please help about host.deny

boymissu

I want to use host.deny to protect shell.
I use CentOS 3.4.
Is this below correct?

in.sshd:ALL EXCEPT xxx.,xxx.xxx.

Thanks
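
How a rule of the shape asked about above is evaluated, as an added example that is not part of the original thread: a simplified Python model of hosts_access(5) matching, not libwrap itself. The function names are hypothetical, the address prefixes are constructed documentation ranges standing in for the masked "xxx." values, and the daemon is assumed to run under the process name sshd.

```python
# Added example: simplified model of hosts_access(5) matching, not libwrap.
# Covers only ALL, trailing-dot address prefixes, exact addresses and EXCEPT.
import re

def _split(items):
    # List elements are separated by blanks and/or commas.
    return [t for t in re.split(r"[\s,]+", items.strip()) if t]

def _match_one(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # "192.0.2." matches any 192.0.2.x address
        return value.startswith(pattern)
    return pattern == value

def _match_list(tokens, value):
    # "list_1 EXCEPT list_2" matches list_1 unless it also matches list_2.
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(tokens[:i], value)
                and not _match_list(tokens[i + 1:], value))
    return any(_match_one(t, value) for t in tokens)

def denied(hosts_deny_text, daemon, client_ip):
    """True if a hosts.deny line matches (daemon process name, client IP)."""
    for line in hosts_deny_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        if (_match_list(_split(daemons), daemon)
                and _match_list(_split(clients), client_ip)):
            return True
    return False

# Constructed rule; the prefixes are placeholders, not the poster's values.
RULE = "sshd: ALL EXCEPT 192.0.2., 198.51.100."

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "denied" if denied(RULE, "sshd", ip) else "allowed")
    # The daemon field is compared with the server's process name, so a line
    # written for "in.sshd" never matches a daemon that runs as "sshd".
    print(denied(RULE.replace("sshd", "in.sshd", 1), "sshd", "203.0.113.5"))
```

The model covers hosts.deny only; in real tcp wrappers hosts.allow is consulted first and a match there grants access before hosts.deny is read.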
 
You'll need to configure ssh to use xinetd (and not run as a daemon) if you want to use tcp wrappers (host.allow and host.deny) AFAIK. In general, I wouldn't recommend this.

SSH is already pretty secure with the DA configurations, and if your IP happens to change, you'll have no way to access the machine.

If you really want to restrict access to certain IPs for ssh, I'd suggest doing it at the firewall.
 
I don't know if you can protect sshd with hosts.deny or not because I haven't tested it to see if it's compiled in.

Have you, Ballyn?

If the sshd has support for hosts.deny built in, it would be the ideal way to protect it from login attempts from unwanted IP#s.

However, because your IP# could change at any time (such as your connection fails and you have to login from a dialup account) I do NOT recommend protecting ssh from specific IP#s.

And in that, you're certainly correct.

Jeff
 
Can you suggest how to protect against ssh attacks?
I have many attackers attacking my server by ssh.
 
Why don't you use iptables?

Code:
iptables -P INPUT  ACCEPT
iptables -A INPUT -i eth0  -p tcp --dport 22 ! -s xxx.xxx.xxx.xxx/xx -j DROP

Also, for more security you can edit sshd_config
and say PermitRootLogin no, so you can use another account to log in and after that type su - and become root.
 
Adding to iptables manually isn't going to do much because the IP#s change often, and by the time you've blocked one the attackers will have moved on two or three times already.

You can get prompt blocking by installing the APF firewall (search for it in these forums), but even then by the time it reacts the attackers will probably move on.

While you may feel better if you block them, the best defense is still to disallow root from ssh, and to use secure passwords.

Blocking them with APF will give you a whole new set of log entries, and reports on them as well.

Jeff
 
Thanks for the pointer Klaus,

What I should have written is "APF with BFD". They're from the same developer and install and work together.

Jeff
 