
I have this content in hosts.deny (with a new line at the end):

#
# hosts.deny    This file describes the names of the hosts which are
#       *not* allowed to use the local INET services, as decided
#       by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

sshd : ALL

And this in hosts.allow:

#
# hosts.allow   This file describes the names of the hosts which are
#       allowed to use the local INET services, as decided
#       by the '/usr/sbin/tcpd' server.
#

sshd: our.ip.add.ress: allow

Then, we executed this piece of code to restart SSH:

/etc/init.d/sshd restart

And again, there is a new line at the end. But we can still reach the SSH service from another server and attempt to log in. What are we doing wrong?

RainyRat
Kevin

3 Answers


In your /etc/hosts.deny, I think you have a syntax error. There shouldn't be a space between "sshd" and the colon. So, it should read:

sshd: ALL

On the "allow" side, I have lines like:

sshd: 192.168.1.1

There's no trailing text after the IP address.

cjc
  • I thought this at first, but the `hosts_access(5)` man page gives an example of `daemon_list : client_list [ : shell_command ]`. – James O'Gorman Dec 31 '11 at 12:04
  • Hmm. Yes, I see that. Interestingly, when they give actual examples, they don't have the space between the daemon and the colon. – cjc Dec 31 '11 at 12:07

You don't need the : allow in hosts.allow. It should just look like this:

sshd: 192.168.2.200

If you have console access you can try blocking everything that uses tcpwrappers in case it's an issue with the service name:

hosts.deny:

ALL: ALL

hosts.allow:

ALL: 192.168.2.200
James O'Gorman
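As an added example (not from the question or any of the answers), here is a small Python model of the hosts_access(5) decision order that the answers above rely on: hosts.allow is consulted first and a match grants access, then hosts.deny is consulted and a match denies, and a client matched by neither file is allowed. It assumes a simplified client syntax (ALL, an exact address, or a trailing-dot network prefix such as 192.168.2.), ignores EXCEPT lists and anything after the second colon, and the file contents are constructed to mirror the question.

```python
"""Model the tcp_wrappers allow/deny decision for a daemon and a client address."""
import re
from typing import List, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon_list, client_list)

# Constructed sample contents mirroring the question: the space before the
# colon in hosts.deny and the trailing ": allow" are both kept on purpose.
HOSTS_DENY = "# deny everything else for sshd\nsshd : ALL\n"
HOSTS_ALLOW = "sshd: 192.168.2.200: allow\n"


def parse_rules(text: str) -> List[Rule]:
    """Turn file contents into (daemons, clients) pairs, skipping comments and blanks."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        # Third and later fields (shell command / option) are ignored in this model.
        daemons = re.split(r"[\s,]+", fields[0])
        clients = re.split(r"[\s,]+", fields[1])
        rules.append((daemons, clients))
    return rules


def _matches(pattern: str, value: str) -> bool:
    """ALL matches anything; a trailing dot means a network prefix; else exact."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value


def rule_matches(rule: Rule, daemon: str, client: str) -> bool:
    daemons, clients = rule
    return any(_matches(d, daemon) for d in daemons) and any(
        _matches(c, client) for c in clients
    )


def access_allowed(allow_text: str, deny_text: str, daemon: str, client: str) -> bool:
    """hosts.allow first (match -> allow), then hosts.deny (match -> deny), else allow."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return False
    return True
```

This only tells you what a rule pair should do; whether sshd consults the files at all still depends on it being linked against libwrap, as the next answer points out.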

Is it worth checking to see that support for tcp-wrappers was actually compiled into the sshd you're using?

It needs to have been compiled with either the --with-libwrap or the --with-tcp-wrappers option, according to the O'Reilly Snail book.

(I'm not certain if most distros enable this by default, or what the default compile-time option is for OpenSSH.)

I checked mine just now by doing:

ldd /usr/sbin/sshd | egrep 'wrap'

which indicated

libwrap.so.0 => /lib64/libwrap.so.0 (0x00002ba50fa9c000)

(h/t to this Stack Exchange question)

sapeurfaire