SEO

Hello,

I am running Gentoo on my home machine, which is on a DSL connection. The
Actiontec modem has a built-in firewall, which is turned on. I use SSH to
connect to my machine from work, which means I have forwarded port 22 from
the firewall to my home machine.

I want to make sure that nobody else can connect via SSH, so I want to limit
connections to only those coming from my workplace (company.com).

I set up hosts.allow like this:

SSH: .company.com
SSHD: .company.com
SSH: 16.95.25.53
SSHD: 16.95.25.53

(Names/IP's have been changed, and I used both SSH and SSHD because I wasn't
sure which one is right, and it takes a day to change the file and try it
again.)

In any case, this all works, but I see attackers trying to log in when I
look at the sshd log:


log-2005-09-21-18:38:39:Sep 20 01:10:36 [sshd] Invalid user work from
82.226.215.139
log-2005-09-21-18:38:39:Sep 20 01:10:38 [sshd] Invalid user cyborg from
82.226.215.139
log-2005-09-21-18:38:39:Sep 20 01:10:40 [sshd] Invalid user cyborg from
82.226.215.139
log-2005-09-21-18:38:39:Sep 20 01:10:43 [sshd] Invalid user cyborg from
82.226.215.139

My question is this: Shouldn't the hosts.allow rules block this invalid
attacker from even attempting to get into SSH? I thought the hosts.allow
config would drop the connection before sshd got involved. Obviously I am
misunderstanding how this all works.

I don't have a hosts.deny file. Does that mean that everyone is allowed to
access everything? The man page is not super clear to me.

Thanks,

Blake

On Saturday 24 September 2005 05:36, Blake stood up and spoke the
following words to the masses in /alt.os.linux.gentoo...:/

> Hello,
>
> I am running Gentoo on my home machine, which is on a DSL connection.
> The Actiontec modem has a built-in firewall, which is turned on. I
> use SSH to connect to my machine from work, which means I have
> forwarded port 22 from the firewall to my home machine.
>
> I want to make sure that nobody else can connect via SSH, so I want to
> limit connections to only those coming from my workplace
> (company.com).
>
> I set up hosts.allow like this:
>
> SSH: .company.com
> SSHD: .company.com
> SSH: 16.95.25.53
> SSHD: 16.95.25.53

I think you need to read the /man/ pages more carefully...:

man hosts.allow

or

man hosts.deny

> (Names/IP's have been changed, and I used both SSH and SSHD because I
> wasn't sure which one is right, and it takes a day to change the file
> and try it again.)
>
> In any case, this all works, but I see attackers trying to log in when
> I look at the sshd log:
>
>
> log-2005-09-21-18:38:39:Sep 20 01:10:36 [sshd] Invalid user work from
> 82.226.215.139
> log-2005-09-21-18:38:39:Sep 20 01:10:38 [sshd] Invalid user cyborg
> from 82.226.215.139
> log-2005-09-21-18:38:39:Sep 20 01:10:40 [sshd] Invalid user cyborg
> from 82.226.215.139
> log-2005-09-21-18:38:39:Sep 20 01:10:43 [sshd] Invalid user cyborg
> from 82.226.215.139
>
> My question is this: Shouldn't the hosts.allow rules block this
> invalid attacker from even attempting to get into SSH? I thought the
> hosts.allow config would drop the connection before sshd got involved.
> Obviously I am misunderstanding how this all works.

*/etc/hosts.allow* is read first, and then */etc/hosts.deny* is
processed, which you left empty. But there is an easier way to
disallow them from logging in over /ssh./

Look at the manual for the /sshd/ daemon, as follows...

man sshd_config

You can restrict access to login names, groups, hostnames, etc.

> I don't have a hosts.deny file. Does that mean that everyone is
> allowed to access everything? [...]

Yes, it does, or at least, in theory...

Hope this helps! ;-)

--
With kind regards,

*Aragorn*
(Registered Gnu/Linux user # 223157)

Blake <bleverett@pants.att.net> wrote:

>
> I set up hosts.allow like this:
>
> SSH: .company.com
> SSHD: .company.com
> SSH: 16.95.25.53
> SSHD: 16.95.25.53

First of all, Linux is, like all Unix-like operating systems, case
sensitive for file/service names. sshd is not the same as SSHD.

Secondly, was sshd compiled with tcpd support? Add "tcpd" to your USE
flags and do an "emerge --update --deep --newuse world".

For a rule that might work, try this:

sshd : 16.95.25.23/255.255.255.255, .company.com : ALLOW

> (Names/IP's have been changed, and I used both SSH and SSHD because I
> wasn't sure which one is right, and it takes a day to change the file
> and try it again.)

Neither is right. sshd is.

> My question is this: Shouldn't the hosts.allow rules block this
> invalid attacker from even attempting to get into SSH? I thought the
> hosts.allow config would drop the connection before sshd got
> involved. Obviously I am misunderstanding how this all works.

If sshd had been an inetd service, that would have been true. In those
cases, inetd passes control to tcpd, which drops the connection or
starts the service, depending on the success of the matching.
In the case of non-inetd services with tcpd support, they handle the
connection themselves, and hang up if hosts.{allow|deny} disallows it.
However, since they know about the connection, they might also log it.

> I don't have a hosts.deny file. Does that mean that everyone is
> allowed to access everything? The man page is not super clear to me.

If you are using the third field with the keywords ALLOW or DENY, you
only need hosts.allow
If not, you need to specify what you don't allow in hosts.deny, or have
a default there that denies everything.

Better yet,

Regards,
--
*Art

Blake wrote:

> Hello,
>
> I am running Gentoo on my home machine, which is on a DSL connection. The
> Actiontec modem has a built-in firewall, which is turned on. I use SSH to
> connect to my machine from work, which means I have forwarded port 22 from
> the firewall to my home machine.
>
> I want to make sure that nobody else can connect via SSH, so I want to
> limit connections to only those coming from my workplace (company.com).
>
> I set up hosts.allow like this:
>
> SSH: .company.com
> SSHD: .company.com
> SSH: 16.95.25.53
> SSHD: 16.95.25.53
>
> (Names/IP's have been changed, and I used both SSH and SSHD because I
> wasn't sure which one is right, and it takes a day to change the file and
> try it again.)
>
> In any case, this all works, but I see attackers trying to log in when I
> look at the sshd log:
>
>
> log-2005-09-21-18:38:39:Sep 20 01:10:36 [sshd] Invalid user work from
> 82.226.215.139
> log-2005-09-21-18:38:39:Sep 20 01:10:38 [sshd] Invalid user cyborg from
> 82.226.215.139
> log-2005-09-21-18:38:39:Sep 20 01:10:40 [sshd] Invalid user cyborg from
> 82.226.215.139
> log-2005-09-21-18:38:39:Sep 20 01:10:43 [sshd] Invalid user cyborg from
> 82.226.215.139
>
> My question is this: Shouldn't the hosts.allow rules block this invalid
> attacker from even attempting to get into SSH? I thought the hosts.allow
> config would drop the connection before sshd got involved. Obviously I am
> misunderstanding how this all works.
>
> I don't have a hosts.deny file. Does that mean that everyone is allowed
> to
> access everything? The man page is not super clear to me.
>
> Thanks,
>
> Blake

A couple of things I have done. Limit access to only users that need it.
Also, you can limit access by group. One other thing you might try is to
have sshd listen on a non-standard port, don't allow login as root, and
limit login time to 30 seconds. I use webmin for configuration.

good luck,

Bigbob

Aragorn <stryder@telenet.invalid> writes:

>On Saturday 24 September 2005 05:36, Blake stood up and spoke the
>following words to the masses in /alt.os.linux.gentoo...:/

>> Hello,
>>
>> I am running Gentoo on my home machine, which is on a DSL connection.
>> The Actiontec modem has a built-in firewall, which is turned on. I
>> use SSH to connect to my machine from work, which means I have
>> forwarded port 22 from the firewall to my home machine.
>>
>> I want to make sure that nobody else can connect via SSH, so I want to
>> limit connections to only those coming from my workplace
>> (company.com).
>>
>> I set up hosts.allow like this:
>>
>> SSH: .company.com
>> SSHD: .company.com
>> SSH: 16.95.25.53
>> SSHD: 16.95.25.53

Fine. That means that those can come in. However, there is no program
called SSH or SSHD. There is a program called sshd. Unix is case sensitive.

But this says absolutely nothing about what to do with other addresses.
host.allow is searched first. IF a host is listed there it is allowed. Then
host.deny is searched. If a host is listed there it is denied. If neither
says anything, then the address is allowed.



>I think you need to read the /man/ pages more carefully...:

> man hosts.allow

>or

> man hosts.deny

Good advice.


>> (Names/IP's have been changed, and I used both SSH and SSHD because I
>> wasn't sure which one is right, and it takes a day to change the file
>> and try it again.)

A day? A day? Are you changing it by passenger pigeon?

>>
>> In any case, this all works, but I see attackers trying to log in when
>> I look at the sshd log:
>>
>>
>> log-2005-09-21-18:38:39:Sep 20 01:10:36 [sshd] Invalid user work from
>> 82.226.215.139
>> log-2005-09-21-18:38:39:Sep 20 01:10:38 [sshd] Invalid user cyborg
>> from 82.226.215.139
>> log-2005-09-21-18:38:39:Sep 20 01:10:40 [sshd] Invalid user cyborg
>> from 82.226.215.139
>> log-2005-09-21-18:38:39:Sep 20 01:10:43 [sshd] Invalid user cyborg
>> from 82.226.215.139
>>
>> My question is this: Shouldn't the hosts.allow rules block this
>> invalid attacker from even attempting to get into SSH? I thought the
>> hosts.allow config would drop the connection before sshd got involved.

For sshd, it is sshd which looks at the hosts. files. Ie, sshd is already
involved.
IF you start sshd from xinet then xinet first checks the hosts. files.


>> Obviously I am misunderstanding how this all works.

