Posted by Nicole Harvey, October 1, 2003, 5:29 pm
IPV6 support from ftp.playgroung.sun.com and used the same to compile
openssh3.7p2 on a Solaris 8 box. I am not starting sshd out of inetd but
compiled ssh with tcp wrapper support.
Everything looks good except that it doesn't disallow connections from
hosts other than those listed in /etc/hosts.allow. It allows connections
from any host.
The syntax I am using for /etc/hosts.allow is

ALL : IP/FQDN : allow    (for 5/6 hosts)
ALL : ALL : deny         (last line)

The permissions on both the files are 644 and root:other. I tried
restarting sshd and it doesn't help. My inetd.conf is commented out
almost completely. Am I missing something here?
Re: tcp wrappers 7.6 with IPV6 support && Open SSH 3.7 p2 on solaris 8
I think it's seeing the ALL in allow and letting in everything. I depend
on those files, but I use a bit diff. version (Linux / Slackware / xinetd).
I run lots of services and am on the Internet 24x7; my policy defaults
to allow, which is what you get if a host doesn't match any line in the
files. As soon as a host matches one line, the search ends, the
authorization is performed, and the rest of the files aren't looked at.
This is different from auth files like Apache, where both are searched.
So, hosts hit the ALL:ALL in hosts.allow and that's it. Again, mine
works like that, mostly yours will too. Example, let in everyone except
FTP-ABUSER.COM, TELNET-ABUSER.COM, ALL-ABUSER.COM (default allow policy;
what I use):
# Blank, nothing here
For a default deny policy (only hosts you say), example:
Let in MY-FRIEND.NET, FRIEND.ONLY.WANTS.FTP.COM,
SOMEONE.ELSE.JUST.TELNETS.ORG, ban everyone else.
Where proftpd = FTP daemon's name, telnetd = telnet daemon's name, etc.
There are ways of combining both access lists into one (I think) but
that seems more complex; this is nice and simple, and easy to add to or
subtract from. Also, I've had to ban entire TLDs and it works well this
way. Hope this helps....
- jayjwa 4 Spammers: mailto: firstname.lastname@example.org
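The first-match search order that the reply above describes (hosts.allow first, then hosts.deny, first matching line decides, no match means allow) is easy to get wrong by reading the files as if both were consulted. The simulator below is an added example, not code from either poster or from the tcp_wrappers project; it implements that lookup order from hosts_access(5), honours the trailing `: allow` / `: deny` field that hosts_options(5) adds (the single-file style the original poster uses), and runs both the default-allow and default-deny layouts from the reply against constructed sample files. Host names, addresses and file contents are all constructed; IPv6 client addresses (which contain colons) are out of scope for this toy parser.

```python
"""Added example (not from the thread): a small simulator of the
tcp_wrappers access-control semantics in hosts_access(5) and
hosts_options(5). hosts.allow is searched first, then hosts.deny; the
first matching rule decides, and a client that matches nothing is
allowed. A trailing ': allow' or ': deny' field (hosts_options extension)
overrides which file the rule sits in. Sample contents are constructed."""

import ipaddress


def _parse(text):
    """Turn the text of an access file into (daemons, clients, option) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                                 # malformed line: ignore
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def _client_matches(pattern, host, ip):
    """Subset of hosts_access(5) client patterns: ALL, '.domain' suffix,
    'n.n.n.' prefix, CIDR block, or an exact host name / IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern.lower() == host.lower() or pattern == ip


def _first_match(rules, daemon, host, ip):
    """Return (matched, option) for the first rule matching daemon and client."""
    for daemons, clients, option in rules:
        if any(d == "ALL" or d == daemon for d in daemons) and \
           any(_client_matches(c, host, ip) for c in clients):
            return True, option
    return False, None


def access_decision(hosts_allow, hosts_deny, daemon, host, ip):
    """Decide 'allow' or 'deny' the way tcpd does for one connection."""
    matched, option = _first_match(_parse(hosts_allow), daemon, host, ip)
    if matched:                                      # hosts.allow wins first
        return option if option in ("allow", "deny") else "allow"
    matched, option = _first_match(_parse(hosts_deny), daemon, host, ip)
    if matched:                                      # then hosts.deny
        return option if option in ("allow", "deny") else "deny"
    return "allow"                                   # no rule anywhere: allowed


# Constructed: default-allow layout (ban a few hosts, everyone else gets in)
OPEN_ALLOW = "# Blank, nothing here\n"
OPEN_DENY = """\
proftpd : ftp-abuser.example
telnetd : telnet-abuser.example
ALL     : all-abuser.example
"""

# Constructed: default-deny layout (only the named hosts get in)
CLOSED_ALLOW = """\
ALL     : my-friend.example
proftpd : friend.only.wants.ftp.example
telnetd : someone.else.just.telnets.example
"""
CLOSED_DENY = "ALL : ALL\n"

# Constructed: everything in hosts.allow, using hosts_options allow/deny
SINGLE_ALLOW = """\
ALL : 192.0.2.10, friend.example : allow
ALL : ALL : deny
"""

if __name__ == "__main__":
    for label, a, d in (("open", OPEN_ALLOW, OPEN_DENY),
                        ("closed", CLOSED_ALLOW, CLOSED_DENY),
                        ("single", SINGLE_ALLOW, "")):
        for daemon, host, ip in (("sshd", "random.example", "203.0.113.5"),
                                 ("proftpd", "ftp-abuser.example", "203.0.113.9"),
                                 ("sshd", "friend.example", "198.51.100.1")):
            print(label, daemon, host, access_decision(a, d, daemon, host, ip))
```

Running it shows the two behaviours side by side: in the default-allow layout an unknown host reaches sshd because nothing matched, while in the default-deny layout the same host is stopped by the `ALL : ALL` line in hosts.deny. The single-file form only works when the wrapper library was built with the hosts_options extensions, which is the first thing to verify when a `: deny` field appears to be ignored.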