hosts.allow and hosts.deny
I just got SSH up and running on openBSD 4.9. My problem is that I am able to connect to SSH when I have my IP of 192.168.1.2/255.255.255.0 listed in the hosts.allow file.
When I add "ALL: ALL" to hosts.deny, I can no longer SSH into my box. If I delete the hosts.deny file, I can connect again with no problems. The error I get is as follows: "ssh_exchange_identification: Connection closed by remote host". Any ideas what is going on? Last edited by amrogers3; 9th November 2011 at 04:31 AM.
Quote:
192.168.1.2/255.255.255.0
I will check syslog but there is nothing in the file except the above.
My opinion, FWIW:
SSH is designed for use on untrusted networks, including the Internet. You may notice that hosts_access(5) and related man pages are not mentioned in any of the SSH man pages. Generally, tcpd is not used with SSH.
Quote:
I read that hosts.allow needs to see a newline character. So I went in and modified the file. Still locked out. I could not SSH in from 192.168.1.2. I added the following to the hosts.deny file and it worked:
Code:
ALL EXCEPT 192.168.1.2
I deleted the hosts.allow file and I can still SSH in from 192.168.1.4. This is not good. I restarted the SSHD process just to be sure and I can still log in from 192.168.1.4. Last edited by amrogers3; 9th November 2011 at 11:32 PM. Reason: correction
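The hosts_access(5) search order, and the two file-format pitfalls the posts above touch on (a last line with no trailing newline, and a deny rule written without the ':' between daemon_list and client_list), are easiest to see in a small model of the matcher. The following is an added example, not tcpd/libwrap code and not from any post in this thread. It implements the manual's documented rules for a subset of the syntax: ALL, EXCEPT, dotted IPv4 addresses, trailing-dot prefixes, and net/mask pairs, which the manual matches as (address AND mask) == net. That last rule is worth noticing: 192.168.1.2 AND 255.255.255.0 is 192.168.1.0, not 192.168.1.2, so a pattern written as host/mask never matches any client, while 192.168.1.0/255.255.255.0 matches the whole subnet. A refusal by libwrap happens after the TCP handshake, which is exactly what the ssh client reports as "ssh_exchange_identification: Connection closed by remote host". The file contents in `main` are constructed to mirror the lines quoted in the thread; the daemon name "sshd" and the client addresses are assumptions.

```python
"""Small model of the hosts_access(5) decision for one daemon/client pair.

Added example for this thread, not libwrap/tcpd code. Documented order:
hosts.allow is searched first and a match grants access; otherwise
hosts.deny is searched and a match denies; otherwise access is granted.
Client patterns: ALL, a dotted IPv4 address, a trailing-dot prefix such as
"192.168.1.", and net/mask such as "192.168.1.0/255.255.255.0", matched as
(address AND mask) == net. EXCEPT is honoured. Two format pitfalls are
modelled the way tcp_wrappers treats them: a last line lacking its newline
is skipped, and a line without the ':' separator is skipped.
"""
import ipaddress
from typing import Callable, List, Tuple

Rule = Tuple[List[str], List[str]]   # (daemon tokens, client tokens)


def _tokens(field: str) -> List[str]:
    """List items are separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def parse_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Turn hosts.allow / hosts.deny contents into rules plus warnings."""
    rules: List[Rule] = []
    warnings: List[str] = []
    # \r is excluded because tcp_wrappers treats it as a list separator.
    stray = sorted({c for c in text if ord(c) < 32 and c not in "\t\n\r"})
    if stray:
        warnings.append("control characters in file: %r" % "".join(stray))
    if text and not text.endswith("\n"):
        warnings.append("last line has no trailing newline; it is ignored")
        text = text[: text.rfind("\n") + 1]          # drop the partial line
    for raw in text.replace("\\\n", " ").split("\n"):  # join continuation lines
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 2:
            warnings.append('missing ":" separator; rule ignored: %r' % raw)
            continue
        rules.append((_tokens(fields[0]), _tokens(fields[1])))
    return rules, warnings


def list_match(tokens: List[str], match: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c d' matches when a or b matches and 'c d' does not."""
    head, tail = tokens, []
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    if not any(match(tok) for tok in head):
        return False
    return not (tail and list_match(tail, match))


def client_match(pattern: str, client: str) -> bool:
    """Match one client pattern against a dotted IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # prefix form: "192.168.1." -> 192.168.1.x
        return client.startswith(pattern)
    if "/" in pattern:                   # net/mask form: (addr & mask) == net
        net, mask = pattern.split("/", 1)
        try:
            addr = int(ipaddress.IPv4Address(client))
            return addr & int(ipaddress.IPv4Address(mask)) == int(ipaddress.IPv4Address(net))
        except ipaddress.AddressValueError:
            return False                 # a bad net/mask expression never matches
    return pattern == client


def hosts_access(daemon: str, client: str, allow: str, deny: str) -> Tuple[bool, List[str]]:
    """Return (access_granted, warnings) for the given file contents."""
    warnings: List[str] = []
    for text, verdict in ((allow, True), (deny, False)):
        rules, found = parse_rules(text)
        warnings.extend(found)
        for daemons, clients in rules:
            if list_match(daemons, lambda t: t in ("ALL", daemon)) and \
               list_match(clients, lambda t: client_match(t, client)):
                return verdict, warnings
    return True, warnings                # no rule matched: access is granted


if __name__ == "__main__":
    # Constructed file contents modelled on the lines quoted in the thread.
    cases = [
        ("allow host/mask, deny ALL", "sshd: 192.168.1.2/255.255.255.0\n", "ALL: ALL\n", "192.168.1.2"),
        ("allow net/mask, deny ALL", "sshd: 192.168.1.0/255.255.255.0\n", "ALL: ALL\n", "192.168.1.2"),
        ("allow without newline", "sshd: 192.168.1.2", "ALL: ALL\n", "192.168.1.2"),
        ("deny line missing ':'", "", "ALL EXCEPT 192.168.1.2\n", "192.168.1.4"),
        ("deny ALL EXCEPT admin", "", "ALL: ALL EXCEPT 192.168.1.2\n", "192.168.1.4"),
    ]
    for label, allow, deny, client in cases:
        granted, warnings = hosts_access("sshd", client, allow, deny)
        print("%-26s %-12s %-8s %s" % (label, client, "granted" if granted else "denied", warnings))
```

Running it shows the first case denied (the host/mask pattern grants nothing, so "ALL: ALL" applies), the second granted, the third denied with a newline warning, the fourth granted with a separator warning, and the fifth denied for 192.168.1.4. On a real system the warnings correspond to what tcpd logs via syslog, which is the first place to look when hosts.allow appears to be ignored.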
Agreed. I was trying to create an IP access list first. My next step was to enable public key authentication. However, how can I allow/disallow IP addresses?
What security steps would you recommend besides enabling public key encryption, disallowing hosts/password based authentication? Thanks again for the replies.
While I don't use hosts_access myself, something you wrote above just caught my eye:
Quote:
OK. I'm going to take a wild guess that you have done some manual edit gyrations with your hosts.* files to add control characters, and that is the root cause of your problem. Text editors (vi, mg, emacs, vim, ... and the bazillion X-based ones) on Unix-like systems will automatically place newline bytes at the end of a line. As will echo(1), typically used with > or >> in a shell to put text in a file. It's just a guess, of course.

Now, I don't use hosts_access. Never have, never will. If I want to filter any packets, in -or- out, by IP address, I use PF. That is common practice, best practice, and my recommendation. PF is most commonly used when OpenBSD is deployed as a router/firewall, but you can use it on destination servers and on workstations. The PF User's Guide, which is part of the FAQ, starts here.

There are many choices for authentication. Both Public Key and Challenge/Response (used with s/key) are enabled by default, and I use both. I prefer PKA, because with SSH it is easy and simple to use. As an example, with OpenSSH's PKA tools, I could give you, and only you, shell access to a server of mine by trading information in this thread, publicly. You would create a key pair on your machine. One key is public, the other, private. You post the public key in the thread. I create an account that authorizes the ssh(1) client that uses that public key (matched mathematically to the private half you keep private), and give you the domain name or IP address of the server. No passwords are shared. Nothing passed between us in private. That public key is tied to your private key, which you keep. Only someone with that private key-half is authorized to use the account, as the authentication is two-way, requiring mathematical proof you have the private key.

I also use s/key, for times where I do not have a private key available -- public computers, other people's computers, whatever.
I do not fear keyloggers, even in public settings, because each login requires a unique passphrase. It's a one-time-use pad. I won't type anything private while on them, while logged in, for fear of those keyloggers. But the login? No worries.
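A concrete pf.conf(5) fragment for the PF approach recommended in the reply above, added here as an example; it is not from the post or from the PF User's Guide, and the interface name em0 and the admin address are assumptions. It blocks inbound traffic by default, admits SSH only from the listed address, and uses PF's source-tracking options to move any source that opens SSH connections too quickly into a blocked table. The symptom also differs from the libwrap case: a libwrap refusal happens after the TCP handshake (the "ssh_exchange_identification" error), whereas a PF block means the SYN is never answered and the client just times out.

```pf
# /etc/pf.conf fragment (added example; em0 and the address are assumptions)
int_if = "em0"
ssh_admins = "{ 192.168.1.2 }"
table <bruteforce> persist

set skip on lo

# Default deny for inbound traffic; let the host itself talk out.
block in log all
pass out quick

# Sources that hit the rate limit below are dropped outright.
block in quick from <bruteforce>

# Only the admin hosts may open SSH sessions to this box. Each source may
# open at most 3 new connections per 30 seconds; beyond that it is added to
# <bruteforce> and all of its existing states are flushed.
pass in quick on $int_if proto tcp from $ssh_admins to ($int_if) port 22 \
    keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and do it from a console rather than over SSH the first time, since a mistake in the pass rule locks out the admin host too. An address that trips the rate limit can be released with `pfctl -t bruteforce -T delete 192.168.1.2`.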
Quote:
Would you recommend PF for a Snort box? I am using my openBSD install as a Snort sensor. I see the current package of snort 2.8.6 on my openBSD 4.9 install is about to be end-of-lifed. Not sure when the packages will be updated. If you guys think a different OS would be better, let me know. OpenBSD is a steep learning curve but I am trying. I like the fact that openBSD is secure.
That's what I use. Just don't try to add special characters. Since I don't use hosts.allow, don't have time to try to recreate your problem in a lab, and don't have access to your files, I don't know if you've uncovered a bug or if you've done this to yourself.
There is an individual who maintains this port. You could either ask on the ports@ mailing list, or Email the maintainer with the question. Here's a link to the snort port's -current Makefile in the CVS repository, where you can pull the name and Email address: http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/net/snort/Makefile?rev=1.62;content-type=text%2Fplain
Oh, yes, just to clarify on when packages in general are updated. Not snort specifically, but all 3rd party packages.
The ports tree is synced to the flavor of OpenBSD you are using. If you use -release, that is twice per year. Updates to existing ports may occur if deemed warranted, in the -stable branch, following the same general limitations as -stable patches to the OS. No library changes, etc. Packages built from -stable ports may or may not be made available, as resources allow. Ports development follows the same cycle of development as the OS. The -current ports tree gets continuous development for approximately 4 months, then is frozen while a -release is prepared. "Snapshot packages" are built from time to time on the major architectures for the convenience of -current users, who may be able to use them if libraries are in sync. See FAQ 5.1 for a discussion of the flavors of OpenBSD and the development cycle.