02-21-2008, 11:30 AM
Blake

Is my SSHD insecure?

Hello,

I am running Gentoo on my home machine, which is on a DSL connection. The
Actiontec modem has a built-in firewall, which is turned on. I use SSH to
connect to my machine from work, which means I have forwarded port 22 from
the firewall to my home machine.

I want to make sure that nobody else can connect via SSH, so I want to limit
connections to only those coming from my workplace (company.com).

I set up hosts.allow like this:

SSH: .company.com
SSHD: .company.com
SSH: 16.95.25.53
SSHD: 16.95.25.53

(Names/IPs have been changed, and I used both SSH and SSHD because I wasn't
sure which one is right, and it takes a day to change the file and try it
again.)

In any case, this all works, but I see attackers trying to log in when I
look at the sshd log:

log-2005-09-21-18:38:39:Sep 20 01:10:36 [sshd] Invalid user work from 82.226.215.139
log-2005-09-21-18:38:39:Sep 20 01:10:38 [sshd] Invalid user cyborg from 82.226.215.139
log-2005-09-21-18:38:39:Sep 20 01:10:40 [sshd] Invalid user cyborg from 82.226.215.139
log-2005-09-21-18:38:39:Sep 20 01:10:43 [sshd] Invalid user cyborg from 82.226.215.139

My question is this: Shouldn't the hosts.allow rules block this invalid
attacker from even attempting to get into SSH? I thought the hosts.allow
config would drop the connection before sshd got involved. Obviously I am
misunderstanding how this all works.

I don't have a hosts.deny file. Does that mean that everyone is allowed to
access everything? The man page is not super clear to me.

Thanks,

Blake
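The question about a missing hosts.deny comes down to the order in which TCP wrappers consults the two files, modelled here as an added example (not part of the original post) and run against the posted rules and the logged address 82.226.215.139. It is a simplified model of hosts_access(5): it assumes an sshd built with libwrap support, compares names case-insensitively, and takes the client host name as a parameter instead of doing a reverse lookup; the hosts.deny line `sshd: ALL` is constructed.

```python
# Added example: simplified model of the hosts_access(5) decision order.

def parse(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def token_matches(tok, value):
    """Match one pattern against a daemon name, host name or address."""
    tok, value = tok.lower(), value.lower()   # assumption: case-insensitive
    if tok == "all":
        return True
    if tok.startswith("."):                   # domain suffix, e.g. .company.com
        return value.endswith(tok)
    if tok.endswith("."):                     # address prefix, e.g. 16.95.
        return value.startswith(tok)
    return tok == value

def rule_hit(rules, daemon, addr, host):
    return any(
        any(token_matches(d, daemon) for d in daemons)
        and any(token_matches(c, addr) or (host and token_matches(c, host))
                for c in clients)
        for daemons, clients in rules)

def decide(allow_text, deny_text, daemon, addr, host=""):
    """Allow match grants; otherwise a deny match refuses; otherwise grant."""
    if rule_hit(parse(allow_text), daemon, addr, host):
        return "granted (hosts.allow)"
    if rule_hit(parse(deny_text), daemon, addr, host):
        return "denied (hosts.deny)"
    return "granted (no rule matched)"

HOSTS_ALLOW = """SSH: .company.com
SSHD: .company.com
SSH: 16.95.25.53
SSHD: 16.95.25.53"""                          # rules as posted

if __name__ == "__main__":
    for deny in ("", "sshd: ALL"):            # no hosts.deny vs. constructed default deny
        for addr in ("82.226.215.139", "16.95.25.53"):
            print(repr(deny), addr, decide(HOSTS_ALLOW, deny, "sshd", addr))
```

With an empty hosts.deny the logged address falls through both files and is granted, so sshd goes on to handle the login attempt and logs it; with the constructed deny rule only the hosts.allow entries get through.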