From what I remember, hosts.allow and hosts.deny only work with services that use TCP Wrappers.
You can use the ldd command to determine if libwrap is compiled into a daemon:

    sudo ldd /usr/sbin/sshd | grep wrap

For me ssh has libwrap compiled in, so I could use either iptables or /etc/hosts.deny to block access.

-- JD Austin
Voice: 480.269.4335 (480 2MY Geek)
jd@twingeckos.com


On Wed, Oct 15, 2014 at 2:05 PM, <techlists@phpcoderusa.com> wrote:


I use iptables to protect ssh.  Should I be using hosts.allow instead?  How does hosts.allow differ from using iptables to deny all IPs to a specific port except for the IPs you want to give access?

Keith



On 2014-10-15 15:52, jill wrote:
I would point out that fail2ban is a script that scours auth.log (as
root) for failed authentications, parses out the source host field,
then runs iptables (as root) to add rules for that host.  Especially
in light of things like Shellshock, think what an attacker could do
with a crafted packet that caused that log line to include malicious
commands in the host field.  You're better off properly hardening sshd
itself.

Whitelist in hosts.allow client IPs/domains you will be connecting
from and block all others if at all possible.
Set your sshd_config to:
- Never ever allow root login.  Ever.
- Whitelist explicitly what users/groups can connect on ssh.
- Disable password-based auth and use keys, protect the heck out of your
  private key.

-Jill


On 2014-10-15 17:10, Stephen M wrote:
I am trying to learn about ssh and remoting into a computer from out of my
house.  I have all the ability to do this but I want to make sure my
desktop is secured.  I will basically be either using resources on my
desktop or backing up files to my laptop.

From what I have read, denyhosts and fail2ban are the same, the only
difference is fail2ban requires more maintenance and has more options.  If
I am just trying to turn my desktop into a file server, what's the best
option here?

--
Stephen Melheim
602-400-7707
SMelheim85@gmail.com
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
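
Added example, not part of the original thread: a small shell audit for the three sshd_config settings recommended above (no root login, an explicit user/group whitelist, no password authentication). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks an sshd_config for the three settings listed in the thread.
# sshd keeps the FIRST value it reads for a keyword, keywords are case-insensitive,
# and lines after a "Match" line are conditional, so only the global part is read.

# Print the first global value of keyword $2 in file $1, lowercased; empty if unset.
sshd_first_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            # keyword and value are separated by whitespace and/or "="
            if (match(line, /[ \t=]+/)) {
                key = substr(line, 1, RSTART - 1); val = substr(line, RSTART + RLENGTH)
            } else { key = line; val = "" }
            key = tolower(key)
            if (key == "match") exit
            if (key == want) { print tolower(val); exit }
        }' "$1"
}

# Print one FAIL line per missing setting; return the number of failures.
audit_sshd_config() {
    bad=0
    root=$(sshd_first_value "$1" PermitRootLogin)
    pass=$(sshd_first_value "$1" PasswordAuthentication)
    allow=$(sshd_first_value "$1" AllowUsers)$(sshd_first_value "$1" AllowGroups)
    [ "$root" = no ] || { echo "FAIL PermitRootLogin is ${root:-unset}"; bad=$((bad + 1)); }
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication is ${pass:-unset}"; bad=$((bad + 1)); }
    [ -n "$allow" ] || { echo "FAIL no global AllowUsers/AllowGroups"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample config (not from the thread): the later "no" never takes effect.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak" <<'EOF'
# constructed sample
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication=yes
Match Address 192.0.2.0/24
    AllowUsers backup
EOF
audit_sshd_config "$tmp/weak" || echo "$? finding(s) in weak sample"
```

On a live host, `sshd -T` prints the effective configuration with defaults applied, which is the authoritative view of what the daemon will use.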

