Using Fedora: General support for current versions. Ask questions about Fedora and its software that do not belong in any other forum.

13th September 2006, 09:22 PM
Registered User
Join Date: Mar 2006
Location: Atlanta, Ga
Age: 77
Posts: 122

hosts.allow
OK, I read and read, and try this and that, not working yet. I want to ALLOW a specific IP address access to my ssh. I am running denyhosts.py normally, and I don't want to get rid of it. I have to put that IP addy in /etc/hosts.allow to let him in. However, I can't get it right, as root keeps getting a denyhosts report that he has been banned from the server. What's the thing I don't understand, here, please?
__________________
Ray -- ray at raymondjones.net www.raymondjones.net

13th September 2006, 09:46 PM
Registered User
Join Date: Jul 2005
Location: Wine Country, California
Posts: 2,862

It might help if you posted your hosts.allow so someone could see if it was correct, but here's mine (secured of course)
Code:
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd : 127.0.0.1 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
I don't use denyhosts, so I can't say whether or not the 2 are compatible. I use /etc/hosts.deny instead
Code:
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd : ALL
With this, I believe the deny script is read first, and sshd : ALL denies everyone ssh access unless specifically permitted by /etc/hosts.allow
__________________
Mark N.
Perpetual Newbie
--
I wanted to proclaim myself "The Typo King" but there's way too much competition. :p
411874 Get Counted

14th September 2006, 01:17 AM
Registered User
Join Date: May 2005
Posts: 288

^IIRC everything not specified in hosts.allow is blocked by default.
The problem isn't hosts.allow, it's that the SSH configuration is set to deny logging in as root. It should do that, it makes it more secure. Without being able to log in directly as root via SSH, you have to use whatever authentication is set up for SSH and then use su, so you have to know two passwords.
If you're not using public key cryptography for SSH right now, you should start. I made a how-to on that here.

14th September 2006, 01:26 AM
Registered User
Join Date: Jul 2005
Location: Wine Country, California
Posts: 2,862

a thing: Thanks for the clarification.
GL1800: is the user trying to log in as root or as his_username?
__________________
Mark N.
Perpetual Newbie
--
I wanted to proclaim myself "The Typo King" but there's way too much competition. :p
411874 Get Counted

14th September 2006, 02:55 AM
Registered User
Join Date: Feb 2005
Location: Buffalo, Ny
Posts: 875

I do run denyhosts. I believe that u-noneinc-s is correct. If you have ALL: sshd in hosts.deny, then all hosts not listed in hosts.allow will be locked out. The hosts.allow file is read first. If a match is found, then it stops and allows the host. If no match is found, then the hosts.deny is found. If no match is found there, the host is allowed access unless, such as root, it is specifically banned in the sshd_config file, which it is by default.
Denyhosts will add a host to the hosts.deny list when they have failed to log-in correctly "x" number of times within a short period of time or possibly "x" number of times before a successful login. I believe that I have mine set for 3 bad attempts in 10 minutes. If a successful one comes in, it then resets the counter.
This blocks the script-kiddies pretty well as long as you have strong passwords.
I like it.
Jeff
__________________
Registered Linux User #411071
If at first you don't succeed, read the man page again!

14th September 2006, 12:13 PM
Registered User
Join Date: Mar 2006
Location: Atlanta, Ga
Age: 77
Posts: 122

Yes, the man page makes clear it reads .allow first. If found, no need to read .deny. The user is not trying to log in as root, but as a user. How's this?
Code:
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
SSHD : 24.99.XX.XX
__________________
Ray -- ray at raymondjones.net www.raymondjones.net

14th September 2006, 01:56 PM
Registered User
Join Date: Apr 2005
Location: Finland
Posts: 5,076

The hosts.allow file is case sensitive, so it's "sshd" not "SSHD".
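A small model of the TCP wrappers lookup order described in Jeff's post (hosts.allow first, then hosts.deny, otherwise allowed) together with the literal daemon-name matching behind the "SSHD" vs "sshd" correction above. This is example code added here, not from the original posts or from tcpd itself; it covers only the ALL, exact address, dotted-prefix and CIDR client forms, and the file contents are constructed.

```python
import ipaddress

# Constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny (not the
# poster's real files). The lookup order modelled here is the one the thread
# describes: hosts.allow first, then hosts.deny, else access is granted.
HOSTS_ALLOW = """
# allow sshd from localhost and one trusted address only
sshd : 127.0.0.1 24.99.1.2
"""
HOSTS_DENY = """
# everyone else is refused for sshd (what DenyHosts keeps appending to)
sshd : ALL
"""

def parse_rules(text):
    """Return [(daemon, [client patterns])] for each 'daemon : clients' line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # strip comments/blanks
        if ":" in line:
            daemon, clients = line.split(":", 1)
            rules.append((daemon.strip(), clients.split()))
    return rules

def client_matches(pattern, addr):
    """ALL, an exact IPv4 address, a dotted prefix such as '24.99.', or CIDR."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern

def rule_matches(rules, daemon, addr):
    # Daemon names are compared literally, so "SSHD" never matches "sshd".
    return any(d == daemon and any(client_matches(p, addr) for p in pats)
               for d, pats in rules)

def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """A hosts.allow match wins; otherwise a hosts.deny match refuses;
    otherwise (no match in either file) the connection is allowed."""
    if rule_matches(parse_rules(allow_text), daemon, addr):
        return True
    if rule_matches(parse_rules(deny_text), daemon, addr):
        return False
    return True
```

With the uppercase "SSHD" line from the earlier post as the allow file, the trusted address falls through to the sshd : ALL deny rule, which is exactly the symptom reported at the top of the thread.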

14th September 2006, 01:58 PM
Registered User
Join Date: Mar 2006
Location: Atlanta, Ga
Age: 77
Posts: 122

AHHHH!!! OK, I corrected that, and thank you!
__________________
Ray -- ray at raymondjones.net www.raymondjones.net