fail2ban VS. denyhost

JD Austin jd at twingeckos.com
Wed Oct 15 14:50:26 MST 2014


From what I remember, hosts.allow and hosts.deny only work with services
that use TCP Wrappers.
You can use the ldd command to determine if libwrap is compiled into a
daemon:
sudo ldd /usr/sbin/sshd | grep wrap

For me ssh has libwrap compiled in, so I could use either iptables or
/etc/hosts.deny to block access.

-- JD Austin
Voice: 480.269.4335 (480 2MY Geek)
jd at twingeckos.com


On Wed, Oct 15, 2014 at 2:05 PM, <techlists at phpcoderusa.com> wrote:

>
>
> I use iptables to protect ssh.  Should I be using hosts.allow instead?  How
> does hosts.allow differ from using iptables to deny all IPs to a specific
> port except for the IPs you want to give access?
>
> Keith
>
>
>
> On 2014-10-15 15:52, jill wrote:
>
>> I would point out that fail2ban is a script that scours auth.log (as
>> root) for failed authentications, parses out the source host field,
>> then runs iptables (as root) to add rules for that host.  Especially
>> in light of things like shell shock, think what an attacker could do
>> with a crafted packet that caused that log line to include malicious
>> commands in the host field.  You're better off properly hardening sshd
>> itself.
>>
>> Whitelist in hosts.allow the client IPs/domains you will be connecting
>> from and block all others if at all possible.
>> Set your sshd_config to:
>> Never ever allow root login.  Ever.
>> Whitelist explicitly what users/groups can connect on ssh.
>> Disable password-based auth and use keys, protect the heck out of your
>> private key.
>>
>> -Jill
>>
>>
>> On 2014-10-15 17:10, Stephen M wrote:
>>
>>> I am trying to learn about ssh and remoting into a computer from out of
>>> my
>>> house.  I have all the ability to do this but I want to make sure my
>>> desktop is secured.  I will basically be either using resources on my
>>> desktop or backing up files to my laptop.
>>>
>>> From what I have read, denyhosts and fail2ban are the same; the only
>>> difference is fail2ban requires more maintenance and has more options.
>>> If I am just trying to turn my desktop into a file server, what's the best
>>> option here?
>>>
>>> --
>>> Stephen Melheim
>>> 602-400-7707
>>> SMelheim85 at gmail.com
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
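An added shell check, not code from any of the replies above, that tests the three points raised in the thread: JD's ldd test for libwrap, Jill's sshd_config hardening items, and whether hosts.deny blocks everything not whitelisted. The file paths and the `--run` flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the items the replies
# recommend. Paths and the --run flag are assumptions for illustration.

# JD's check: does a daemon link against libwrap (TCP Wrappers)?
# Returns 0 if linked, 1 if not, 2 if the binary is missing.
has_libwrap() {
    bin="$1"
    [ -x "$bin" ] || { echo "skip: $bin not found"; return 2; }
    if ldd "$bin" 2>/dev/null | grep -q 'libwrap'; then
        echo "$bin: libwrap linked (hosts.allow/hosts.deny apply)"; return 0
    fi
    echo "$bin: no libwrap (use iptables instead)"; return 1
}

# First effective value of a keyword in an sshd_config file: sshd takes the
# first match; comment lines never match. "Key=value" syntax is not handled.
sshd_option() {
    awk -v k="$2" 'tolower($1)==tolower(k) { print $2; exit }' "$1"
}

# Jill's hardening list: no root login, explicit user/group whitelist,
# no password auth. Returns the number of failed checks (0 = all good).
audit_sshd_config() {
    cfg="$1"; fails=0
    [ "$(sshd_option "$cfg" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin must be no"; fails=$((fails + 1)); }
    [ "$(sshd_option "$cfg" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication must be no"; fails=$((fails + 1)); }
    [ -n "$(sshd_option "$cfg" AllowUsers)$(sshd_option "$cfg" AllowGroups)" ] ||
        { echo "FAIL: no AllowUsers/AllowGroups whitelist"; fails=$((fails + 1)); }
    echo "$cfg: $fails problem(s)"
    return "$fails"
}

# Jill's "block all others": is hosts.deny deny-by-default for sshd?
# Returns 0 when it contains "ALL: ALL" or "sshd: ALL" (comments ignored).
tcpwrap_default_deny() {
    grep -Eiq '^[[:space:]]*(ALL|sshd)[[:space:]]*:[[:space:]]*ALL' "$1"
}

# Stand-alone run against the live system (needs read access to the files).
if [ "${1:-}" = "--run" ]; then
    has_libwrap /usr/sbin/sshd
    audit_sshd_config /etc/ssh/sshd_config
    tcpwrap_default_deny /etc/hosts.deny && echo "hosts.deny: deny-by-default" \
        || echo "hosts.deny: NOT deny-by-default"
fi
```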