Confused about tcp_wrappers and sshd
Robert Locke
lists at ralii.com
Wed Aug 24 18:53:03 UTC 2005
On Wed, 2005-08-24 at 13:40 -0500, STYMA, ROBERT E (ROBERT) wrote:
> >
> > On 8/24/05, STYMA, ROBERT E (ROBERT) <stymar at lucent.com> wrote:
> > > I just retested on FC3. The ssh that comes
> > > with the standard repos does honor the
> > > /etc/hosts.allow and /etc/hosts.deny files.
> > > I am not real familiar with the HOSTDENY program,
> > > but if it updates /etc/hosts.deny, ssh will
> > > honor it. The tcpwrappers program also checks
> > > /etc/hosts.deny and /etc/hosts.allow.
> > >
> > > You can easily test this by hand.
> >
> > What I did was the following:
> >
> > (I am logged in via ssh on a remote host.)
> >
> > 1. Open /etc/hosts.deny
> > 2. Add a line that reads "sshd: 127.0.0.1"
> > 3. Save and exit
> > 4. 'service sshd restart'
> > 5. 'ssh localhost'
> >
> > The document I linked to earlier says I should get the following
> > message "ssh_exchange_identification: Connection closed by remote
> > host". Instead I just get a new RSA key fingerprint message.
> >
> > Am I doing something wrong or is there another way to test it?
> >
> >
> 1. As an aside, you do not have to restart sshd when you update
> /etc/hosts.deny and /etc/hosts.allow.
> 2. /etc/hosts.allow is looked at first. Make sure it does not
> have something in it to allow 127.0.0.1
> 3. Check the /var/log/messages and /var/log/secure to see what IP
> the system thought was connecting.
> 4. Try this.
> Note that changing /etc/hosts.allow and /etc/hosts.deny does
> not affect ssh connections which are already established.
> a. Put the IP address of the machine you are ssh'ing in from
> originally in the /etc/hosts.deny file and save.
> b. Try to ssh in from another window. It should be
> denied.
> c. Take the IP out before you log off of the first session.
>
And a 5th wildcard, make sure that the name localhost actually refers to
the loopback adapter 127.0.0.1 when you are doing an "ssh localhost".
Personally, you could just try a line that says "sshd: ALL" in
the /etc/hosts.deny file to block everything in case it tries to get
smart and go through your physical interface instead of lo.... And as
recommended make sure there is nothing in /etc/hosts.allow that would
allow this connection....
--Rob
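The thread's confusion comes down to the order in which tcp_wrappers consults the two files: hosts.allow is searched first and a match there wins, hosts.deny is searched only if nothing in hosts.allow matched, and no match in either file means the connection is allowed. The script below is an added example, not code from the list or from the tcp_wrappers project; it emulates that decision order against constructed hosts.allow/hosts.deny files in a temporary directory (never the real /etc files) so the "sshd: ALL" and "allow wins" cases from the replies can be checked offline. It handles only a subset of the real syntax (daemon names or ALL; client ALL, exact IPv4 addresses, and dotted prefixes like "10.0.0."); EXCEPT lists, LOCAL, hostnames and netmasks are not implemented.

```shell
#!/bin/sh
# Added example: emulate the hosts_access() decision order of tcp_wrappers.
#   1. hosts.allow is searched; the first (daemon, client) match => ALLOW
#   2. hosts.deny is searched; the first match => DENY
#   3. no match in either file => ALLOW
# Only a subset of the syntax is supported (see lead-in). WRAP_DIR is a
# hypothetical knob for where the sample files live; it is never /etc.
WRAP_DIR="${WRAP_DIR:-$(mktemp -d)}"

# Constructed sample files, modelled on the advice in the thread.
write_sample_files() {
    cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# an admin host that must always get in (checked before hosts.deny)
ALL: 192.168.1.10
EOF
    cat > "$WRAP_DIR/hosts.deny" <<'EOF'
# the "block everything" line suggested in the reply
sshd: ALL
# a dotted prefix: every address starting with 10.0.0.
ALL: 10.0.0.
EOF
}

# match_list LIST TOKEN: succeed if TOKEN (a daemon name or an IPv4 address)
# matches any comma-separated pattern in LIST.
match_list() {
    list=$1; token=$2
    oldifs=$IFS; IFS=','
    for pat in $list; do
        pat=$(printf '%s' "$pat" | tr -d ' \t')
        case "$pat" in
            '')  continue ;;
            ALL) IFS=$oldifs; return 0 ;;
            *.)  case "$token" in "$pat"*) IFS=$oldifs; return 0 ;; esac ;;
            *)   [ "$pat" = "$token" ] && { IFS=$oldifs; return 0; } ;;
        esac
    done
    IFS=$oldifs
    return 1
}

# file_matches FILE DAEMON CLIENT: succeed if any rule line in FILE matches.
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}                 # daemon_list
        rest=${line#*:}
        clist=${rest%%:*}                 # client_list (drop optional command)
        if match_list "$dlist" "$daemon" && match_list "$clist" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# hosts_access DAEMON CLIENT: print ALLOW or DENY in libwrap's order.
hosts_access() {
    if file_matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then
        echo ALLOW
    elif file_matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then
        echo DENY
    else
        echo ALLOW
    fi
}

write_sample_files
echo "sshd  from 127.0.0.1    : $(hosts_access sshd 127.0.0.1)"     # DENY
echo "sshd  from 192.168.1.10 : $(hosts_access sshd 192.168.1.10)"  # ALLOW
echo "httpd from 10.0.0.5     : $(hosts_access httpd 10.0.0.5)"     # DENY
echo "httpd from 172.16.0.1   : $(hosts_access httpd 172.16.0.1)"   # ALLOW
```

On a real host the tcp_wrappers package ships `tcpdmatch` (for example `tcpdmatch sshd 127.0.0.1`), which evaluates the live /etc/hosts.allow and /etc/hosts.deny the same way and is the quickest check before touching sshd; pairing it with `getent hosts localhost` on a glibc system shows which address "localhost" really resolves to, which is the fifth point raised above.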