  1. #1
    Just Joined!
    Join Date
    Mar 2006
    Posts
    82

    hosts.allow and hosts.deny help


    My FC5 box keeps getting hammered by what I assume is a dictionary attack.

    Here is part of my secure log:

    --------------------- SSHD Begin ------------------------

    Failed logins from:
    216.75.41.2 (otorongo.servidorauri01.com): 388 times

    Illegal users from:
    216.75.41.2 (otorongo.servidorauri01.com): 1169 times

    **Unmatched Entries**
    pam_succeed_if(sshd:auth): error retrieving information about user bancadaanr : 1 time(s)
    pam_succeed_if(sshd:auth): error retrieving information about user dperez : 1 time(s)
    pam_succeed_if(sshd:auth): error retrieving information about user susan : 1 time(s)

    What I do each day is add the IP addresses from the "Failed logins" and "Unmatched Entries" into my hosts.deny (ALL: ip_address).

    1. Is this the best way to do this?
    2. Can you look at my hosts.allow and hosts.deny files and tell me if I have them set up correctly? What I want is to deny everyone the SSHD, FTP services and only allow my computer and domain to use them.



    Below are my files:
    hosts.allow

    # hosts.allow This file describes the names of the hosts which are
    # allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    ALL: laptop-it1
    ALL: .mydomain.com
    ALL: 10.9.5.43



    hosts.deny

    #
    # hosts.deny This file describes the names of the hosts which are
    # *not* allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow. In particular
    # you should know that NFS uses portmap!
    ALL: 211.37.210.20
    ALL: 210.64.111.3
    ALL: 202.159.228.85
    ALL: 210.21.24.13
    ALL: 202.159.228.85
    ALL: 221.224.3.78
    ALL: .HINET.NET
    ALL: 211.41.179.61
    ALL: 217.21.126.22
    ALL: 205.196.179.236
    ALL: 211.137.44.113
    ALL: 220.200.163.110
    ALL: 211.33.40.5
    ALL: 83.111.70.73
    ALL: 210.192.102.22
    ALL: 218.14.253.200
    all: 64.219.97.248
    ALL: SSHD
    FTPD: ALL
    ALL: 64.219.97.248

    Thank you everyone.

  2. #2
    Just Joined!
    Join Date
    Nov 2004
    Posts
    48
    I was looking into this as well. I would like to make a script/program that would automatically add IPs to hosts.deny after so many failed logins. In any case this article may help you out:

    http://www.ssh.com/support/documenta...s_Support.html
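The script idea in the post above, as an added example that is not part of the thread and not DenyHosts' code: it counts "Failed password" lines per source address in the OpenSSH `/var/log/secure` format, skips addresses below a threshold, addresses you never want to lock out (your own machine), and addresses already present in hosts.deny, and returns the `ALL: ip` lines to append. The log lines, the threshold and the `never_deny` list are constructed for the example.

```python
import re
from collections import Counter

# OpenSSH "Failed password" lines; "invalid user" appears when the account
# does not exist (the pam_succeed_if entries in the thread's log summary).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample of /var/log/secure lines (not the thread's real log).
SAMPLE_LOG = """\
Mar 10 03:12:41 fc5box sshd[2214]: Failed password for invalid user susan from 216.75.41.2 port 45112 ssh2
Mar 10 03:12:43 fc5box sshd[2216]: Failed password for invalid user dperez from 216.75.41.2 port 45120 ssh2
Mar 10 03:12:45 fc5box sshd[2218]: Failed password for root from 216.75.41.2 port 45131 ssh2
Mar 10 03:12:47 fc5box sshd[2220]: Failed password for invalid user admin from 216.75.41.2 port 45140 ssh2
Mar 10 03:12:49 fc5box sshd[2222]: Failed password for invalid user test from 216.75.41.2 port 45152 ssh2
Mar 10 08:01:02 fc5box sshd[2301]: Failed password for bob from 10.9.5.43 port 51000 ssh2
Mar 10 08:01:05 fc5box sshd[2303]: Accepted password for bob from 10.9.5.43 port 51000 ssh2
Mar 10 09:30:11 fc5box sshd[2350]: Failed password for invalid user oracle from 83.111.70.73 port 3344 ssh2
"""

def failed_logins_by_ip(log_text):
    """Count failed SSH password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def parse_hosts_deny(text):
    """Return the client patterns already denied for ALL services, so the
    same address is not appended twice (the posted file has duplicates)."""
    denied = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, _, clients = line.partition(":")
        if daemon.strip().upper() == "ALL":
            denied.update(clients.split())
    return denied

def new_deny_lines(log_text, existing_deny, threshold=5, never_deny=()):
    """Build the 'ALL: ip' lines that still need adding to hosts.deny."""
    counts = failed_logins_by_ip(log_text)
    already = parse_hosts_deny(existing_deny)
    lines = []
    for ip, n in sorted(counts.items()):
        if n < threshold or ip in never_deny or ip in already:
            continue
        lines.append(f"ALL: {ip}")
    return lines

if __name__ == "__main__":
    existing = "ALL: 83.111.70.73\n"          # pretend this is /etc/hosts.deny
    for line in new_deny_lines(SAMPLE_LOG, existing, threshold=5, never_deny=("10.9.5.43",)):
        print(line)
```

Run as root the output would be appended to /etc/hosts.deny; keeping your own address in `never_deny` matters because a single typo in your own password would otherwise lock you out of the box. A cron job that runs this once an hour is essentially what the DenyHosts package mentioned later in the thread automates, including the duplicate check.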

  3. #3
    Just Joined!
    Join Date
    Mar 2006
    Posts
    82
    Thanks for the link. For now, I'm using the denyhosts package which has added several ssh attacks to the deny file. But yes, I want to find a way to make it add all the services for failed logins.

  5. #4
    Just Joined!
    Join Date
    Jan 2007
    Posts
    1

    DenyHosts

    Here's a handy little program named DenyHosts that will monitor your logs and, according to how you define the configuration, add the offending host/IP to /etc/hosts.deny automagically.

  6. #5
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    What I want is to deny everyone the SSHD, FTP services and only allow my computer and domain to use them.
    hosts.allow:
    Code:
    sshd : your.domain.here your.ip.here
    hosts.deny:
    Code:
    sshd : ALL

  7. #6
    Linux Newbie the bassinvader's Avatar
    Join Date
    Jun 2006
    Location
    Europe
    Posts
    168

    why bother?!?!

    hi guys!!

    I don't wanna be rude, but why bother adding individual IP addresses to
    hosts.deny anyway!!

    Pretty much everything I've read about tcp wrappers says hosts.deny only has to contain ALL : ALL, i.e. deny everybody everything and then open holes with hosts.allow.

    what advantage is there to adding individual addresses?

    " I didn't know it was a picture of his wife! I thought it was a publicity shot from Planet Of the Apes."

  8. #7
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    what advantage is there to adding individual addresses?
    None. Plus it makes the file unwieldy.
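To make the two answers above concrete (anomie's `sshd : ALL` and the bassinvader's `ALL : ALL` in hosts.deny, with the holes opened in hosts.allow), here is an added example that is not from the thread and not tcp_wrappers' own code: a small Python model of the hosts_access(5) evaluation order, run against trimmed copies of the files the original poster showed. It handles only the common client patterns (ALL, exact host name, a `.domain` suffix, an exact IPv4 address, an `a.b.c.` prefix); LOCAL, KNOWN, UNKNOWN, PARANOID, EXCEPT, net/mask forms and shell commands are not modelled, and it assumes the daemon name sshd presents to tcp_wrappers is `sshd`. The model makes visible why the posted file does not do what the poster wants: `ALL: SSHD` puts the daemon name in the client field, so it only ever matches a client host literally named SSHD, and any address not listed explicitly still reaches sshd.

```python
"""Simplified model of how tcp_wrappers evaluates hosts.allow and hosts.deny.

Added example, not code from the thread or from tcp_wrappers itself.
"""

# Trimmed copies of the files posted in the thread.
OP_ALLOW = """\
ALL: laptop-it1
ALL: .mydomain.com
ALL: 10.9.5.43
"""

OP_DENY = """\
ALL: 211.37.210.20
ALL: .HINET.NET
ALL: SSHD
FTPD: ALL
"""

# The replies' approach: deny everything by default, open holes in hosts.allow.
DEFAULT_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) from a rules file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        if not sep:
            continue
        rules.append((daemons.split(), clients.split()))
    return rules

def daemon_matches(pattern, daemon):
    # tcp_wrappers compares tokens case-insensitively, so "all:" works too
    return pattern.upper() == "ALL" or pattern.lower() == daemon.lower()

def client_matches(pattern, ip, hostname):
    if pattern.upper() == "ALL":
        return True
    if pattern.startswith("."):          # ".example.com": host name suffix
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):            # "10.9.5.": address prefix
        return ip.startswith(pattern)
    if pattern == ip:                    # exact address
        return True
    return hostname is not None and pattern.lower() == hostname.lower()

def rule_matches(rule, daemon, ip, hostname):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, ip, hostname) for c in clients))

def access_granted(allow_text, deny_text, daemon, ip, hostname=None):
    """hosts_access(5): a match in hosts.allow grants, then a match in
    hosts.deny refuses, and a client matching neither file is let in."""
    if any(rule_matches(r, daemon, ip, hostname) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip, hostname) for r in parse_rules(deny_text)):
        return False
    return True

if __name__ == "__main__":
    attacker = "216.75.41.2"   # the address from the thread's secure log
    for label, deny in (("posted hosts.deny", OP_DENY), ("ALL: ALL", DEFAULT_DENY)):
        verdict = "allowed" if access_granted(OP_ALLOW, deny, "sshd", attacker) else "denied"
        print(f"{label}: sshd from {attacker} -> {verdict}")
```

With the posted hosts.deny the attacker's address is let through to sshd; with `ALL: ALL` it is refused while laptop-it1, 10.9.5.43 and anything under .mydomain.com still get in via hosts.allow. On a real box the same check is done against the actual files with `tcpdmatch sshd 216.75.41.2`, and `tcpdchk` reports rules whose client field holds something that can never match a host.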
