From what I remember hosts.allow and hosts.deny only work with services
that use TCP Wrappers.
You can use the ldd commmand to determine if libwrap is compiled into a
daemon:
sudo ldd /usr/sbin/sshd| grep wrap
For me ssh has libwrap complied in so I could use either iptables or
/etc/hosts.deny to block access.
-- JD Austin
Voice: 480.269.4335 (480 2MY Geek)
jd@twingeckos.com
On Wed, Oct 15, 2014 at 2:05 PM, <
techlists@phpcoderusa.com> wrote:
>
>
> I use IPTable to protect ssh. Should I be using hosts.allow instead? How
> does host.allow differ from using IPTables to deny all IP's to a specific
> port except for the IP's you want to give access?
>
> Keith
>
>
>
> On 2014-10-15 15:52, jill wrote:
>
>> I would point out that fail2ban is a script that scours auth.log (as
>> root) for failed authentications, parses out the source host field,
>> then runs iptables (as root) to add rules for that host. Especially
>> in light of things like shell shock, think what an attacker could do
>> with a crafted packet that caused that log line to include malicious
>> commands in the host field. You're better off properly hardening sshd
>> itself.
>>
>> White list in hosts.allow client ips/domains you will be connecting
>> from and block all others if at all possible.
>> Set your sshd_config to:
>> Never ever allow root login. Ever.
>> Whitelist explicitly what users/groups can connect on ssh.
>> Disable password-based auth and use keys, protect the heck out of your
>> private key.
>>
>> -Jill
>>
>>
>> On 2014-10-15 17:10, Stephen M wrote:
>>
>>> I am trying to learn about ssh and remoting into a computer from out of
>>> my
>>> house. I have all the ability to do this but I want to make sure my
>>> desktop is secured. I will basically be either using resources on my
>>> desktop or backing up files to my laptop.
>>>
>>> From what I have read. denyhosts and fail2ban are the same, the only
>>> difference is fail2ban requires more maintenance and has more options.
>>> If
>>> I am just trying to turn my desktop into a file server whats the best
>>> option here?
>>>
>>> --
>>> Stephen Melheim
>>> 602-400-7707
>>> SMelheim85@gmail.com
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
(text/plain)