| 1 |
On Fri, Jan 23, 2009 at 2:22 PM, Paul Hartman |
| 2 |
<paul.hartman+gentoo@×××××.com> wrote: |
| 3 |
> On Tue, Jan 20, 2009 at 3:33 PM, Paul Hartman |
| 4 |
> <paul.hartman+gentoo@×××××.com> wrote: |
| 5 |
>> Hi, |
| 6 |
>> |
| 7 |
>> After setting up public key authentication i changed my sshd back to |
| 8 |
>> port 22 and got the expected bombardment of connection attempts. |
| 9 |
>> However, it doesn't seem to ever stop them. I'm using sshd with this |
| 10 |
>> setting: |
| 11 |
>> |
| 12 |
>> MaxAuthTries 3 |
| 13 |
>> |
| 14 |
>> in my /etc/ssh/sshd_config |
| 15 |
> [cut] |
| 16 |
> |
| 17 |
> Okay, I have some possible new embarrassing information... as well as |
| 18 |
> some new questions about access control. After combining all logs in |
| 19 |
> chronological order, it appears denyhosts IS properly adding the new |
| 20 |
> host to /etc/hosts.deny but it is simply not causing it to be |
| 21 |
> denied... See this sample: |
| 22 |
> |
| 23 |
> Jan 22 18:42:58 [sshd] Invalid user staff from 59.185.104.218 |
| 24 |
> Jan 22 18:43:01 [sshd] Invalid user sales from 59.185.104.218 |
| 25 |
> Jan 22 18:43:03 [sshd] Invalid user recruit from 59.185.104.218 |
| 26 |
> Jan 22 18:43:06 [denyhosts] Added the following hosts to |
| 27 |
> /etc/hosts.deny - 59.185.104.218 |
| 28 |
> (triband-mum-59.185.104.218.mtnl.net.in) |
| 29 |
> Jan 22 18:43:06 [sshd] Invalid user alias from 59.185.104.218 |
| 30 |
> Jan 22 18:43:09 [sshd] Invalid user office from 59.185.104.218 |
| 31 |
> Jan 22 18:43:11 [sshd] Invalid user samba from 59.185.104.218 |
| 32 |
> Jan 22 18:43:14 [sshd] Invalid user tomcat from 59.185.104.218 |
| 33 |
> Jan 22 18:43:22 [sshd] Invalid user webadmin from 59.185.104.218 |
| 34 |
> |
| 35 |
> So now I am going back to what I should have looked at in the very |
| 36 |
> beginning, my hosts.allow and hosts.deny rules. |
| 37 |
> |
| 38 |
> hosts.allow: |
| 39 |
> sshd: ALL |
| 40 |
> portmap: 127.0.0.1, 192.168.0.0/255.255.255.0 |
| 41 |
> lockd: 127.0.0.1, 192.168.0.0/255.255.255.0 |
| 42 |
> rquotad: 127.0.0.1, 192.168.0.0/255.255.255.0 |
| 43 |
> mountd: 127.0.0.1, 192.168.0.0/255.255.255.0 |
| 44 |
> statd: 127.0.0.1, 192.168.0.0/255.255.255.0 |
| 45 |
> ALL: 127.0.0.1, 192.168.0.0/255.255.255.0 |
| 46 |
> |
| 47 |
> |
| 48 |
> hosts.deny: |
| 49 |
> ALL: ALL |
| 50 |
> sshd: 58.213.125.25 |
| 51 |
> sshd: 75.37.250.107 |
| 52 |
> sshd: 147.83.29.83 |
| 53 |
> sshd: 59.185.104.218 |
| 54 |
> sshd: 210.40.128.31 |
| 55 |
> (and so on) |
| 56 |
> |
| 57 |
> From the manpage: |
| 58 |
> |
| 59 |
> ACCESS CONTROL FILES |
| 60 |
> The access control software consults two files. The search |
| 61 |
> stops at the first match: |
| 62 |
> - Access will be granted when a (daemon,client) pair |
| 63 |
> matches an entry in the /etc/hosts.allow file. |
| 64 |
> - Otherwise, access will be denied when a (daemon,client) |
| 65 |
> pair matches an entry in the /etc/hosts.deny file. |
| 66 |
> - Otherwise, access will be granted. |
| 67 |
> |
| 68 |
> doh! So, basically, when it sees sshd: ALL in hosts.allow, it stops |
| 69 |
> and allows access to everyone. It never even gets around to checking |
| 70 |
> the hosts.deny file. The fact that the login attempts stopped after |
| 71 |
> about an hour must have been purely coincidence. |
| 72 |
> |
| 73 |
> My intended purpose for those entires was to allow all sshd unless |
| 74 |
> they are in the deny file, but I also want to deny everything else |
| 75 |
> that doesn't have an explicit allow/deny rule. I don't think this is |
| 76 |
> possible using hosts.allow/hosts.deny unless I enumerate every |
| 77 |
> service. The deny ALL: ALL will deny me access to sshd. |
| 78 |
> |
| 79 |
> I essentially want it to work the other way around. Deny access by |
| 80 |
> default unless there is an allow rule. I don't think I can do that, |
| 81 |
> though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will |
| 82 |
> deny ME access to my own machine. I don't want that. Since I don't |
| 83 |
> have a specific IP i will connect from, I can't allow any specific IP |
| 84 |
> (or else I'd be doing it that way already). |
| 85 |
> |
| 86 |
> How can I accomplish this?: |
| 87 |
> |
| 88 |
> Allow all ssh connections unless they are in hosts.deny |
| 89 |
> Deny all other connections unless they are in hosts.allow |
| 90 |
> |
| 91 |
> Thanks and sorry for the misdirection :) |
| 92 |
> Paul |
| 93 |
> |
| 94 |
|
| 95 |
After reading more, I see there is an EXCEPT rule as well.. so I can |
| 96 |
theoretically deny: |
| 97 |
|
| 98 |
ALL: ALL EXCEPT sshd |
| 99 |
and hopefully that will do what I was wanting... time to try it :) |
Archives