Re: Is my SSHD insecure? Aragorn <stryder@telenet.invalid> writes:
>On Saturday 24 September 2005 05:36, Blake stood up and spoke the
>following words to the masses in /alt.os.linux.gentoo...:/
>> Hello,
>>
>> I am running Gentoo on my home machine, which is on a DSL connection.
>> The Actiontec modem has a built-in firewall, which is turned on. I
>> use SSH to connect to my machine from work, which means I have
>> forwarded port 22 from the firewall to my home machine.
>>
>> I want to make sure that nobody else can connect via SSH, so I want to
>> limit connections to only those coming from my workplace
>> (company.com).
>>
>> I set up hosts.allow like this:
>>
>> SSH: .company.com
>> SSHD: .company.com
>> SSH: 16.95.25.53
>> SSHD: 16.95.25.53
Fine. That means that those can come in. However, there is no program
called SSH or SSHD. There is a program called sshd. Unix is case sensitive.
But this says absolutely nothing about what to do with other addresses.
hosts.allow is searched first. IF a host is listed there it is allowed. Then
hosts.deny is searched. If a host is listed there it is denied. If neither
says anything, then the address is allowed.
>I think you need to read the /man/ pages more carefully...:
> man hosts.allow
>or
> man hosts.deny
Good advice.
>> (Names/IP's have been changed, and I used both SSH and SSHD because I
>> wasn't sure which one is right, and it takes a day to change the file
>> and try it again.)
A day? A day? Are you changing it by passenger pigeon?
>>
>> In any case, this all works, but I see attackers trying to log in when
>> I look at the sshd log:
>>
>>
>> log-2005-09-21-18:38:39:Sep 20 01:10:36 [sshd] Invalid user work from
>> 82.226.215.139
>> log-2005-09-21-18:38:39:Sep 20 01:10:38 [sshd] Invalid user cyborg
>> from 82.226.215.139
>> log-2005-09-21-18:38:39:Sep 20 01:10:40 [sshd] Invalid user cyborg
>> from 82.226.215.139
>> log-2005-09-21-18:38:39:Sep 20 01:10:43 [sshd] Invalid user cyborg
>> from 82.226.215.139
>>
>> My question is this: Shouldn't the hosts.allow rules block this
>> invalid attacker from even attempting to get into SSH? I thought the
>> hosts.allow config would drop the connection before sshd got involved.
For sshd, it is sshd which looks at the hosts. files. I.e., sshd is already
involved.
IF you start sshd from xinetd then xinetd first checks the hosts. files.
>> Obviously I am misunderstanding how this all works.
>*/etc/hosts.allow* is read first, and then */etc/hosts.deny* is
>processed, which you left empty. But there is an easier way to
>disallow them from logging in over /ssh./
>Look at the manual for the /sshd/ daemon, as follows...
> man sshd_config
>You can restrict access to login names, groups, hostnames, etc.
Access was denied. That is not the problem. His problem was that it was
entered into the log files, and worrying him. A little script run once a
minute to empty the log file would also work.
Leaving aside the levity, it did point out that his hosts. files are
misconfigured. Make sure that you put
ALL:ALL
into /etc/hosts.deny.
That means all services and all sources are denied unless they are listed
in hosts.allow.
>> I don't have a hosts.deny file. Does that mean that everyone is
>> allowed to access everything? [...]
>Yes, it does, or at least, in theory...
>Hope this helps! ;-)
>--
>With kind regards,
>*Aragorn*
>(Registered Gnu/Linux user # 223157) |
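The evaluation order described in this thread (hosts.allow first, then hosts.deny, and "allow" when neither matches) and the case-sensitivity point about the daemon name can be checked without waiting a day per edit. The following is an added example, not code from the thread or from libwrap: a simplified Python model of the TCP-wrappers decision, run against the poster's original hosts.allow, against the corrected form with `ALL: ALL` in hosts.deny, and against the quoted sshd log lines (re-typed here unwrapped as constructed sample input). It assumes IPv4, models only `ALL`, leading-dot domain suffixes, trailing-dot IP prefixes and exact matches, and ignores libwrap's `EXCEPT`, netmask and option syntax. The `hosts_access` and `triage` function names are this example's own.

```python
# Added example: simplified model of /etc/hosts.allow and /etc/hosts.deny
# evaluation as done by TCP wrappers (libwrap). Not libwrap's code.
# Assumptions: IPv4 only; client patterns are ALL, ".domain" (hostname
# suffix, needs working reverse DNS), "16.95." (IP prefix) or an exact
# IP/hostname. Daemon names are compared exactly and case-sensitively.
import re
from collections import Counter


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] from a hosts.* file body."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments / blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                                 # malformed line, ignored
        daemons = re.split(r"[,\s]+", fields[0])
        clients = re.split(r"[,\s]+", fields[1])
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip, hostname):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                      # domain suffix match
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):                        # IP prefix match
        return ip.startswith(pattern)
    return pattern == ip or pattern == hostname


def rule_matches(rules, daemon, ip, hostname):
    # "SSHD" never matches a daemon called "sshd": the comparison is exact.
    for daemons, clients in rules:
        if any(d in ("ALL", daemon) for d in daemons) and any(
            client_matches(c, ip, hostname) for c in clients
        ):
            return True
    return False


def hosts_access(daemon, ip, hostname, allow_text, deny_text=""):
    """hosts.allow first, then hosts.deny; no match in either means allow."""
    if rule_matches(parse_rules(allow_text), daemon, ip, hostname):
        return True
    if rule_matches(parse_rules(deny_text), daemon, ip, hostname):
        return False
    return True


# Constructed configs: the poster's original file, and the corrected pair.
ORIGINAL_ALLOW = """SSH: .company.com
SSHD: .company.com
SSH: 16.95.25.53
SSHD: 16.95.25.53
"""
FIXED_ALLOW = """sshd: .company.com
sshd: 16.95.25.53
"""
DENY_ALL = "ALL: ALL\n"

# Constructed sample log (the thread's lines, unwrapped onto single lines).
LOG = """Sep 20 01:10:36 [sshd] Invalid user work from 82.226.215.139
Sep 20 01:10:38 [sshd] Invalid user cyborg from 82.226.215.139
Sep 20 01:10:40 [sshd] Invalid user cyborg from 82.226.215.139
Sep 20 01:10:43 [sshd] Invalid user cyborg from 82.226.215.139
"""
INVALID_USER = re.compile(r"\[sshd\] Invalid user (\S+) from (\S+)")


def triage(log_text, allow_text, deny_text):
    """Count 'Invalid user' attempts per source IP and report whether that
    source would still reach sshd under the given hosts.* files (assuming
    the source has no reverse DNS name, so only IP patterns can match)."""
    counts = Counter(m.group(2) for m in INVALID_USER.finditer(log_text))
    return {
        ip: (n, hosts_access("sshd", ip, None, allow_text, deny_text))
        for ip, n in counts.items()
    }


if __name__ == "__main__":
    # With the original file and no hosts.deny, every source is allowed.
    print(hosts_access("sshd", "82.226.215.139", None, ORIGINAL_ALLOW))
    # Adding ALL:ALL to hosts.deny while keeping "SSHD" would lock out the
    # workplace address too, because "SSHD" does not match "sshd".
    print(hosts_access("sshd", "16.95.25.53", None, ORIGINAL_ALLOW, DENY_ALL))
    # Corrected pair: workplace allowed, the scanning source denied.
    print(triage(LOG, FIXED_ALLOW, DENY_ALL))
```

The second check is the caveat worth running before touching hosts.deny: with the daemon name spelled `SSHD`, adding `ALL: ALL` denies the workplace address as well. Two further points the model makes visible: the `.company.com` entries only match when the connecting address resolves by reverse DNS (the model passes `hostname=None` for the log sources, so only the IP entry can admit the workplace), and sshd consults these files only when it was built with libwrap support; otherwise the hosts.* files have no effect on it at all.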