>*/etc/hosts.allow* is read first, and then */etc/hosts.deny* is
>processed, which you left empty. But there is an easier way to
>disallow them from logging in over /ssh./


>Look at the manual for the /sshd/ daemon, as follows...

> man sshd_config

>You can restrict access to login names, groups, hostnames, etc.

Access was denied. That is not the problem. His problem was that it was
entered into the log files, and worrying him. A little script run once a
minute to empty the log file would also work.
Leaving aside the levity, it did point out that his hosts. files are
misconfigured. Make sure that you put
ALL:ALL
into /etc/hosts.deny.
That means all services and all sources are denied unless they are listed
in hosts.allow.



>> I don't have a hosts.deny file. Does that mean that everyone is
>> allowed to access everything? [...]

>Yes, it does, or at least, in theory...

>Hope this helps! ;-)

>--
>With kind regards,

>*Aragorn*
>(Registered Gnu/Linux user # 223157)

Unruh wrote:

> Aragorn <stryder@telenet.invalid> writes:
>
>>I think you need to read the /man/ pages more carefully...:
>
>> man hosts.allow
>
>>or
>
>> man hosts.deny
>
> Good advice.


I did read the man pages, but there were no examples of actual services, and
the keywords that were in there were all uppercase (wildcards). I do now
see that the name used is the argv[0] value, which would be sshd.


>>> (Names/IP's have been changed, and I used both SSH and SSHD because I
>>> wasn't sure which one is right, and it takes a day to change the file
>>> and try it again.)
>
> A day? A day? Are you changing it by passenger pigeon?

Almost. I go to work, and try to log in to my home machine. If it doesn't
work, I can't drive home to change the file. I get home that night and
change the config files.


> Access was denied. That is not the problem. His problem was that it was
> entered into the log files, and worrying him. A little script run once a
> minute to empty the log file would also work.
> Leaving aside the levity, it did point out that his hosts. files are
> misconfigured. Make sure that you put
> ALL:ALL
> into /etc/hosts.deny.
> That means all services and all sources are denied unless they are listed
> in hosts.allow.

Very funny.

I am not nearly as incompetent as my original posting makes me seem. I just
don't do that much with networking/security, and I usually can figure these
things out on my own, but it was a real pain having to wait another day to
see if it worked.

Thanks to everyone for the advice. I think I know what to do now.

Blake

On Sun, 25 Sep 2005, Blake wrote:

> Unruh wrote:
>
>> Aragorn <stryder@telenet.invalid> writes:
>>
>>> I think you need to read the /man/ pages more carefully...:
>>
>>> man hosts.allow
>>
>>> or
>>
>>> man hosts.deny
>>
>> Good advice.
>
>
> I did read the man pages, but there were no examples of actual services, and
> the keywords that were in there were all uppercase (wildcards). I do now
> see that the name used is the argv[0] value, which would be sshd.
>
>
>>>> (Names/IP's have been changed, and I used both SSH and SSHD because I
>>>> wasn't sure which one is right, and it takes a day to change the file
>>>> and try it again.)
>>
>> A day? A day? Are you changing it by passenger pigeon?
>
> Almost. I go to work, and try to log in to my home machine. If it doesn't
> work, I can't drive home to change the file. I get home that night and
> change the config files.
>
>
>> Access was denied. That is not the problem. His problem was that it was
>> entered into the log files, and worrying him. A little script run once a
>> minute to empty the log file would also work.
>> Leaving aside the levity, it did point out that his hosts. files are
>> misconfigured. Make sure that you put
>> ALL:ALL
>> into /etc/hosts.deny.
>> That means all services and all sources are denied unless they are listed
>> in hosts.allow.
>
> Very funny.
>
> I am not nearly as incompetent as my original posting makes me seem. I just
> don't do that much with networking/security, and I usually can figure these
> things out on my own, but it was a real pain having to wait another day to
> see if it worked.
>
> Thanks to everyone for the advice. I think I know what to do now.

How about looking at IPTABLES/NETFILTER to control access to sshd?

Whoever wrote:

> How about looking at IPTABLES/NETFILTER to control access to sshd?

I have something like
-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 1/minute --limit-burst 3
-j ACCEPT

This prevented a lot of break-in attempts.

But maybe there is a better rule...

Whoever wrote:

>
> How about looking at IPTABLES/NETFILTER to control access to sshd?

I used to use shorewall, but now I'd rather let the DSL Modem be the
firewall. Using hosts.allow/.deny works pretty well. I still get a line
in the sshd logfile saying "refused connect from 83.216.196.2", but at
least it didn't let them try a password out.

Blake

Blake wrote:

> Whoever wrote:
>
>>
>> How about looking at IPTABLES/NETFILTER to control access to sshd?
>
> I used to use shorewall, but now I'd rather let the DSL Modem be the
> firewall. Using hosts.allow/.deny works pretty well. I still get a line
> in the sshd logfile saying "refused connect from 83.216.196.2", but at
> least it didn't let them try a password out.
>
> Blake

I've always wondered, is a hardware firewall sufficient, or should I use a
software firewall as well?

Bigbob