer than a handful of names. For my edification, is
> it impractical to maintain /etc/hosts.allow when there are many users on the
> network?
FWIW, we use /etc/ssh/sshd_config + /etc/group to handle users and
/etc/hosts.allow to handle IPs and hostnames.
For example, we created the group sshdusers:
$ sudo addgroup --system sshdusers
then added users to the group sshdusers:
$ user=${USER}
$ sudo usermod -a -G sshdusers $user
then added this line to /etc/ssh/sshd_config:
$ sudo grep AllowGroups /etc/ssh/sshd_config
AllowGroups sshdusers
and restarted sshd:
$ sudo /etc/init.d/ssh restart
If there are a large number of machines, then you may want to consider
using NIS or LDAP.
> Second question that comes from this discussion is the relative advantages
> of hosts.allow and hosts.deny. It would be nice to have someone clarify the
> differences for me.
In brief, (from "man hosts_access") the rules are these:
1) tcpwrappers stops on the first match
2) it checks hosts.allow first
3) it checks hosts.deny second
4) if no match, defaults to allow
However, you can get away with just the /etc/hosts.allow file. In
addition, you can use a separate file containing a list of hostnames,
IP addresses, or patterns. For example:
$ sudo tail -n +1 /etc/hosts.* | grep -v '^#'
==> /etc/hosts.allow <==
ALL : /etc/hosts.allow.list
ALL : /etc/hosts.deny.list : DENY
==> /etc/hosts.allow.list <==
127.0.0.0/29
==> /etc/hosts.deny <==
==> /etc/hosts.deny.list <==
127.0.0.2
In the above example setup, ssh will work from the localhost to all
127.0.0.x IP addresses except 127.0.0.2. That's because of two
reasons:
1) 127.0.0.2 does not match 127.0.0.0/29 in the allow file
2) 127.0.0.2 does match 127.0.0.2 in the deny file
All other 127.0.0.x IP addresses do work because the default is to
allow all. To change the default behaviour to deny, replace the last
line with this line in /etc/hosts.allow:
ALL : ALL : DENY
With that change, the IP addresses 127.0.0.{1,3..7} will work, but
all others will be denied, including 127.0.0.2.
HTH. Good luck and let us know how things work for you.
Regards,
- Robert
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
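As an added illustration (not part of Robert's post and not tcp_wrappers' own code), the Python below applies the four hosts_access rules from the post to an in-memory copy of the files it shows and reports which line decided each address. It assumes a net/prefix pattern such as 127.0.0.0/29 is read as a CIDR block (127.0.0.0 through 127.0.0.7); real tcpd builds differ in whether they accept that form in addition to the classic net/mask form, so this is a model of the rules, not of one particular binary. Because the first matching line wins, an address listed in both files is decided by whichever line comes first, so the script also evaluates the same hosts.allow with its two lines swapped.

```python
import ipaddress

# Constructed in-memory stand-in for the files shown in the post (no disk access).
FILES = {
    "/etc/hosts.allow": ["ALL : /etc/hosts.allow.list",
                         "ALL : /etc/hosts.deny.list : DENY"],
    "/etc/hosts.deny": [],
    "/etc/hosts.allow.list": ["127.0.0.0/29"],
    "/etc/hosts.deny.list": ["127.0.0.2"],
}

def client_matches(pattern, addr, files):
    """ALL, a file of patterns (one per line), net/mask or net/prefix, or one address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):
        return any(client_matches(p.strip(), addr, files)
                   for p in files.get(pattern, []) if p.strip())
    if "/" in pattern:  # assumption: net/mask and net/prefix are both read as a CIDR block
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)

def parse_rules(lines):
    """Yield (daemons, clients, options) for each 'daemons : clients [: option]' line."""
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            fields = [f.strip() for f in line.split(":")]
            yield fields[0].split(), fields[1].split(), [o.upper() for o in fields[2:]]

def hosts_access(daemon, client, files=FILES):
    """Rules from the post: first match wins, hosts.allow before hosts.deny,
    no match means allow.  Returns (decision, matching line or 'default')."""
    addr = ipaddress.ip_address(client)
    for path, verdict in (("/etc/hosts.allow", "allow"), ("/etc/hosts.deny", "deny")):
        for daemons, clients, options in parse_rules(files.get(path, [])):
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(client_matches(c, addr, files) for c in clients):
                if "DENY" in options:      # an explicit option overrides the file's verdict
                    verdict = "deny"
                elif "ALLOW" in options:
                    verdict = "allow"
                return verdict, "%s: %s" % (path, " : ".join([" ".join(daemons), " ".join(clients)] + options))
    return "allow", "default"

if __name__ == "__main__":
    swapped = {**FILES, "/etc/hosts.allow": FILES["/etc/hosts.allow"][::-1]}  # deny list first
    for host in ("127.0.0.1", "127.0.0.2", "127.0.0.9"):
        print(host, hosts_access("sshd", host), hosts_access("sshd", host, swapped))
```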