[HOWTO] tcp wrappers


tomp
02-22-2005, 06:55 PM
A quick tutorial on how to configure tcp wrapper for SSH on your VDS or dedicated server. More detailed information can be obtained by looking at the man pages - 'man hosts.allow' - 'man hosts.deny'.

In a nutshell tcp wrapper can be used to control access to your server via SSH (and other daemons). It can be used in combination with a local firewall (iptables, ipchains, ipfw) or standalone.

From the man page -

The access control software consults two files. The search stops at the first match:
· Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.
· Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.
· Otherwise, access will be granted.


A very simplistic tcp wrapper implementation:

# Control access to SSH

vi /etc/hosts.allow

# Allow me access from home on IP 192.168.1.1
SSHD: 192.168.1.1

# Allow me access from work on IP 10.0.1.0/24
SSHD: 10.0.1.

vi /etc/hosts.deny

# Deny all other SSH attempts

SSHD: ALL

In the above example you will be able to connect via SSH from the IP address 192.168.1.1 and the netblock 10.0.1.0/24 (which includes IP address 10.0.1.1 through 10.0.1.254).


To verify that tcp wrapper is working, attempt to connect from an IP address that is not listed in /etc/hosts.allow. You should see something similar to this in your logs (/var/log/secure):

Feb 20 08:05:46 server sshd[8273]: refused connect from 218.236.84.82 (218.236.84.82)

Above, you see the date, time, hostname, process (sshd), process id (8273) and the IP address where the person was attempting to connect from.
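As an added example (not part of the original post and not the tcp_wrappers source), the script below models the first-match decision described in the man page quote above, using the tutorial's own hosts.allow/hosts.deny contents, and parses the refusal line from /var/log/secure into its fields. It supports only the pattern forms the post uses (ALL, an exact IPv4 address, a trailing-dot prefix such as "10.0.1.") plus the net/mask form from hosts_access(5); the sample files are constructed.

```python
# Simplified model of the hosts.allow / hosts.deny decision. Added example,
# not the tcp_wrappers code; only a subset of hosts_access(5) syntax is handled.
import re
import ipaddress

# Constructed sample files mirroring the tutorial's configuration.
HOSTS_ALLOW = """\
# Allow me access from home on IP 192.168.1.1
SSHD: 192.168.1.1
# Allow me access from work on netblock 10.0.1.0/24
SSHD: 10.0.1.
"""
HOSTS_DENY = "# Deny all other SSH attempts\nSSHD: ALL\n"

def parse_rules(text):
    """Return (daemons, clients) pairs; lines starting with '#' are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip().lower() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip):
    """Match one client pattern against an IPv4 address string."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):      # trailing dot: network prefix match
        return ip.startswith(pattern)
    if "/" in pattern:             # n.n.n.n/m.m.m.m form from hosts_access(5)
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ip == pattern

def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """First match wins: hosts.allow grants, then hosts.deny refuses, else grant."""
    for text, granted in ((allow, True), (deny, False)):
        for daemons, clients in parse_rules(text):
            if daemon.lower() in daemons and any(client_matches(c, ip) for c in clients):
                return granted
    return True

LOG_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) (\w+)\[(\d+)\]: refused connect from (\S+)")
def parse_refusal(line):
    """Split a /var/log/secure refusal line into its fields, or None if it is not one."""
    m = LOG_RE.match(line)
    return None if m is None else dict(zip(("time", "host", "proc", "pid", "src"), m.groups()))
```

Running hosts_access("sshd", "10.0.2.5") returns False because only the hosts.deny entry matches, while a daemon with no rules in either file is granted access by default.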

tcp wrapper is an excellent way to enhance security on your VDS or dedicated server and is not limited to just SSH.

Tom