On Tue, Jan 20, 2009 at 3:33 PM, Paul Hartman
<paul.hartman+gentoo@×××××.com> wrote:
> Hi,
>
> After setting up public key authentication I changed my sshd back to
> port 22 and got the expected bombardment of connection attempts.
> However, it doesn't seem to ever stop them. I'm using sshd with this
> setting:
>
> MaxAuthTries 3
>
> in my /etc/ssh/sshd_config
[cut]

Okay, I have some possible new embarrassing information... as well as
some new questions about access control. After combining all logs in
chronological order, it appears denyhosts IS properly adding the new
host to /etc/hosts.deny but it is simply not causing it to be
denied... See this sample:

Jan 22 18:42:58 [sshd] Invalid user staff from 59.185.104.218
Jan 22 18:43:01 [sshd] Invalid user sales from 59.185.104.218
Jan 22 18:43:03 [sshd] Invalid user recruit from 59.185.104.218
Jan 22 18:43:06 [denyhosts] Added the following hosts to
/etc/hosts.deny - 59.185.104.218
(triband-mum-59.185.104.218.mtnl.net.in)
Jan 22 18:43:06 [sshd] Invalid user alias from 59.185.104.218
Jan 22 18:43:09 [sshd] Invalid user office from 59.185.104.218
Jan 22 18:43:11 [sshd] Invalid user samba from 59.185.104.218
Jan 22 18:43:14 [sshd] Invalid user tomcat from 59.185.104.218
Jan 22 18:43:22 [sshd] Invalid user webadmin from 59.185.104.218

So now I am going back to what I should have looked at in the very
beginning, my hosts.allow and hosts.deny rules.

hosts.allow:
sshd: ALL
portmap: 127.0.0.1, 192.168.0.0/255.255.255.0
lockd: 127.0.0.1, 192.168.0.0/255.255.255.0
rquotad: 127.0.0.1, 192.168.0.0/255.255.255.0
mountd: 127.0.0.1, 192.168.0.0/255.255.255.0
statd: 127.0.0.1, 192.168.0.0/255.255.255.0
ALL: 127.0.0.1, 192.168.0.0/255.255.255.0


hosts.deny:
ALL: ALL
sshd: 58.213.125.25
sshd: 75.37.250.107
sshd: 147.83.29.83
sshd: 59.185.104.218
sshd: 210.40.128.31
(and so on)

From the manpage:

ACCESS CONTROL FILES
The access control software consults two files. The search
stops at the first match:
- Access will be granted when a (daemon,client) pair
matches an entry in the /etc/hosts.allow file.
- Otherwise, access will be denied when a (daemon,client)
pair matches an entry in the /etc/hosts.deny file.
- Otherwise, access will be granted.

doh! So, basically, when it sees sshd: ALL in hosts.allow, it stops
and allows access to everyone. It never even gets around to checking
the hosts.deny file. The fact that the login attempts stopped after
about an hour must have been purely coincidence.

My intended purpose for those entries was to allow all sshd unless
they are in the deny file, but I also want to deny everything else
that doesn't have an explicit allow/deny rule. I don't think this is
possible using hosts.allow/hosts.deny unless I enumerate every
service. The deny ALL: ALL will deny me access to sshd.

I essentially want it to work the other way around. Deny access by
default unless there is an allow rule. I don't think I can do that,
though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will
deny ME access to my own machine. I don't want that. Since I don't
have a specific IP I will connect from, I can't allow any specific IP
(or else I'd be doing it that way already).

How can I accomplish this?:

Allow all ssh connections unless they are in hosts.deny
Deny all other connections unless they are in hosts.allow

Thanks and sorry for the misdirection :)
Paul
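The first-match rule quoted from the manpage is easy to get wrong by reading the two files separately, so here is an added example (not code from the post, from denyhosts or from tcp_wrappers) that models that rule in Python and runs it against the hosts.allow/hosts.deny shown above. It implements only a subset of the real hosts_access(5) syntax: the ALL wildcard, the EXCEPT operator, exact IPv4 addresses and the net/mask client form used in the post; hostname patterns, netgroups and the option fields (hosts_options(5)) are not modelled. The "proposed" files rely on the documented EXCEPT operator in a daemon list (an assumption about the real tcp_wrappers behaviour, not something the post states) to get the requested policy: sshd open to everyone except the hosts denyhosts lists, every other daemon closed unless hosts.allow names the client. The sample client 203.0.113.7 is a constructed address.

```python
import ipaddress

# Constructed copies of the hosts.allow / hosts.deny quoted in the post (IPv4 only).
ORIGINAL_ALLOW = """\
sshd: ALL
portmap: 127.0.0.1, 192.168.0.0/255.255.255.0
lockd: 127.0.0.1, 192.168.0.0/255.255.255.0
rquotad: 127.0.0.1, 192.168.0.0/255.255.255.0
mountd: 127.0.0.1, 192.168.0.0/255.255.255.0
statd: 127.0.0.1, 192.168.0.0/255.255.255.0
ALL: 127.0.0.1, 192.168.0.0/255.255.255.0
"""
ORIGINAL_DENY = """\
ALL: ALL
sshd: 58.213.125.25
sshd: 59.185.104.218
"""

# Proposed rewrite (assumption: hosts_access(5) EXCEPT operator in the daemon list):
# drop "sshd: ALL" from hosts.allow so sshd is no longer short-circuited, and make the
# hosts.deny catch-all cover every daemon except sshd. denyhosts can keep appending
# "sshd: <addr>" lines anywhere; the catch-all never matches sshd, so order is irrelevant.
PROPOSED_ALLOW = ORIGINAL_ALLOW.replace("sshd: ALL\n", "")
PROPOSED_DENY = """\
sshd: 58.213.125.25
sshd: 59.185.104.218
ALL EXCEPT sshd: ALL
"""


def _match_atom(pattern, value, is_client):
    """One token of a daemon or client list: ALL, an exact name/IP, or net/mask."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if is_client and "/" in pattern:           # e.g. 192.168.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(value) in network
    return pattern == value


def _match_list(spec, value, is_client):
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 also matches."""
    parts = spec.split(" EXCEPT ", 1)
    if not any(_match_atom(p, value, is_client) for p in parts[0].split(",")):
        return False
    if len(parts) == 2:
        return not _match_list(parts[1], value, is_client)
    return True


def _file_matches(text, daemon, client):
    """True if any 'daemon_list : client_list' line in the file matches the pair."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon_list, rest = line.split(":", 1)
        client_list = rest.split(":", 1)[0]    # any trailing option field is ignored here
        if _match_list(daemon_list, daemon, False) and _match_list(client_list, client, True):
            return True
    return False


def decide(hosts_allow, hosts_deny, daemon, client):
    """The manpage rule: first match in hosts.allow grants, then hosts.deny denies, else grant."""
    if _file_matches(hosts_allow, daemon, client):
        return "allow"
    if _file_matches(hosts_deny, daemon, client):
        return "deny"
    return "allow"


CASES = [("sshd", "59.185.104.218"), ("sshd", "203.0.113.7"),
         ("portmap", "203.0.113.7"), ("portmap", "192.168.0.5")]

if __name__ == "__main__":
    for label, allow, deny in (("original", ORIGINAL_ALLOW, ORIGINAL_DENY),
                               ("proposed", PROPOSED_ALLOW, PROPOSED_DENY)):
        for daemon, client in CASES:
            print(f"{label:8} {daemon:8} {client:16} -> {decide(allow, deny, daemon, client)}")
```

With the original files the model grants sshd from 59.185.104.218 because `sshd: ALL` in hosts.allow matches first and hosts.deny is never consulted, which is exactly what the log sample shows. Before trusting any rewrite of the real files, check the live configuration with the tcpdmatch tool that ships with tcp_wrappers (for example `tcpdmatch sshd 59.185.104.218`), which evaluates the actual parser against the actual files rather than this simplified model.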