From owner-freebsd-questions@FreeBSD.ORG Sun Mar 19 01:48:34 2006
Message-ID: <441CB86D.9080806@chrismaness.com>
Date: Sat, 18 Mar 2006 17:48:29 -0800
From: Chris Maness
To: Kris Kennaway
Cc: freebsd-questions@freebsd.org
References: <441CA1F9.20301@chrismaness.com> <20060319004947.GA65074@xor.obsecurity.org> <441CB2D8.3090707@chrismaness.com> <20060319013253.GA65688@xor.obsecurity.org>
In-Reply-To: <20060319013253.GA65688@xor.obsecurity.org>
Subject: Re: hosts.allow ?
Kris Kennaway wrote:
> On Sat, Mar 18, 2006 at 05:24:40PM -0800, Chris Maness wrote:
>
>> Kris Kennaway wrote:
>>
>>> On Sat, Mar 18, 2006 at 04:12:41PM -0800, Chris Maness wrote:
>>>
>>>> My denyhost script is doing its job by adding:
>>>>
>>>> sshd: 62.149.232.105 : deny
>>>>
>>>> to the hosts.allow file, but I see that this host is still making
>>>> attempts to get into my box.
>>>>
>>> Where do you see this (i.e. logged by what)?  hosts.allow doesn't
>>> block the IP from connecting to the port, it blocks the application
>>> that listens on the port from allowing this IP to authenticate.
>>> e.g. your firewall may still log the connection.
>>>
>> p.s. I tried a test from another one of my hosts by adding a line just
>> like the one above and it still allows me to login.
>>
>
> Sounds like something else is wrong with your hosts.allow then.
>
> Kris
>

I tried running sshd off of inetd instead of in daemon mode.  It still
didn't work.  Here is the file:

#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.19 2004/08/03 08:58:34 ume Exp $
#
# NOTE: The hosts.deny file is deprecated.
#       Place both 'allow' and 'deny' rules in the hosts.allow file.
#       See hosts_options(5) for the format of this file.
#       hosts_access(5) no longer fully applies.

#    _____                                 _      _
#   | ____|_  ____ _ _ __ ___  _ __ | | ___| |
#   |  _| \ \/ / _` | '_ ` _ \| '_ \| |/ _ \ |
#   | |___ >  < (_| | | | | | | |_) | |  __/_|
#   |_____/_/\_\__,_|_| |_| |_| .__/|_|\___(_)
#                             |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 [::1] : allow
ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
ALL : [fe80::%fxp0]/10 : allow
ALL : [fe80::]/10 : deny
ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
rpcbind : 192.0.2.32/255.255.255.224 : allow
rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny

# NIS master server. Only local nets should have access
ypserv : localhost : allow
ypserv : .unsafe.my.net.example.com : deny
ypserv : .my.net.example.com : allow
ypserv : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected.
ALL : ALL \
	: severity auth.info \
	: twist /bin/echo "You are not welcome to use %d from %h."
sshd: 131.113.74.44 : deny
sshd: 219.235.52.5 : deny
sshd: 211.215.16.60 : deny
sshd: 211.144.8.211 : deny
sshd: 62.149.232.105 : deny
sshd: 208.179.97.3 : deny
ftpd : 208.179.97.3 : deny
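The posted file starts with `ALL : ALL : allow`, and its own comment says that line "prevents the rest of the file from working" because rules are applied on a first-match-wins basis: every connection, including the one from 62.149.232.105, matches that first rule and the `sshd: ... : deny` lines at the bottom are never reached. The following Python script is an added example written for this thread, not code from the poster or from FreeBSD. It is a simplified simulator of the hosts_options(5) evaluation order (comments, backslash continuations, escaped `\:` colons, `ALL`, `localhost`, dotted domain suffixes, IPv4/IPv6 literals with CIDR or dotted netmasks; `PARANOID`, `KNOWN` and ident lookups are not modelled) and runs it over two constructed rule sets: `BROKEN_RULES`, shaped like the posted file, and `FIXED_RULES`, with the specific deny placed before the catch-all.

```python
import ipaddress
import re

# Constructed rule sets for this example (not the original poster's file).
# BROKEN_RULES mirrors the posted file's shape: a catch-all allow first and
# the denyhosts line last, so the deny can never be reached.
BROKEN_RULES = """\
# Start by allowing everything (first match wins, so nothing below can fire)
ALL : ALL : allow
sshd : 62.149.232.105 : deny
"""

# FIXED_RULES: specific denies first, local allows next, catch-all last.
FIXED_RULES = """\
sshd : 62.149.232.105 : deny
ALL : localhost 127.0.0.1 [::1] : allow
rpcbind : 192.0.2.32/255.255.255.224 : allow
rpcbind : ALL : deny
ALL : ALL \\
    : severity auth.info \\
    : twist /bin/echo "You are not welcome to use %d from %h."
"""


def parse_rules(text):
    """Turn hosts.allow text into (daemons, clients, action) tuples.

    Lines beginning with '#' are comments; a trailing backslash joins the
    next line. The action is the effective verdict: a rule whose option
    list contains 'deny' or 'twist' denies (twist replaces the real daemon),
    any other matching rule allows, which is the hosts_options(5) default.
    Colons escaped as '\\:' (as in the fingerd spawn rule) are not split on.
    """
    rules = []
    logical = ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):              # continuation: keep accumulating
            logical += line[:-1] + " "
            continue
        logical += line
        fields = [f.strip() for f in re.split(r"(?<!\\):", logical)]
        logical = ""
        if len(fields) < 2:
            continue
        daemons = fields[0].split()
        clients = fields[1].split()
        keywords = {f.split()[0].lower() for f in fields[2:] if f.split()}
        action = "deny" if keywords & {"deny", "twist"} else "allow"
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, addr, hostname=""):
    """Match one client pattern against a connecting host (simplified)."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if pattern == "localhost":
        return ip.is_loopback
    if pattern.startswith("."):              # domain suffix, e.g. .example.com
        return hostname.lower().endswith(pattern.lower())
    literal = pattern.replace("[", "").replace("]", "")  # [::1], [2001:db8::]/64
    try:
        if "/" in literal:                   # CIDR or dotted netmask
            return ip in ipaddress.ip_network(literal, strict=False)
        return ip == ipaddress.ip_address(literal)
    except ValueError:
        return False  # PARANOID, KNOWN, UNKNOWN and ident checks are not modelled


def check_access(rules, daemon, addr, hostname=""):
    """First matching rule decides; tcp wrappers grants access when none matches."""
    for daemons, clients, action in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(c, addr, hostname) for c in clients):
                return action
    return "allow"


def demo():
    """Evaluate the same connections against both constructed rule sets."""
    broken = parse_rules(BROKEN_RULES)
    fixed = parse_rules(FIXED_RULES)
    return {
        "broken_sshd_denyhosts": check_access(broken, "sshd", "62.149.232.105"),
        "fixed_sshd_denyhosts": check_access(fixed, "sshd", "62.149.232.105"),
        "fixed_sshd_localhost": check_access(fixed, "sshd", "127.0.0.1"),
        "fixed_rpcbind_lan": check_access(fixed, "rpcbind", "192.0.2.40"),
        "fixed_rpcbind_other": check_access(fixed, "rpcbind", "203.0.113.7"),
        "fixed_sshd_other": check_access(fixed, "sshd", "203.0.113.7"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Under `BROKEN_RULES` the sshd connection from 62.149.232.105 is allowed, exactly what the poster observed; under `FIXED_RULES` it is denied, while localhost and the rpcbind subnet still get through and everything else lands on the twist rule. On the FreeBSD host itself, `tcpdmatch sshd 62.149.232.105` answers the same question against the real /etc/hosts.allow, with the tcp wrappers parser rather than this approximation, and is the quicker check after editing the file.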