[PLUG] denyhosts not blocking some ssh attempts

Quentin Hartman qhartman at gmail.com
Fri Jan 16 17:44:56 UTC 2009


On Tue, Jan 13, 2009 at 6:24 AM, Rich Shepard <rshepard at appl-ecosys.com> wrote:
>   Allowing only a limited number of user names to connect via ssh works for
> us because there are fewer than a handful of names.

(bit of an aside here...)
If all your legitimate users are allowed to SSH in, what's the point
of specifically allowing users? All other names will be invalid and
login will fail regardless of whether or not they are allowed. If you
create users that have valid shells configured for ftp access or
whatever else, then it becomes something to worry about. I've seen a
lot of people set up SSH allowed-users lists for no good reason. One
good reason would be to allow root to log in, but only from certain
IPs. So adding "root@10.0.0.1". Another good thing to do with this if
you need remote root access is to set "allowrootlogin =
without-password". That somewhat unintuitively makes it so that root
can log in only with authentication mechanisms _other than_ password,
i.e., public keys. The net result of those two settings makes it so
that root can only log in using a key file from a certain IP. Very
useful, and still secure enough for most purposes.

> For my edification, is
> it impractical to maintain /etc/hosts.allow when there are many users on the
> network?

The number of users doesn't matter so much as the number of IPs they
will be coming from. If you have a known subset of IPs from which all
legitimate access will originate, hosts.allow with an implicit deny
makes sense. If not, it's likely to become a management headache. Or
an "I'm at the pub and they have wifi and my laptop is in the car, but
I can't log in and fix this random problem that I just got paged on
here because of my implicit deny rule so I have to go home/to the
office to fix it anyway and now my Friday night is totally disrupted
because I didn't really think that through." sort of headache. :D

>   Second question that comes from this discussion is the relative advantages
> of hosts.allow and hosts.deny. It would be nice to have someone clarify the
> differences for me.

In a nutshell, IPs in .deny are not allowed to connect, IPs in .allow
are. That is grossly oversimplified though.

The googley-bear has a ton of info on this, as do the man pages. Do a
search for "hosts.deny hosts.allow" and you'll come up with lots of
interesting stuff. A "man hosts.deny" or "man hosts.allow" gives
useful stuff too.


-QH-
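As an added illustration, not part of the original post, here is what the two sshd settings described above look like alongside a hosts.allow/hosts.deny pair with an implicit deny. The user names, addresses and subnet are made up; PasswordAuthentication no is an extra hardening line beyond what the post mentions.

```text
# /etc/ssh/sshd_config (fragment) -- constructed example, hypothetical users/hosts
# Only these accounts may authenticate at all; root only from the management host.
AllowUsers alice bob root@10.0.0.1
# root may authenticate only with non-password methods (i.e. public keys).
# OpenSSH 7.0 renamed this value "prohibit-password"; "without-password" is still accepted.
PermitRootLogin without-password
# Once keys are deployed, turn off password authentication for everyone.
PasswordAuthentication no

# /etc/hosts.allow -- "sshd" is the daemon name libwrap looks up
sshd: 10.0.0.1, 192.168.10.0/255.255.255.0

# /etc/hosts.deny -- implicit deny for everything not matched above
# (DenyHosts appends its own "sshd: <address>" lines to this file.)
ALL: ALL
```

hosts.allow is consulted before hosts.deny, so an address matched there is accepted despite the ALL: ALL rule; confirm your sshd is actually built against libwrap (`ldd $(command -v sshd) | grep libwrap`), because OpenSSH dropped TCP Wrappers support in 6.7 and a sshd without it silently ignores both files.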