On Fri, Jan 23, 2009 at 3:34 PM, Paul Hartman
<paul.hartman+gentoo@×××××.com> wrote:
> On Fri, Jan 23, 2009 at 3:18 PM, Paul Hartman
> <paul.hartman+gentoo@×××××.com> wrote:
>> On Fri, Jan 23, 2009 at 2:22 PM, Paul Hartman
>> <paul.hartman+gentoo@×××××.com> wrote:
>>> On Tue, Jan 20, 2009 at 3:33 PM, Paul Hartman
>>> <paul.hartman+gentoo@×××××.com> wrote:
>>>> Hi,
>>>>
>>>> After setting up public key authentication I changed my sshd back to
>>>> port 22 and got the expected bombardment of connection attempts.
>>>> However, it doesn't seem to ever stop them. I'm using sshd with this
>>>> setting:
>>>>
>>>> MaxAuthTries 3
>>>>
>>>> in my /etc/ssh/sshd_config
>>> [cut]
>>>
>>> Okay, I have some possible new embarrassing information... as well as
>>> some new questions about access control. After combining all logs in
>>> chronological order, it appears denyhosts IS properly adding the new
>>> host to /etc/hosts.deny but it is simply not causing it to be
>>> denied... See this sample:
>>>
>>> Jan 22 18:42:58 [sshd] Invalid user staff from 59.185.104.218
>>> Jan 22 18:43:01 [sshd] Invalid user sales from 59.185.104.218
>>> Jan 22 18:43:03 [sshd] Invalid user recruit from 59.185.104.218
>>> Jan 22 18:43:06 [denyhosts] Added the following hosts to
>>> /etc/hosts.deny - 59.185.104.218
>>> (triband-mum-59.185.104.218.mtnl.net.in)
>>> Jan 22 18:43:06 [sshd] Invalid user alias from 59.185.104.218
>>> Jan 22 18:43:09 [sshd] Invalid user office from 59.185.104.218
>>> Jan 22 18:43:11 [sshd] Invalid user samba from 59.185.104.218
>>> Jan 22 18:43:14 [sshd] Invalid user tomcat from 59.185.104.218
>>> Jan 22 18:43:22 [sshd] Invalid user webadmin from 59.185.104.218
>>>
>>> So now I am going back to what I should have looked at in the very
>>> beginning, my hosts.allow and hosts.deny rules.
>>>
>>> hosts.allow:
>>> sshd: ALL
>>> portmap: 127.0.0.1, 192.168.0.0/255.255.255.0
>>> lockd: 127.0.0.1, 192.168.0.0/255.255.255.0
>>> rquotad: 127.0.0.1, 192.168.0.0/255.255.255.0
>>> mountd: 127.0.0.1, 192.168.0.0/255.255.255.0
>>> statd: 127.0.0.1, 192.168.0.0/255.255.255.0
>>> ALL: 127.0.0.1, 192.168.0.0/255.255.255.0
>>>
>>>
>>> hosts.deny:
>>> ALL: ALL
>>> sshd: 58.213.125.25
>>> sshd: 75.37.250.107
>>> sshd: 147.83.29.83
>>> sshd: 59.185.104.218
>>> sshd: 210.40.128.31
>>> (and so on)
>>>
>>> From the manpage:
>>>
>>> ACCESS CONTROL FILES
>>> The access control software consults two files. The search
>>> stops at the first match:
>>> - Access will be granted when a (daemon,client) pair
>>> matches an entry in the /etc/hosts.allow file.
>>> - Otherwise, access will be denied when a (daemon,client)
>>> pair matches an entry in the /etc/hosts.deny file.
>>> - Otherwise, access will be granted.
>>>
>>> doh! So, basically, when it sees sshd: ALL in hosts.allow, it stops
>>> and allows access to everyone. It never even gets around to checking
>>> the hosts.deny file. The fact that the login attempts stopped after
>>> about an hour must have been purely coincidence.
>>>
>>> My intended purpose for those entries was to allow all sshd unless
>>> they are in the deny file, but I also want to deny everything else
>>> that doesn't have an explicit allow/deny rule. I don't think this is
>>> possible using hosts.allow/hosts.deny unless I enumerate every
>>> service. The deny ALL: ALL will deny me access to sshd.
>>>
>>> I essentially want it to work the other way around. Deny access by
>>> default unless there is an allow rule. I don't think I can do that,
>>> though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will
>>> deny ME access to my own machine. I don't want that. Since I don't
>>> have a specific IP I will connect from, I can't allow any specific IP
>>> (or else I'd be doing it that way already).
>>>
>>> How can I accomplish this?:
>>>
>>> Allow all ssh connections unless they are in hosts.deny
>>> Deny all other connections unless they are in hosts.allow
>>>
>>> Thanks and sorry for the misdirection :)
>>> Paul
>>>
>>
>> After reading more, I see there is an EXCEPT rule as well.. so I can
>> theoretically deny:
>>
>> ALL: ALL EXCEPT sshd
>> and hopefully that will do what I was wanting... time to try it :)
>
> Sorry, I made a typo in my email.
>
> ALL EXCEPT sshd: ALL
>
> Tested and working.
>
> Paul
>

As a follow-up, using the fixed hosts.allow/deny rules & denyhosts
with sync server enabled, it's working great. The majority of ssh
connections are being blocked by the denyhosts data, and my own ssh
connections are still working fine. :)

I still plan to experiment with the more exotic approaches like
iptables & portknocking but for now the simple hosts.deny method is
working okay.

thanks to all,
Paul
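To make the search order from the quoted manpage concrete, here is an added example (not part of the thread, and not libwrap's own code) that models the hosts_access(5) decision in Python and runs both rule sets from the thread through it. It supports only the pattern forms that appear above (ALL, EXCEPT, a daemon name, an IPv4 address and a net/mask pair). It assumes that, alongside the `ALL EXCEPT sshd: ALL` line in hosts.deny, the `sshd: ALL` line was dropped from hosts.allow, since with that line present the search still stops in hosts.allow and hosts.deny is never reached for sshd. The unlisted client address 203.0.113.7 is constructed sample data. The model only matters for daemons that actually consult libwrap; a daemon built without tcp_wrappers support ignores both files entirely.

```python
import ipaddress

# Added example: a simplified model of the hosts_access(5) decision used by
# tcp_wrappers. Constructed for illustration; it is not libwrap itself and
# supports only the pattern forms used in the thread.


def _split_list(text):
    """Split a daemon or client list into (patterns, excepted_patterns)."""
    head, _, tail = text.partition("EXCEPT")
    patterns = head.replace(",", " ").split()
    excepted = tail.replace(",", " ").split()
    return patterns, excepted


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        # net/mask form as written in the thread, e.g. 192.168.0.0/255.255.255.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def _list_matches(text, value, match_one):
    """A list matches when any pattern matches and no EXCEPT pattern does."""
    patterns, excepted = _split_list(text)
    if not any(match_one(p, value) for p in patterns):
        return False
    return not any(match_one(p, value) for p in excepted)


def _rule_matches(rule, daemon, client_ip):
    daemon_list, client_list = rule.split(":", 1)
    return (_list_matches(daemon_list, daemon, _daemon_matches)
            and _list_matches(client_list, client_ip, _client_matches))


def hosts_access(hosts_allow, hosts_deny, daemon, client_ip):
    """Search order from the manpage, stopping at the first match:
    a hosts.allow hit grants, else a hosts.deny hit denies, else grant."""
    for rule in hosts_allow:
        if _rule_matches(rule, daemon, client_ip):
            return "allow"
    for rule in hosts_deny:
        if _rule_matches(rule, daemon, client_ip):
            return "deny"
    return "allow"


LAN = "127.0.0.1, 192.168.0.0/255.255.255.0"

# Rules as posted in the thread (the "(and so on)" tail is omitted).
ORIGINAL_ALLOW = ["sshd: ALL"] + [
    f"{d}: {LAN}" for d in ("portmap", "lockd", "rquotad", "mountd", "statd", "ALL")
]
ORIGINAL_DENY = ["ALL: ALL", "sshd: 58.213.125.25", "sshd: 75.37.250.107",
                 "sshd: 147.83.29.83", "sshd: 59.185.104.218", "sshd: 210.40.128.31"]

# Fixed rules: hosts.deny uses the ALL EXCEPT sshd form from the thread and
# (assumption) the sshd: ALL line is dropped from hosts.allow, otherwise the
# search would still stop there and never reach hosts.deny for sshd.
FIXED_ALLOW = ORIGINAL_ALLOW[1:]
FIXED_DENY = ["ALL EXCEPT sshd: ALL"] + ORIGINAL_DENY[1:]

# Constructed sample client: a non-LAN address that is not on the deny list.
UNLISTED_CLIENT = "203.0.113.7"

if __name__ == "__main__":
    cases = (("sshd", "59.185.104.218"), ("sshd", UNLISTED_CLIENT),
             ("portmap", UNLISTED_CLIENT), ("portmap", "192.168.0.5"))
    for label, allow, deny in (("original", ORIGINAL_ALLOW, ORIGINAL_DENY),
                               ("fixed", FIXED_ALLOW, FIXED_DENY)):
        for daemon, ip in cases:
            verdict = hosts_access(allow, deny, daemon, ip)
            print(f"{label:8} {daemon:8} {ip:16} -> {verdict}")
```

Running it shows the failure from the log sample: under the original rules a denyhosts entry for 59.185.104.218 has no effect because `sshd: ALL` wins first, while under the fixed rules that address is denied, an unlisted address can still reach sshd, and every other daemon falls through to the `ALL EXCEPT sshd: ALL` deny unless it has a LAN entry in hosts.allow.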