02-21-2008, 10:30 AM
Aragorn
Re: Is my SSHD insecure?

On Saturday 24 September 2005 05:36, Blake stood up and spoke the
following words to the masses in /alt.os.linux.gentoo...:/

> Hello,
>
> I am running Gentoo on my home machine, which is on a DSL connection.
> The Actiontec modem has a built-in firewall, which is turned on. I
> use SSH to connect to my machine from work, which means I have
> forwarded port 22 from the firewall to my home machine.
>
> I want to make sure that nobody else can connect via SSH, so I want to
> limit connections to only those coming from my workplace
> (company.com).
>
> I set up hosts.allow like this:
>
> SSH: .company.com
> SSHD: .company.com
> SSH: 16.95.25.53
> SSHD: 16.95.25.53


I think you need to read the /man/ pages more carefully...:

man hosts.allow

or

man hosts.deny

> (Names/IP's have been changed, and I used both SSH and SSHD because I
> wasn't sure which one is right, and it takes a day to change the file
> and try it again.)
>
> In any case, this all works, but I see attackers trying to log in when
> I look at the sshd log:
>
>
> log-2005-09-21-18:38:39:Sep 20 01:10:36 [sshd] Invalid user work from
> 82.226.215.139
> log-2005-09-21-18:38:39:Sep 20 01:10:38 [sshd] Invalid user cyborg
> from 82.226.215.139
> log-2005-09-21-18:38:39:Sep 20 01:10:40 [sshd] Invalid user cyborg
> from 82.226.215.139
> log-2005-09-21-18:38:39:Sep 20 01:10:43 [sshd] Invalid user cyborg
> from 82.226.215.139
>
> My question is this: Shouldn't the hosts.allow rules block this
> invalid attacker from even attempting to get into SSH? I thought the
> hosts.allow config would drop the connection before sshd got involved.
> Obviously I am misunderstanding how this all works.


*/etc/hosts.allow* is read first, and then */etc/hosts.deny* is
processed, which you left empty. But there is an easier way to
disallow them from logging in over /ssh./

Look at the manual for the /sshd/ daemon, as follows...

man sshd_config

You can restrict access to login names, groups, hostnames, etc.

> I don't have a hosts.deny file. Does that mean that everyone is
> allowed to access everything? [...]


Yes, it does, or at least, in theory...

Hope this helps! ;-)

--
With kind regards,

*Aragorn*
(Registered Gnu/Linux user # 223157)
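As an added illustration (not part of the thread), the Python model below reproduces the hosts_access(5) decision order Aragorn describes, using constructed rule files that mirror Blake's. It assumes sshd was built with tcp_wrappers support (otherwise neither file is consulted at all) and that the daemon token is the process name `sshd`; only the common pattern forms are modelled.

```python
"""Model of the libwrap decision driven by /etc/hosts.allow and /etc/hosts.deny:
the allow file is consulted first, then the deny file, and a (daemon, client)
pair matching neither is let through. Common pattern forms only."""

# Constructed sample rules, keyed on the daemon's process name "sshd".
HOSTS_ALLOW = "sshd: .company.com\nsshd: 16.95.25.53\n"
HOSTS_DENY_EMPTY = ""          # no hosts.deny at all, as in the thread
HOSTS_DENY_ALL = "ALL: ALL\n"  # the usual default-deny companion rule

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...]; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":", 1)
            rules.append(([d.strip() for d in daemons.split(",")],
                          [c.strip() for c in clients.split(",")]))
    return rules

def daemon_matches(pattern, daemon):
    # libwrap compares tokens case-insensitively, so "SSHD" and "sshd" are equivalent
    return pattern.upper() == "ALL" or pattern.lower() == daemon.lower()

def client_matches(pattern, host, addr):
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("."):              # ".company.com": any host under that domain
        return host.lower().endswith(p)
    if p.endswith("."):                # "16.95.25.": any address with that prefix
        return addr.startswith(p)
    return p in (host.lower(), addr)   # exact hostname or exact address

def rules_match(rules, daemon, host, addr):
    return any(any(daemon_matches(d, daemon) for d in daemons)
               and any(client_matches(c, host, addr) for c in clients)
               for daemons, clients in rules)

def access_allowed(allow_text, deny_text, daemon, host="unknown", addr=""):
    """hosts_access(5) order: match in allow grants, match in deny refuses, else grant."""
    if rules_match(parse_rules(allow_text), daemon, host, addr):
        return True
    if rules_match(parse_rules(deny_text), daemon, host, addr):
        return False
    return True

if __name__ == "__main__":
    # The thread's situation: with no hosts.deny, the scanning host is still let through.
    print(access_allowed(HOSTS_ALLOW, HOSTS_DENY_EMPTY, "sshd", addr="82.226.215.139"))
```

The "Invalid user" lines in the thread are logged by sshd during authentication, a stage a libwrap refusal never reaches, so their presence alone shows the wrappers were not filtering. The model's first case shows why: with no hosts.deny, an address that matches nothing in hosts.allow is still granted.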