Sshd ignores /etc/hosts.allow and /etc/hosts.deny

Hello everyone,
I've just found out that sshd ignores /etc/hosts.allow and /etc/hosts.deny completely on my machine. It doesn't make use of tcp_wrappers. I am using the standard Arch package. Either my settings are wrong, or this is a severe security problem. It was a terrible surprise to find out that my server is under severe dictionary attacks all the time, despite the denyhosts script I am using.
These are my settings:

/etc/hosts.deny:
    ALL: ALL

/etc/hosts.allow:
    # some nfs daemons: 192.168.1.0/255.255.255.0
    sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
    mysqld: 192.168.1.0/255.255.255.0

/etc/hosts.evil:
    195.113.21.131
    60.10.6.53

A simple experiment to verify the settings:

    [[email protected] etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.131
    warning: sshd: no such process name in /etc/xinetd.conf
    client: address 195.113.21.131
    server: process sshd
    matched: hosts.deny line 5
    access: denied
    [[email protected] etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.130
    warning: sshd: no such process name in /etc/xinetd.conf
    client: address 195.113.21.130
    server: process sshd
    matched: hosts.allow line 10
    access: granted

This seems to be fine. But when I go to the machine 195.113.21.131, I can simply log in with no trouble at all.
This is really strange. Does it have something to do with the xinetd warning? I am not using xinetd... Maybe I'm doing something wrong. If you have experienced such trouble, please give me a hint.

elasticdog wrote: So should our package not have the ListenAddress 0.0.0.0 line uncommented by default?  My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid.  That way users don't have to specify their local IP address.  Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless of the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as long as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.
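
The decision tcpdmatch reports for the files in the first post can be reproduced with a small evaluator of the hosts_access(5) rules (hosts.allow first, then hosts.deny, otherwise grant, with EXCEPT and a file-name pattern). This is an added example, not part of the original thread or of tcp_wrappers; the file contents are constructed copies of the posted ones, the function names are hypothetical, and only IPv4 address patterns are handled.

```python
import ipaddress

# Constructed copies of the three files quoted in the post (comment lines dropped).
FILES = {
    "/etc/hosts.allow": "sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil\n"
                        "mysqld: 192.168.1.0/255.255.255.0\n",
    "/etc/hosts.deny": "ALL: ALL\n",
    "/etc/hosts.evil": "195.113.21.131\n60.10.6.53\n",
}


def tokens(text):
    # List elements are separated by blanks and/or commas.
    return text.replace(",", " ").split()


def match_item(pattern, value, is_client):
    if pattern == "ALL":
        return True
    if not is_client:
        return pattern == value                      # daemon process name
    if pattern.startswith("/"):                      # file holding address patterns
        return match_list(tokens(FILES.get(pattern, "")), value, True)
    if pattern.endswith("."):                        # prefix such as "192.168.1."
        return value.startswith(pattern)
    if "/" in pattern:                               # net/mask pair
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return pattern == value


def match_list(items, value, is_client):
    # "a EXCEPT b EXCEPT c" is read as (a EXCEPT (b EXCEPT c)).
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (match_list(items[:i], value, is_client)
                and not match_list(items[i + 1:], value, is_client))
    return any(match_item(p, value, is_client) for p in items)


def first_match(path, daemon, client):
    for line in FILES[path].splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")                     # IPv4 only: no ':' inside addresses
        if len(fields) < 2:
            continue
        if (match_list(tokens(fields[0]), daemon, False)
                and match_list(tokens(fields[1]), client, True)):
            return line
    return None


def check_access(daemon, client):
    # Order from hosts_access(5): hosts.allow, then hosts.deny, otherwise grant.
    for path, verdict in (("/etc/hosts.allow", "granted"), ("/etc/hosts.deny", "denied")):
        rule = first_match(path, daemon, client)
        if rule is not None:
            return verdict, path, rule
    return "granted", None, None


if __name__ == "__main__":
    for addr in ("195.113.21.131", "195.113.21.130"):
        print(addr, *check_access("sshd", addr))
```

A daemon that accepts a connection this evaluation denies is not applying the rules as written, which is the symptom the thread describes.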

Similar Messages

  • [SOLVED] how do hosts.allow and hosts.deny work?

    I understand the basic concepts of hosts.allow and hosts.deny, but I am interested in how it works.  What actually blocks access to the services?  Do they do it themselves?  Or is it something in the kernel that does it?
    For example, if I have this in my hosts.allow:
    sshd:all
    #mysqld: all
    And this is my hosts.deny:
    ALL: ALL: DENY
    This will result in people being able to connect to sshd but not mysqld.  Are sshd and mysqld programmed to read these hosts.allow and hosts.deny files?  Or is there something stopping the connection before it even gets to the daemon?
    The hosts.allow and hosts.deny man pages refer to tcpd, but it is not running on my system.  Also, hosts.allow and hosts.deny never show up in the output of `lsof`.  hosts.allow and hosts.deny belong to the tcp_wrappers package, but there is nothing else in the package that illuminates my question.
    Last edited by partner55083777 (2010-03-15 12:35:51)

    Thanks guys.
    However most common network service daemons today can be linked against libwrap directly.
    Sure enough,
    $ ldd /usr/sbin/sshd
        linux-vdso.so.1 =>  (0x00007123451ff000)
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00007fffbd6d000)
        libpam.so.0 => /lib/libpam.so.0 (0x00007f99765f1000)
    $
    Here is also a little bit more information about libwrap:
    http://en.wikipedia.org/wiki/Libwrap
    Last edited by partner55083777 (2010-03-15 20:03:11)

  • Daemons for hosts.allow and hosts.deny?

    I want to use hosts.allow and hosts.deny to restrict access to my servers, but I'm not sure what daemons to use in the config files for services like remote desktop or server admin. Is there any way to specify those services? Can you do it with port numbers instead of service names? (man 5 hosts_access wasn't very clear to me.)
    For services like http and ssh, it's a no-brainer, but I can't figure out the Apple specific stuff.
    Thanks,
    Miles
    11 G4 XServes...   Mac OS X (10.4.5)  

    If you are referring to the python script, "denyhosts" that works in conjunction with xinetd, this simply works under 10.3.x, I've used it once successfully. It needs to be configured correctly, but it does work. Did not try it with 10.4, but...
    the far better option is described by Leland.

  • How to get the "host printer" and "destination host" as part of spad output

    Hi ..
    If i run the spad tcode and then i choose one printer, i see 4 folders: Device Attributes, Access Method, Output Attributes and Tray Info.
    If i go to Device Attributes i see: Device Type, Spool Server, Host, Device Class, Model, location , Message, lock printer in sap system.
    If i go to Access Method i see the fields: Host Spool Access Method, Host Printer and Destination Host.
    I am creating a report that needs the information mixed between the folder Device Type and Access Method folder
    If i run spad tcode and enter "*" in Output devices i see only some of the fields i need but i need to see other fields that are contained into Access Method folder, this means, i need the complete report of all printers i have in my system with this fields:
    Device Attribute - Output device   (spad - entering "*")
    Device Attribute - Spool Server (spad - entering "*")
    Device Attribute - Location or message  (spad - entering "*")
    Device Attribute - Lock printer in SAP system (i do not see it if i run spad and choose all "*")
    Access Method - Host Printer  (i do not see it if i run spad and choose all "*")
    Access Method - Destination Host  (i do not see it if i run spad and choose all "*")
    Access Method - Do not Query Host Spooler for Output Status.  (i do not see it if i run spad and choose all "*")
    Could you please let me know how i can get the output of all the devices (printers) i have in my system with the above fields shown?
    Thanks in advance.
    Sapskystars.

    As far as I can read you can find all that info in table TSP03D
    Regards
    Juan

  • Setting global umask via NSUmask or /etc/launchd.conf and /etc/launchd-user.conf broken?

    The procedure to change the default global umask from 0022 to 0002, so that most files created by one user on a machine will be read-write by other users in the same group, seems to have been broken or to have been changed in OS X Lion from OS X Snow Leopard.  What worked as far back as OS X 10.4 and was officially documented was done from Terminal: "defaults write /Library/Preferences/.GlobalPreferences NSUmask 2" (with a sudo, if not logged in as 'root').
    Another way documented in various places and which I actually used through OS X 10.6 was also done via Terminal. Two files were created: /etc/launchd.conf (for system-wide global umask) or /etc/launchd-user.conf (for user-specific global umask).  The contents of each were simply the single umask command, "umask 002" or ("umask u=rwx,g=rwx,o=rx", I can't remember which variant I used - they're functionally the same, though).
    No matter which method I use, the 2nd or the 1st, the global umask no longer changes.
    Does anyone know whether this has been deliberately hobbled under OS X Lion, requiring purchase of OS X Lion Server?  Is this an OS X Lion bug?  Or, am I looking at something wrong?

    See this support article, which was written for OS X Server, but seems applicable to  Mac OS X client versions as well:
    Mac OS X Server v10.5, 10.6: Setting a custom umask
    The excerpt below describes the use of /etc/launchd-user.conf, and strongly cautions against using /etc/launchd.conf.
    Umask for user applications
    In Mac OS X v10.5.3 and later, you can create the file /etc/launchd-user.conf with the contents "umask nnn". Do not include the quotation marks and replace nnn with the desired umask value, such as 027 or 002.
    This will set the user's umask for all applications they launch, such as Finder, TextEdit, or Final Cut Pro, and control the permissions set on new files created by any of these applications.
    Umask for system processes
    In Mac OS X v10.4 and later, create the file /etc/launchd.conf with the contents "umask nnn". Do not include the quotation marks and replace nnn with the desired umask value, such as 027 or 002.
    This will set the umask for all processes. Changing this value is strongly discouraged because it changes the permissions on files used by the system software. If the permissions are too restrictive, dependent software may not work. If the permissions are too open, they may introduce security issues.

  • [SOLVED] grub2 recreate /etc/default/grub and /etc/grub.d

    I made lot of changes on /etc/default/grub so i decided to remove it along with the /etc/grub.d/* to start from scratch. I thought that after reinstalling grub-bios package these files will be automatically recreated. But I wasn't right. How can I get them recreated?
    Last edited by dummyan (2012-08-25 19:06:29)

    Found the solution, files are actually included in grub-common package. Marking as solved.

  • /etc/hosts.allow versus iptables/firewall?

    What's the relation between the /etc/hosts.allow and /etc/hosts.deny files, on the one hand, and a host firewall on the other? If I'm going to configure iptables on a machine, is there any point to having any non-trivial rules in /etc/hosts.allow and /etc/hosts.deny too? Or should I just set them to let everything connect and do all my configuration through iptables?
    (Well, really, I'm going to use some iptables-for-dummies tool like ufw or firehol.)

    I cannot agree that hosts.{allow,deny} are 'a lot more basic'. They're different from iptables, they work on a different level and offer different capabilities, but it would be much harder with iptables to grant/deny access according to:
    - ident lookup
    - NIS netgroup
    - domain name
    - consistent ip->name and name->ip mapping
    and so on; man 5 hosts_access and man hosts_options contain some examples. On the actions side, in addition to granting or denying access, an arbitrary command can be run in parallel with or instead of the called service, with some useful information about the connection available as %variables.
    Tcp_wrappers do not have to be called by the protected service itself; they can be used with everything that uses TCP and can be run via (x)inetd, with a little help from tcpd(8).
    I prefer iptables myself (no use in letting unwanted traffic pass any further than strictly necessary), but tcp_wrappers make a really nice and useful complementary solution.

  • Hosts.allow option spawn parameter not work

    Hi,
    I would like to use BlockHosts and spawn it with the spawn keyword from hosts.allow, but the option parameter does nothing for me.
    I tried several configurations with different sshd entries and results are below
    hosts.deny:
    ALL:ALL:DENY
    With hosts.allow:
    sshd:ALL
    I can connect to sshd.
    With hosts.allow:
    sshd:ALL:DENY
    I can still connect to sshd. But I do not know why.
    With hosts.allow:
    sshd:ALL:spawn (echo "some tries to log" >> /var/tmp/sshd.tmp)
    I can connect but nothing is written to temporary log file.
    With an empty hosts.allow I cannot connect to sshd.
    I cannot find any clue, from man entry everything seems clear, but it does not work as it is written in doc.
    Thanks,
    Ondra
    Last edited by xnovako2 (2010-02-20 16:53:23)

    The access files are read in the order /etc/hosts.allow, then /etc/hosts.deny.
    By default, /etc/hosts.deny contains ALL:ALL:DENY. Only the first two fields are important; the third, DENY, is the placeholder for shell scripts. Only the first two are considered, so ALL:ALL means that all daemons for all connections will not be allowed access. You can add a specific service like sshd using sshd:ALL in /etc/hosts.allow to allow access.
    With sshd:ALL:DENY, the DENY part is the place where you should put the location of your shell script (absolute path); writing DENY will not deny it access.
    http://linux.die.net/man/5/hosts.allow
    Use the above link for complete help on this.

  • How to use the hosts.allow option in Directory Server?

    I would like to limit access to a directory server instance to localhost. I see in the Directory Server Control Center that there is an option to do this with a hosts.allow and/or hosts.deny file.
    What do I enter as the service name for the instance in the hosts.allow file?
    Thank you.

    See:
    http://docs.sun.com/app/docs/doc/820-2491/6ne3dhdgt?l=en&a=view#gcwym
    And perhaps more useful:
    http://docs.sun.com/app/docs/doc/820-2495/6ne3hbg4j?l=en&a=view
    This feature is basically an app-specific instance of TCP wrappers, so look up "TCP wrappers" in your favorite search engine for more.

  • Set Forwarder mail between hosting company and MS online exchange

    Hello,
    This is Dharam from Ahmedabad, I can be contacted on 9638208855 ([email protected]).
    I wants to use ms online exchange for some of users in my company. I have 10 users having mail ids with hosting company and 2 users are having exchange plan with other company by forwarding mails to particular link on 123together.com
    Yesterday, i have signup for free 365 account for 1 month, as i am expected to buy only mail exchange plan for 5 users but after getting my requirements.
    I have set the forwarder to mail id i am able to receive through the [email protected] on all application of mail such as on desktop, mobile, owa etc... but while i am replying to those users its using id [email protected]
    which can be used by [email protected] which my domain and forwarded to online exchange services.
    As my boss is having exchange plan with 123together.com i have observed that they are using forwarder and same thing but receiving and sending mail from [email protected] on all the application of mail, they didn't even asked for domain setup.
    So i want to clear some my confusion before to proceed for the paid services, that can i able to serve this service for some users and some can be able to use the existing one without exchange on the hosting company by forwarding some users to online exchange.
    I hope to hear more from you.
    Dharam Kappadiya.
    9638208855

    Hi Matthew,
    Thanks for the reply,
    My concern is i don't want to transfer my whole domain to MS Online Exchange just wants to create Account and wants to set forwarder to my [email protected] from MS to etc... and from hosting company i have to set forwarder for [email protected]
    to [email protected] whatever the id has been created.
    So is it possible to do this because while setting up an account users its asking for DNS MX Record and TXT, which is for the whole domain users and i don't wants to do than.
    So Please guide me before i can go somewhere else.

  • Tcp wrappers /etc/hosts.allow format

    since most of the services that were originally run from
    the /etc/inet/inetd.conf file on pre-Solaris 10 systems
    are now run from smf, what are the "in.*" service names
    that should be placed in the /etc/hosts.allow file?
    also is there a "safe_finger" available for use that can
    be used in the /etc/hosts.deny file or should the
    "standard" Solaris 10 finger be used?
    Thanks


  • Oracle 11gR2 RAC VM and SCAN and DNS and /etc/hosts (two) setup questions

    Hi,
    I am looking forward to setting up two Oracle 11gR2 RAC instances
    on my Oracle VM test machine.
    I plan on using the Oracle 11gR2 RAC VM template.
    I want the final Oracle 11gR2 RAC instances to have SCAN that uses DNS.
    The DNS will be pre-installed in the JeOS.
    My first simple question about the setup is the following.
    In my DNS name file, for example,
    /var/named/chroot/var/named/milkyway.univ.db
    do I need to provide the racnode1 and racnode2 information,
    for example,
    # DNS name file (snippet)
    myjeos IN A 192.168.1.150
    racnode1 IN A 192.168.1.161
    racnode1-vip IN A 192.168.1.163
    racnode2 IN A 192.168.1.162
    racnode2-vip IN A 192.168.1.164
    rac-scan IN A 192.168.1.131
    rac-scan IN A 192.168.1.132
    rac-scan IN A 192.168.1.133
    Or, can I just provide only the rac-scan information
    # DNS name file alternate (snippet)
    myjeos IN A 192.168.1.150
    rac-scan IN A 192.168.1.131
    rac-scan IN A 192.168.1.132
    rac-scan IN A 192.168.1.133
    What I am getting at is the following.
    Within the install process, will racnode1, racnode1-vip, racnode2,
    and racnode2-vip host names and their IP address be written
    to the RAC instances /etc/hosts files? (So I should not bother
    to put them in the DNS name file like '# DNS name file alternate (snippet)'?)
    Or, should I put the racnode and racnode-vip host names and IP addresses
    in the DNS name file like '# DNS name file (snippet)'?
    The second question is the following.
    Are the cluster name and the scan name allowed to be different?
    Currently, I would plan them to be different,
    for example, rac-cluster and rac-scan.
    Or, are they required to be the same,
    for example, rac-cluster and rac-cluster.
    Thank you.
    AIM

    AIM wrote:
    do I need to provide the racnode1 and racnode2 information,
    Or, can I just provide only the rac-scan information
    You need to provide all of it in DNS, because other hosts in your network will need to be able to resolve all of the normal, VIP and SCAN addresses for your RAC nodes. We write this data out to /etc/hosts just to reduce the amount of round-trip DNS requests the cluster nodes make for themselves.
    AIM wrote:
    Are the cluster name and the scan name allowed to be different?
    They can be different.

  • Entry in /etc/hosts.allow for insecure VNC?

    I read the ssh wiki article which teaches to add an entry to /etc/hosts.allow for sshd.  I know that tunneling vnc through sshd is the way to go security wise, however, there are cases where I need to switch on un-encrypted vnc for the purposes of sharing my X11 session with family members.  Anyway, my question deals with an entry in the /etc/hosts.allow for gnome's desktop sharing (which is vnc as I understand it).  Does anyone know the syntax to allow vnc for any incoming connection (default port of 5900)?
    I have tried:
    vino: ALL
    Xvnc: ALL
    X11vnc: ALL
    None of which worked.
    Thanks!

    when I don't know what's the name of the process listening to specific port, I always execute
    netstat -tnlp
    to get the proper processes' names.

  • Syntax of ip ranges in /etc/hosts.allow

    How does one define a range of IP addresses in the /etc/hosts.allow?  Pasted from the ssh wiki article
    # let everyone connect to you
    sshd: ALL
    # OR you can restrict it to a certain ip
    sshd: 192.168.0.1
    # OR restrict for an IP range
    sshd: 10.0.0.0/255.255.255.0
    # OR restrict for an IP match
    sshd: 192.168.1.
    If I just want 192.168.1.2 - 192.168.1.10 (inclusive), what would the syntax be for this?
    192.168.1.2/192.168.1.10 didn't work for me.
    Thanks.

    You can't do this on a single line AFAIK since .2 to .10 doesn't fit in any valid CIDR mask. You will need to add a line for each host individually:
    sshd: 192.168.1.2
    sshd: 192.168.1.3
    sshd: 192.168.1.4
    sshd: 192.168.1.5
    sshd: 192.168.1.6
    sshd: 192.168.1.7
    sshd: 192.168.1.8
    sshd: 192.168.1.9
    sshd: 192.168.1.10
    Technically there are multiple /30 masks that fit within that, but you'd still have to have multiple lines.
    Last edited by fukawi2 (2009-06-06 22:45:26)
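
For the 192.168.1.2 - 192.168.1.10 range asked about above, the aligned blocks can be computed and written in the `net/mask` form that hosts_access(5) matches with a bitwise AND of address and mask. This is an added example, not part of the original thread; the function names are hypothetical, and the second half re-checks the generated lines against every address in the /24.

```python
import ipaddress


def hosts_allow_lines(daemon, first, last):
    """Cover the inclusive IPv4 range first..last with aligned net/mask blocks,
    one hosts.allow line per block."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    lines = []
    for net in ipaddress.summarize_address_range(lo, hi):
        if net.prefixlen == 32:
            client = str(net.network_address)            # single host, no mask needed
        else:
            client = f"{net.network_address}/{net.netmask}"
        lines.append(f"{daemon}: {client}")
    return lines


def line_matches(line, addr):
    """Apply the net/mask rule: the address matches when (addr AND mask) == net."""
    client = line.split(":", 1)[1].strip()
    a = int(ipaddress.IPv4Address(addr))
    if "/" in client:
        net, mask = (int(ipaddress.IPv4Address(p)) for p in client.split("/"))
        return (a & mask) == net
    return a == int(ipaddress.IPv4Address(client))


def allowed_hosts(lines, subnet="192.168.1.0/24"):
    """List every address in the subnet that at least one generated line admits."""
    return [str(h) for h in ipaddress.ip_network(subnet)
            if any(line_matches(l, str(h)) for l in lines)]


if __name__ == "__main__":
    rules = hosts_allow_lines("sshd", "192.168.1.2", "192.168.1.10")
    print("\n".join(rules))
    print(allowed_hosts(rules))
```

Checking the generated lines against the whole subnet, as `allowed_hosts` does, catches a mask that admits a neighbouring address before the rule set is deployed.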

  • DHCP Reservation Sync and DNS Host record sync etc shown in IPAM GUI

    Hello all,
    I am aware of the scripts in the TechNet script center to sync DHCP leases etc to IPAM, however my question is about something else -
    If you highlight an IP address (IP address inventory->select an IP), You can see fields that say: "DHCP reservation sync", "DNS PTR record sync" and "DNS host record sync" as below:
    I was curious as to what these are for. Is there some built-in sync functionality for these that I perhaps have not enabled? (Don't see such options any where..)
    thanks,
    -Ravi

    Hi Ravi,
    The three columns tell us the information of the synchronization between IPAM server and DNS server (or DHCP server).
    Here is the detailed guide for using IPAM:
    Using the IPAM Client Console:
    https://technet.microsoft.com/en-us/library/jj878351.aspx#inventory
    IPAM can sync DNS and DHCP records.
    The IPAM database is separate from DHCP and DNS servers on our network, and full synchronization of hosts and IP addresses between IPAM and managed DNS or DHCP servers does not occur automatically unless we have configured automated tasks to perform this synchronization.
    For detailed information, see the DNS and DHCP record synchronization chapter in the following link:
    Multi-server Management:
    https://technet.microsoft.com/en-us/library/jj878329.aspx
    Best Regards,
    Leo
