- 09-27-2006 #1 (Just Joined!; Join Date: Mar 2006; Posts: 82)
hosts.allow and hosts.deny help
My FC5 box keeps getting hammered by what I assume is a dictionary attack.
Here is part of my secure log:
Code:
--------------------- SSHD Begin ------------------------
Failed logins from:
216.75.41.2 (otorongo.servidorauri01.com): 388 times
Illegal users from:
216.75.41.2 (otorongo.servidorauri01.com): 1169 times
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user bancadaanr : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dperez : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user susan : 1 time(s)
What I do each day is add the IP addresses from the "Failed logins" and "Unmatched Entries" sections to my hosts.deny (ALL: ip_address).
1. Is this the best way to do this?
2. Can you look at my hosts.allow and hosts.deny files and tell me if I have them set up correctly? What I want is to deny everyone the SSHD and FTP services and only allow my computer and domain to use them.
Below are my files:
hosts.allow
Code:
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL: laptop-it1
ALL: .mydomain.com
ALL: 10.9.5.43
hosts.deny
Code:
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL: 211.37.210.20
ALL: 210.64.111.3
ALL: 202.159.228.85
ALL: 210.21.24.13
ALL: 202.159.228.85
ALL: 221.224.3.78
ALL: .HINET.NET
ALL: 211.41.179.61
ALL: 217.21.126.22
ALL: 205.196.179.236
ALL: 211.137.44.113
ALL: 220.200.163.110
ALL: 211.33.40.5
ALL: 83.111.70.73
ALL: 210.192.102.22
ALL: 218.14.253.200
all: 64.219.97.248
ALL: SSHD
FTPD: ALL
ALL: 64.219.97.248
Thank you everyone.
- 09-30-2006 #2 (Just Joined!; Join Date: Nov 2004; Posts: 48)
I was looking into this as well. I would like to make a script/program that would automatically add IPs to hosts.deny after so many failed logins. In any case this article may help you out:
http://www.ssh.com/support/documenta...s_Support.html
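The kind of script the post above describes (count failed sshd logins per source address and emit hosts.deny entries once a threshold is passed), as an added example that is not from this thread or from DenyHosts. The log lines, the threshold and the hosts.deny excerpt are constructed; the whitelist assumes the hosts from the first poster's hosts.allow must never be denied.

```python
import re
from collections import Counter

# Two sshd messages in /var/log/secure that carry the client address.
# The pam_succeed_if lines from the thread do not, so they are not used.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample of /var/log/secure; 216.75.41.2 and 10.9.5.43 come from the thread.
SAMPLE_SECURE = """\
Sep 27 03:14:01 fc5 sshd[2231]: Invalid user bancadaanr from 216.75.41.2
Sep 27 03:14:03 fc5 sshd[2231]: Failed password for invalid user bancadaanr from 216.75.41.2 port 41022 ssh2
Sep 27 03:14:05 fc5 sshd[2233]: Invalid user dperez from 216.75.41.2
Sep 27 03:14:07 fc5 sshd[2233]: Failed password for invalid user dperez from 216.75.41.2 port 41030 ssh2
Sep 27 03:14:09 fc5 sshd[2235]: Failed password for root from 216.75.41.2 port 41041 ssh2
Sep 27 08:02:11 fc5 sshd[2402]: Failed password for bob from 10.9.5.43 port 50122 ssh2
Sep 27 08:02:14 fc5 sshd[2402]: Accepted password for bob from 10.9.5.43 port 50122 ssh2
Sep 27 09:30:00 fc5 sshd[2510]: Failed password for root from 192.0.2.10 port 3355 ssh2
"""

# Constructed hosts.deny excerpt, including a lowercase 'all:' line as in the poster's file.
SAMPLE_HOSTS_DENY = "# comment\nALL: 211.37.210.20\nall: 64.219.97.248\n"

def count_failures(lines):
    """Return Counter mapping source IP -> number of failed/invalid-user events."""
    hits = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def existing_denied(hosts_deny_text):
    """Collect clients already listed on 'ALL:' lines (case-insensitive) so we never add duplicates."""
    denied = set()
    for raw in hosts_deny_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            daemons, clients = line.split(":", 1)
            if daemons.strip().upper() == "ALL":
                denied.update(clients.split())
    return denied

def deny_entries(counts, threshold, whitelist=(), existing=()):
    """Return new 'ALL: ip' lines for addresses at/over threshold, skipping whitelisted and known ones."""
    return [f"ALL: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in whitelist and ip not in existing]

if __name__ == "__main__":
    counts = count_failures(SAMPLE_SECURE.splitlines())
    for entry in deny_entries(counts, 3, {"10.9.5.43"}, existing_denied(SAMPLE_HOSTS_DENY)):
        print(entry)  # lines to append to /etc/hosts.deny after review
```

Run against the real log with `count_failures(open("/var/log/secure"))` and the real file contents in place of SAMPLE_HOSTS_DENY; review the output before appending it.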
- 10-03-2006 #3 (Just Joined!; Join Date: Mar 2006; Posts: 82)
Thanks for the link. For now, I'm using the denyhosts package which has added several ssh attacks to the deny file. But yes, I want to find a way to make it add all the services for failed logins.
- 01-11-2007 #4 (Just Joined!; Join Date: Jan 2007; Posts: 1)
DenyHosts
Here's a handy little program named DenyHosts that will monitor your logs and add IP addresses, according to how you define the configuration, and adds the offending host/IP to /etc/hosts.deny automagically.
- 01-11-2007 #5
Quote:
What I want is to deny everyone the SSHD, FTP services and only allow my computer and domain to use them.
hosts.allow:
Code:
sshd : your.domain.here your.ip.here
hosts.deny:
Code:
sshd : ALL
- 01-11-2007 #6
Why bother?!?!
Hi guys!!
I don't wanna be rude, but why bother adding individual IP addresses to
hosts.deny anyway!!
Pretty much everything I've read about tcp wrappers says hosts.deny only has to contain ALL : ALL, i.e. deny everybody everything and then open holes with hosts.allow.
What advantage is there to adding individual addresses?
"I didn't know it was a picture of his wife! I thought it was a publicity shot from Planet Of the Apes."
- 01-11-2007 #7
Quote:
What advantage is there to adding individual addresses?
None. Plus it makes the file unwieldy.