hosts.allow and ssh problem
Eric Schuele
e.schuele at computer.org
Fri May 19 19:58:26 PDT 2006
jekillen wrote:
> Hello all;
> I am trying to deny ftp access to my web site from out side. I have two
> nics on the server and access it from the inside network via one and
> serve to the public on the other.
> I tried to write a rule in hosts.allow to deny ftp connections to the
> public ip address which has worked. But a side effect is that I can now
> not connect from local machines via
> ssh. I reverted back to 'ALL : all ; allow' to confirm that that was in
> deed why ssh started refusing connections, as it now will accept
> connections. I even ssh'd to one machine
> and while in that shell, ssh'd to the server and got in to the server
> via another machine on the local network.
> I am concerned because I have had repeated attempts to login to the
> server over ftp from outside. I do all the development and posting from
> local
> network so there is no reason whatsoever for anyone from the out side to
> get ftp access to my site.
> How can I do this in hosts.allow?
> A few nights ago I noticed odd activity on the router (leds going
> bananas) so I did tcpdump on the server and saw a great deal of ftp
> activity that didn't look right, from
> foreign addresses. I shut the web server and the secondary dns server
> down while I dug through Absolute FreeBSD to get some direction.
> I can live with ssh refusing local connections but I don't think it
> should be that way.
> Thanks in advance;
> JK
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
Default to denying everything... and then add rules to allow the few you
would like to have access. Here is a snippet from my hosts.allow.
sshd : A.B.C.D : allow
sshd : SomeHostName : allow
sshd : D.E.F.0/255.255.255.0 : allow
sshd : H.I.J.0/255.255.255.0 : allow
sshd : ALL : deny
sendmail : localhost : allow
sendmail : ALL : deny
cupsd : localhost : allow
cupsd : ALL : deny
# ftpd does not have tcpwrappers :(
# must run via inetd context
ftpd : localhost : allow
ftpd : A.B.C.D : allow
ftpd : ALL : deny
# DENY DENY DENY
ALL : ALL : deny
replace alpha chars with appropriate ip addresses. See 'man hosts.allow'
Note that a firewall would be quite helpful as well. But that's another
post.
HTH,
--
Regards,
Eric
More information about the freebsd-questions
mailing list