How to permit selective SSH access?

#1  06-03-2004  Gerard
Re: How to permit selective SSH access?

On Thu, 03 Jun 2004 10:00:48 -0700, Reply-Via-Newsgroup Thanks scribbled:

> Folks,
>
> I have tried reading the 'man' page on ssh and attempted to configure
>
> /etc/ssh/hosts.equiv
> .shosts
>
> to only permit access to the server from a select number of IP addresses
> however it doesn't work (meaning access is permitted from all IP
> addresses regardless of origin).
>
> I just placed the IP addresses in the above files - Can someone provide
> me with some examples or suggest where I am going wrong?
>
> Please reply via the newsgroup so all can learn,
>
> Thanks in advance,
> Randell D.


Randell,

There's a set of files, called hosts.allow and hosts.deny in the /etc
directory that govern access from the outside world to services on your
server.

The best policy for those files is to deny access to everyone and allow
access to restricted ip's. To do that, add a line to hosts.deny like:

ALL: ALL

This means that all services are denied from everyone. (hey, that's
exactly what we wanted! ;)

Then, in the hosts.allow file add lines to allow certain types of access to
specified ip's:

ALL: localhost
ALL: myn.et.wo.rk/255.255.255.0

service1: all.owe.dip.no1
service2: all.owe.dip.no1

etcetera, ymmv

the general syntax of these lines is:

daemon_list : client_list [ : shell_command ]

where:
daemon_list is a list of one or more daemon process names (argv[0] values)
or wildcards (see below).

client_list is a list of one or more host names, host addresses, patterns
or wildcards (see below) that will be matched against the client host name
or address.

As you can see, you can also add a shell-command to be able to do all kinds
of things in case of access, for example log access (attempts).

HTH


--
GerardLinux ay tee filternet dee oo tee ann el

ACHTUNG!!
Das machinen is nicht fur gefingerpoken und mittengrabben. Ist easy
schnappen der spingenwerk, blowenfusen und corkenpoppen mit spitzensparken.
Ist nicht fur gewerken by das dummkopfen. Das rubbernecken sightseeren
keepen handen in das pockets. Relaxen und vatch das blinkenlights!!!
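As an added illustration of the deny-all / allow-a-few layout described above (this is not code from the thread), the following simulates the hosts_access(5) decision order for sshd: a match in hosts.allow grants, a match in hosts.deny refuses, and anything matching neither is allowed. The rule files and addresses are constructed; EXCEPT lists and the other wildcards are not modelled, and real sshd only consults these files when it is linked against libwrap.

```python
import ipaddress

# Constructed rule files: deny everything, then allow localhost, one net/mask and one host for sshd
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
ALL: localhost
ALL: 192.0.2.0/255.255.255.0
sshd: 198.51.100.7
"""

def parse_rules(text):
    """Split a hosts.allow/hosts.deny file into (daemon_list, client_list) pairs.
    A third field (shell_command) is accepted on the line but not executed here."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0].split(), fields[1].split()))
    return rules

def client_matches(pattern, client):
    """ALL, net/mask, trailing-dot prefix and exact host/address patterns.
    EXCEPT lists and the other hosts_access(5) wildcards are not modelled."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:  # client is a host name, not an address
            return False
    if pattern.endswith("."):  # e.g. "192.0.2." matches 192.0.2.*
        return client.startswith(pattern)
    return pattern == client

def rules_match(rules, daemon, client):
    return any(("ALL" in ds or daemon in ds) and any(client_matches(p, client) for p in cs)
               for ds, cs in rules)

def access_granted(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access order: first match in hosts.allow grants, then first match
    in hosts.deny refuses, and a client matching neither file is allowed."""
    if rules_match(parse_rules(allow), daemon, client):
        return True
    if rules_match(parse_rules(deny), daemon, client):
        return False
    return True
```

Passing an empty deny file shows the pitfall the last rule encodes: without the `ALL: ALL` line in hosts.deny, an unlisted client is still let in.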
#2  06-03-2004  Gerard
Re: How to permit selective SSH access?

On Thu, 03 Jun 2004 10:00:48 -0700, Reply-Via-Newsgroup Thanks scribbled:

> Folks,
>
> I have tried reading the 'man' page on ssh and attempted to configure
>
> /etc/ssh/hosts.equiv
> .shosts
>
> to only permit access to the server from a select number of IP addresses
> however it doesn't work (meaning access is permitted from all IP
> addresses regardless of origin).
>
> I just placed the IP addresses in the above files - Can someone provide
> me with some examples or suggest where I am going wrong?
>
> Please reply via the newsgroup so all can learn,
>
> Thanks in advance,
> Randell D.


Oops, I forgot to mention the web-page I used to obtain this info:

http://linux.about.com/library/cmd/b...osts.allow.htm

Have fun!

--
GerardLinux ay tee filternet dee oo tee ann el

#3  06-03-2004  Gary Petersen
Re: How to permit selective SSH access?

On Thu, 03 Jun 2004 12:00:48 -0500, Reply-Via-Newsgroup Thanks created an
award-winning crop circle <c9mpcu$aau$1$8300dec7@news.demon.co.uk>, which
when translated into English means this:


> Folks,
>
> I have tried reading the 'man' page on ssh and attempted to configure
>
> /etc/ssh/hosts.equiv


You mean /etc/ssh/shosts.equiv
^

#4  06-03-2004  Tim Haynes
Re: How to permit selective SSH access?

Gerard <DontWant@SP_aM.nl> writes:

[snip]
> There's a set of files, called hosts.allow and hosts.deny in the /etc
> directory that govern access from the outside world to services on your
> server.


A minor note: they are config files for tcp-wrappers; if a service is
linked against libwrap, it will appear to use hosts.{allow,deny}, otherwise
they'll have no effect.

Hence making sure sshd is built to use them would be wise:

| zsh/scr7, potato 11:33AM piglet/ % ldd /usr/sbin/sshd
[snip]
| libwrap.so.0 => /lib/libwrap.so.0 (0x4ed71000)

HTH,

~Tim
--
Now the cars come like rivers |piglet@stirfried.vegetable.org.uk
Night comes like madness |http://pig.sty.nu/about.html
Songs come like trains |
#5  06-03-2004  Jean-David Beyer
Re: How to permit selective SSH access?

Reply-Via-Newsgroup Thanks wrote:
>
> Folks,
>
> I have tried reading the 'man' page on ssh and attempted to configure
>
> /etc/ssh/hosts.equiv
> .shosts
>
> to only permit access to the server from a select number of IP addresses
> however it doesn't work (meaning access is permitted from all IP
> addresses regardless of origin).
>
> I just placed the IP addresses in the above files - Can someone provide
> me with some examples or suggest where I am going wrong?
>
> Please reply via the newsgroup so all can learn,
>
> Thanks in advance,
> Randell D.


I do it with iptables.

I have iptables set up to deny access from anyone to anything.

Then I selectively allow those IP addresses I care about to connect to
those ports I want.

So for ssh, I have entries like:

# For sshd daemon.
for sip in $[list of good guys for ssh]; do
$IPT -A IN_FIREWALL -p tcp -m state --state NEW \
-s $sip --dport ssh -j ACCEPT
done


--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 241939.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 07:25:00 up 2 days, 16:24, 5 users, load average: 2.05, 2.09, 2.08

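An added example (not Jean-David's script) of the approach above: it builds the per-source ACCEPT rules for port 22 on a chain whose last rule drops everything else, and walks the chain first-match so the policy can be checked before it is loaded. The chain name IN_FIREWALL comes from the post; the iptables path, the address list and the leading ESTABLISHED,RELATED rule (needed so replies to outbound connections are not dropped) are assumptions added here.

```python
import ipaddress

SSH_SOURCES = ["192.0.2.10", "198.51.100.0/24"]  # constructed "good guys" list
IPT, CHAIN = "/sbin/iptables", "IN_FIREWALL"      # assumed path; chain name as in the post

def build_rules(sources, port=22):
    """Ordered rules for the chain: allow replies to existing connections,
    allow NEW SSH only from listed sources, drop everything else."""
    rules = [{"state": "ESTABLISHED,RELATED", "src": None, "dport": None, "target": "ACCEPT"}]
    for src in sources:
        net = ipaddress.ip_network(src, strict=True)  # ValueError on typos or host bits set
        if net.prefixlen == 0:
            raise ValueError(f"{src} would open SSH to everyone")
        rules.append({"state": "NEW", "src": net, "dport": port, "target": "ACCEPT"})
    rules.append({"state": None, "src": None, "dport": None, "target": "DROP"})
    return rules

def render(rules):
    """Emit the iptables commands for review or for a firewall script."""
    cmds = []
    for r in rules:
        parts = [IPT, "-A", CHAIN]
        if r["dport"] is not None:
            parts += ["-p", "tcp", "--dport", str(r["dport"])]
        if r["state"]:
            parts += ["-m", "state", "--state", r["state"]]
        if r["src"] is not None:
            parts += ["-s", str(r["src"])]
        cmds.append(" ".join(parts + ["-j", r["target"]]))
    return cmds

def verdict(rules, src_ip, dport, state="NEW"):
    """First-match walk of the chain for one incoming TCP packet."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["state"] and state not in r["state"].split(","):
            continue
        if r["src"] is not None and ip not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return "DROP"  # unreachable with the trailing DROP rule, kept as the chain's fallback
```

The commands are only generated here; on a live box the chain still has to be created and reached from INPUT, and a malformed or all-zero source entry aborts generation instead of silently opening the port.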
#6  06-03-2004  Gary Petersen
Re: How to permit selective SSH access?

On Thu, 03 Jun 2004 04:52:07 -0500, Gerard created an award-winning crop
circle <pqwdme8k5goo.1o43c2qqn2eg7$.dlg@40tude.net>, which when translated
into English means this:

> [...]
> There's a set of files, called hosts.allow and hosts.deny in the /etc
> directory that govern access from the outside world to services on your
> server.
> [...]


I thought that /etc/hosts.allow and /etc/hosts.deny are only used
by /usr/sbin/tcpd.

Unless sshd is started by tcpd, those hosts files probably don't matter.

#7  06-03-2004  Gary Petersen
Re: How to permit selective SSH access?

On Thu, 03 Jun 2004 04:53:21 -0500, Gerard created an award-winning crop
circle <1lanhb8zn8xpd$.3ahfs2jawd90$.dlg@40tude.net>, which when
translated into English means this:

>
> Oops, I forgot to mention the web-page I used to obtain this info:
>
> http://linux.about.com/library/cmd/b...osts.allow.htm


man 5 hosts_access
man tcpd

>
> Have fun!


I'll try :)

#8  06-03-2004  Tim Haynes
Re: How to permit selective SSH access?

Gary Petersen <garyp1492.giggly+news@wiggly.earthlink.above.ne t> writes:

> On Thu, 03 Jun 2004 04:52:07 -0500, Gerard created an award-winning crop
> circle <pqwdme8k5goo.1o43c2qqn2eg7$.dlg@40tude.net>, which when translated
> into English means this:
>
>> [...]
>> There's a set of files, called hosts.allow and hosts.deny in the /etc
>> directory that govern access from the outside world to services on your
>> server.
>> [...]

>
> I thought that /etc/hosts.allow and /etc/hosts.deny are only used
> by /usr/sbin/tcpd.
>
> Unless sshd is started by tcpd, those hosts files probably don't matter.


No. They're used by libwrap, which tends to be linked directly into daemons
these days at configure-time, while I remember tcpd as more of an inetd
thing.

Oh, and portmapper uses them too.

~Tim
--
There's a lighthouse, Shining in the black, |piglet@stirfried.vegetable.org.uk
A lighthouse, Standing in the dark |http://pig.sty.nu/Pictures/
#9  06-03-2004  Gerard
Re: How to permit selective SSH access?

On Thu, 3 Jun 2004 11:52:07 +0200, Gerard scribbled:

> On Thu, 03 Jun 2004 10:00:48 -0700, Reply-Via-Newsgroup Thanks scribbled:
>
>> Folks,
>>
>> I have tried reading the 'man' page on ssh and attempted to configure
>>
>> /etc/ssh/hosts.equiv
>> .shosts
>>
>> to only permit access to the server from a select number of IP addresses
>> however it doesn't work (meaning access is permitted from all IP
>> addresses regardless of origin).
>>
>> I just placed the IP addresses in the above files - Can someone provide
>> me with some examples or suggest where I am going wrong?
>>
>> Please reply via the newsgroup so all can learn,
>>
>> Thanks in advance,
>> Randell D.

>
> Randell,
>
> There's a set of files, called hosts.allow and hosts.deny in the /etc
> directory that govern access from the outside world to services on your
> server.
>
> The best policy for those files is to deny access to everyone and allow
> access to restricted ip's. To do that, add a line to hosts.deny like:
>
> ALL: ALL
>
> This means that all services are denied from everyone. (hey, that's
> exactly what we wanted! ;)
>
> Then, in the hosts.allow file add lines to allow certain types of access to
> specified ip's:
>
> ALL: localhost
> ALL: myn.et.wo.rk/255.255.255.0
>
> service1: all.owe.dip.no1
> service2: all.owe.dip.no1
>
> etcetera, ymmv
>
> the general syntax of these lines is:
>
> daemon_list : client_list [ : shell_command ]
>
> where:
> daemon_list is a list of one or more daemon process names (argv[0] values)
> or wildcards (see below).
>
> client_list is a list of one or more host names, host addresses, patterns
> or wildcards (see below) that will be matched against the client host name
> or address.
>
> As you can see, you can also add a shell-command to be able to do all kinds
> of things in case of access, for example log access (attempts).
>
> HTH


Oh, well, AAMOF I forgot to mention that this worked in the way I described
in a fairly standard (as in: I didn't fumble around with it too much)
Redhat distribution.

cu

--
GerardLinux ay tee filternet dee oo tee ann el

#10  06-03-2004  Gerard
Re: How to permit selective SSH access?

On Thu, 03 Jun 2004 07:30:31 -0400, Jean-David Beyer scribbled:

> Reply-Via-Newsgroup Thanks wrote:
>>
>> Folks,
>>
>> I have tried reading the 'man' page on ssh and attempted to configure
>>
>> /etc/ssh/hosts.equiv
>> .shosts
>>
>> to only permit access to the server from a select number of IP addresses
>> however it doesn't work (meaning access is permitted from all IP
>> addresses regardless of origin).
>>
>> I just placed the IP addresses in the above files - Can someone provide
>> me with some examples or suggest where I am going wrong?
>>
>> Please reply via the newsgroup so all can learn,
>>
>> Thanks in advance,
>> Randell D.

>
> I do it with iptables.
>
> I have iptables set up to deny access from anyone to anything.
>
> Then I selectively allow those IP addresses I care about to connect to
> those ports I want.
>
> So for ssh, I have entries like:
>
> # For sshd daemon.
> for sip in $[list of good guys for ssh]; do
> $IPT -A IN_FIREWALL -p tcp -m state --state NEW \
> -s $sip --dport ssh -j ACCEPT
> done


I'd like to second this method. It seems to me that it's safer and more
likely to work, independent of tcpd, libwrapper or whatever. You tackle the
problem right at entry time.

Think I'll reconfigure mine like this also...

Tnx 4 the input.

--
GerardLinux ay tee filternet dee oo tee ann el
