stopping ssh connections from a certain IP range ?
Grizzled Veteran
Join Date: Sep 2000
Location: Adelaide, Australia
Hi
How can I stop ssh connections from a certain IP range? A quick google suggests using commands like AllowHosts and DenyHosts in my /etc/sshd_config. But they don't seem to work. If I put them in, ssh stops connecting at all, and inspection of /var/log/system.log indicates that I have a bad configuration option:
sshd[3236]: error: /etc/sshd_config: line 98: Bad configuration option: AllowHosts
Looking in man sshd_config, there is no entry for AllowHosts.
AllowUsers and DenyUsers work, as in
sshd[3105]: User root not allowed because listed in DenyUsers
Thanks - Michael
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Originally posted by mmurray:
Hi
How can I stop ssh connections from a certain IP range? A quick google suggests using commands like AllowHosts and DenyHosts in my /etc/sshd_config. But they don't seem to work. If I put them in, ssh stops connecting at all, and inspection of /var/log/system.log indicates that I have a bad configuration option:
sshd[3236]: error: /etc/sshd_config: line 98: Bad configuration option: AllowHosts
Looking in man sshd_config, there is no entry for AllowHosts.
I'm guessing that your research was referring to something called TCP wrappers; these are implemented through /etc/hosts.allow and /etc/hosts.deny. I'm no good with subnetting and ranges of IPs, but you can enter a line like this in your deny file to deny hosts from 123.456.x.x for just SSH:
Code:
taco:~ root# cat /etc/hosts.deny
sshd: 123.456.
Services compiled against TCP Wrappers check these files before allowing or denying service to incoming (or outgoing) hosts. Then you'd see an entry in your system's log like this (from my Linux server):
Code:
Mar 23 11:51:06 taco xinetd[19769]: libwrap refused connection to ssh (libwrap=sshd) from 123.456.111.111
The service denying the connection is actually xinetd in this case, because it is the "super server" that handles connections for the ssh daemon, handing the connection off once it's ready to go (and if it's a legit host).
There's a little more about TCP wrappers here [about.com]
Maybe someone else can help you with a more advanced deny command...
(Last edited by [APi]TheMan; Mar 23, 2005 at 02:08 PM.)
"In Nomine Patris, Et Fili, Et Spiritus Sancti"
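The hosts.allow / hosts.deny evaluation described above, as an added example that is not part of the original post: a small model of how a libwrap-aware daemon decides access, covering the `123.456.` leading-octets prefix form from the post plus the `ALL` keyword, exact addresses, and `net/netmask` ranges from hosts_access(5). The sample files are constructed for the example; real libwrap also handles hostnames, `EXCEPT` lists and `LOCAL`, which this model leaves out.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed sample files, not from any real host. hosts.allow is consulted
# first, then hosts.deny; a client matching neither file is allowed.
HOSTS_ALLOW = """
sshd: 10.0.0.5
"""
HOSTS_DENY = """
# deny all of 10.x.x.x and one /24 for ssh only; one address for everything
sshd: 10.
sshd: 192.168.1.0/255.255.255.0
ALL: 203.0.113.7
"""


def _parse(text: str) -> Iterable[Tuple[str, str]]:
    """Yield (daemon, client_pattern) pairs from a hosts.allow/deny style file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        for d in daemons.split(","):
            for c in clients.split(","):
                yield d.strip(), c.strip()


def _client_matches(pattern: str, ip: str) -> bool:
    """Subset of hosts_access(5) client patterns: ALL, 'a.b.' prefix, net/mask, exact."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # "123.456." style: match on the leading octets
        return ip.startswith(pattern)
    if "/" in pattern:  # dotted-netmask form, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ip == pattern


def _file_matches(text: str, daemon: str, ip: str) -> bool:
    return any((d == "ALL" or d == daemon) and _client_matches(c, ip) for d, c in _parse(text))


def access_allowed(daemon: str, ip: str, allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """Return True if libwrap-style evaluation would let `ip` reach `daemon`."""
    if _file_matches(allow, daemon, ip):
        return True  # allow file wins even if deny would also match
    if _file_matches(deny, daemon, ip):
        return False
    return True  # default: access granted
```

Note the ordering: a host listed in hosts.allow is admitted even when hosts.deny also covers it, which is why a broad `sshd: 10.` deny line can coexist with a single allowed management address.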
Grizzled Veteran
Join Date: Sep 2000
Location: Adelaide, Australia
Thanks [APi]TheMan. I also discovered in man sshd_config that you can put IPs in the DenyUsers and AllowUsers. By using wildcards like
DenyUsers *@fred.com
you can block anyone from fred.com (I think!)
Michael
Senior User
Join Date: Sep 2002
Location: Canastota, New York
I run an OpenBSD server that was barraged with hundreds of ssh login attempts.
Once I switched the SSH port from 22 to something else, the number of attempted logins dropped to ZERO.
It won't keep someone from port scanning you to find out what ports ARE open, but most of the automated hack-in attempts I've had directed against me just assume port 22.
I guess port scanning every single IP address on the internet just takes too damn long.
Grizzled Veteran
Join Date: Sep 2000
Location: Adelaide, Australia
Originally posted by galarneau:
I run an OpenBSD server that was barraged with hundreds of ssh login attempts.
Once I switched the SSH port from 22 to something else, the number of attempted logins dropped to ZERO.
It won't keep someone from port scanning you to find out what ports ARE open, but most of the automated hack-in attempts I've had directed against me just assume port 22.
I guess port scanning every single IP address on the internet just takes too damn long.
Good thought - is there a sensible range to choose from?
Thanks -Michael
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Originally posted by mmurray:
Good thought - is there a sensible range to choose from?
Thanks -Michael
Range of ports? As long as you pick something that isn't already being used by another service on your system, you could pick any port from 1 - 65 536.
Also, on my servers I've installed portsentry [sourceforge.net], it basically opens several ports on the server so that people will THINK something is running, and try to exploit it. Portsentry is nice for detecting malicious traffic, ie, I have it listening on several runs of sequential IPs (to detect sweeping portscans) as well as known ports for trojans, rootkits, virii, etc. Once it detects connection attempts it will begin logging for that host, and after a specified amount of attempts it will add the host to the system's /etc/hosts.deny and optionally run a firewall rule to drop packets from that host.
My theory is that my servers run certain services for users, and any attempt to connect to a port other than the port offered by a running service will be deemed malicious. 
"In Nomine Patris, Et Fili, Et Spiritus Sancti"
Senior User
Join Date: Sep 2002
Location: Canastota, New York
Originally posted by mmurray:
Good thought - is there a sensible range to choose from?
Thanks -Michael
For a variety of reasons, I use port 443, but you can pick just about any port up to 65535. I think the lower number ports (<1024) are deemed as privileged ports, and thus require root access.
I use 443 because the hospital I work at only allows data out via port 80 or 443, and since 443 is for SSL, my SSH connections out to my server are thus able to get through the filtering proxy server.
As an aside, I used to live in Adelaide... graduated with a degree in Medicine from Flinders Uni. Sometimes I miss the relaxed and slow lifestyle down under. Don't miss the higher Apple hardware prices, though.