Derek Ragona wrote:

>> I tried to implement a similar scheme in my hosts.allow on a FreeBSD
>> 5.2.1 server. But when I try to test it from an IP outside my LAN, it
>> still allows ssh logins. I even put in a line in hosts.allow to
>> explicitly deny the IP I was ssh'ing from, but it still let me in.
>> The behavior gives the appearance that TCP wrappers are not enabled,
>> and thus the /etc/hosts.allow file is ignored.
>>
>> Is there something I need to do to enable the wrappers in sshd? I saw
>> that there is a compile option for the portable source from
>> openssh.org, so I wonder if there is some compile option that needs to
>> be enabled in make.conf?
>>
>> I have gone through the documentation for sshd_config, sshd,
>> make.conf, etc. but am not finding anything to change.
>>
>> -Derek
>>
>> At 07:37 AM 9/19/2004, Terry wrote:
>>
>>> I had the same problem, so I set up hosts.allow to only allow access
>>> from certain IPs I require.
>>> This has the effect of killing the connection from any other IP before
>>> getting to any login prompt.
>>> Example below:
>>> sshd : localhost : allow
>>> sshd : 192.168.2. : allow
>>> sshd : 82.41.115.213 :allow
>>> sshd : 216.123.248.219 : allow <-- public IP I wish to allow; of
>>> course I have changed it
>>> sshd : all : deny
>>>
>>> This then shows in the log instead of failed login attempts:
>>>
>>> dot.blah.co.uk refused connections:
>>> Sep 17 22:11:55 dlt sshd[35669]: refused connect from
>>> usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)
>>>
>>> Regards Terry

I read somewhere the order is important. Have you tried exactly as I
posted, only changed the IPs to fit your setup? My FreeBSD version is
4.10 and I made no other changes; I think TCP wrappers are default.

Terry
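A first-match evaluator for the hosts.allow rules Terry posted, added here as an example (it is not code from the thread or from FreeBSD's libwrap). It models only the subset of hosts_access(5) syntax used above and shows why rule order matters: an explicit deny placed after a catch-all allow is never consulted. The MISORDERED_RULES block and the address 203.0.113.7 are constructed.

```python
# Added example, not from the thread or FreeBSD's libwrap: a first-match
# evaluator for the hosts.allow subset Terry posted (exact IPs, dotted
# prefixes like "192.168.2.", the "all" wildcard). "localhost" is simplified
# to 127.0.0.1; the real tcpd also matches hostnames and other forms.
def parse_rules(text):
    """Parse hosts.allow text into (daemon, client_pattern, action) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = [f.strip().lower() for f in line.split(":")]
        if len(fields) != 3 or fields[2] not in ("allow", "deny"):
            raise ValueError("unsupported hosts.allow line: " + line)
        rules.append(tuple(fields))
    return rules

def client_matches(pattern, ip):
    """Match one client pattern against a dotted-quad address."""
    if pattern == "all":
        return True
    if pattern == "localhost":
        return ip == "127.0.0.1"
    if pattern.endswith("."):        # network prefix, e.g. "192.168.2."
        return ip.startswith(pattern)
    return ip == pattern             # exact address

def hosts_access(rules, daemon, ip):
    """Action of the first matching rule; as in hosts_access(5), access is
    granted when no rule matches at all."""
    for rule_daemon, pattern, action in rules:
        if rule_daemon in ("all", daemon) and client_matches(pattern, ip):
            return action
    return "allow"

# Terry's rules as posted (spacing kept as in the message).
TERRY_RULES = """\
sshd : localhost : allow
sshd : 192.168.2. : allow
sshd : 82.41.115.213 :allow
sshd : 216.123.248.219 : allow
sshd : all : deny
"""
# Constructed variant: the explicit deny sits after a catch-all allow, so
# first-match evaluation never reaches it. 203.0.113.7 is a made-up address.
MISORDERED_RULES = """\
sshd : all : allow
sshd : 203.0.113.7 : deny
"""
```

Note that this only reproduces the rule logic; if sshd is not linked against libwrap, as Derek suspects, the file is never read at all and no ordering will help.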
When you build openssh, you need to be sure to add the --with-tcp-wrappers
argument when you run the configure script.

ex: ./configure --with-ssl-dir=../openssl --with-pam --with-tcp-wrappers

Hopefully this points you in the right direction.

-chris

On Fri, 24 Sep 2004, Terry wrote:

> Derek Ragona wrote:
>
>> I tried to implement a similar scheme in my hosts.allow on a FreeBSD
>> 5.2.1 server. But when I try to test it from an IP outside my LAN, it
>> still allows ssh logins. I even put in a line in hosts.allow to
>> explicitly deny the IP I was ssh'ing from, but it still let me in.
>> The behavior gives the appearance that TCP wrappers are not enabled,
>> and thus the /etc/hosts.allow file is ignored.
>>
>> Is there something I need to do to enable the wrappers in sshd? I saw
>> that there is a compile option for the portable source from
>> openssh.org, so I wonder if there is some compile option that needs to
>> be enabled in make.conf?
>>
>> I have gone through the documentation for sshd_config, sshd,
>> make.conf, etc. but am not finding anything to change.
>>
>> -Derek
At 03:50 PM 9/24/2004, Terry wrote:

> Derek Ragona wrote:
>
>> I tried to implement a similar scheme in my hosts.allow on a FreeBSD
>> 5.2.1 server. But when I try to test it from an IP outside my LAN, it
>> still allows ssh logins. I even put in a line in hosts.allow to
>> explicitly deny the IP I was ssh'ing from, but it still let me in.
>> The behavior gives the appearance that TCP wrappers are not enabled,
>> and thus the /etc/hosts.allow file is ignored.
>>
>> Is there something I need to do to enable the wrappers in sshd? I saw
>> that there is a compile option for the portable source from openssh.org,
>> so I wonder if there is some compile option that needs to be enabled in
>> make.conf?
>> I have gone through the documentation for sshd_config, sshd, make.conf,
>> etc. but am not finding anything to change.
>>
>> -Derek
>>
>> At 07:37 AM 9/19/2004, Terry wrote:
>>
>>> I had the same problem, so I set up hosts.allow to only allow access
>>> from certain IPs I require.
>>> This has the effect of killing the connection from any other IP before
>>> getting to any login prompt.
>>> Example below:
>>> sshd : localhost : allow
>>> sshd : 192.168.2. : allow
>>> sshd : 82.41.115.213 :allow
>>> sshd : 216.123.248.219 : allow <-- public IP I wish to allow; of
>>> course I have changed it
>>> sshd : all : deny
>>>
>>> This then shows in the log instead of failed login attempts:
>>>
>>> dot.blah.co.uk refused connections:
>>> Sep 17 22:11:55 dlt sshd[35669]: refused connect from
>>> usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)
>>>
>>> Regards Terry
>
> I read somewhere the order is important. Have you tried exactly as I
> posted, only changed the IPs to fit your setup?
> My FreeBSD version is 4.10 and I made no other changes; I think TCP
> wrappers are default.
> Terry

Terry,

I cut and pasted the lines as you had them, and just changed the IPs.
I had one less line originally where your public address line is, then
added a line to explicitly deny the one address I was testing from.

I do have a 4.10 server I will try this on as well.

Thanks for the reply.

-Derek

> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
At 04:54 PM 9/24/2004, Alex de Kruijff wrote:

> On Fri, Sep 24, 2004 at 04:03:04PM -0500, Chris Orr wrote:
>
>> When you build openssh, you need to be sure to add the --with-tcp-wrappers
>> argument when you run the configure script.
>>
>> ex: ./configure --with-ssl-dir=../openssl --with-pam --with-tcp-wrappers
>>
>> Hopefully this points you in the right direction.
>>
>> -chris
>
> This is a bit unusual for FreeBSD. If the default with the base system
> doesn't fit you, then you can use the port system to compile a newer
> version. cd /usr/ports/.../ssh && make install && make clean
>
> --
> Alex

I guess I am asking: are the TCP wrappers enabled in the default base
system? If the wrappers are not enabled, do I need to build world with
some special compile option? Or build ssh from the port? If the port is
used, do I then need to reconfigure anything in the system to use the
port version instead of the base system ssh?

Thanks for your help.

-Derek
On Fri, Sep 24, 2004 at 05:09:05PM -0500, Derek Ragona wrote:

> I guess I am asking: are the TCP wrappers enabled in the default base
> system? If the wrappers are not enabled, do I need to build world with
> some special compile option?

Look at /usr/src/secure/usr.sbin/sshd/Makefile where it says:

LDADD+= -lssh -lcrypt -lcrypto -lutil -lz -lwrap ${MINUSLPAM}
                                          ^^^^^

Conclusion: tcp-wrappers are enabled by default in the sshd(8) built by
the base system.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK