HOWTO Setup Deny Hosts: Difference between revisions
Revision as of 04:10, 16 April 2008

hostname ~ # emerge -pv net-misc/openssh
[ebuild   R ] net-misc/openssh-x.x  USE="tcpd"
  • There will be more USE flags listed in addition to tcpd, but it is the only flag needed for this setup.

emerge -vp openssh
[ebuild   R ] net-misc/openssh-4.7_p1-r1  USE="pam tcpd

emerge -vp denyhosts

rc-update add denyhosts default

vi /etc/denyhosts.conf

Set (or uncomment) the following in /etc/denyhosts.conf:

PURGE_DENY = 2h
PURGE_THRESHOLD = 3
BLOCK_SERVICE = ALL
DENY_THRESHOLD_ROOT = 4
SYSLOG_REPORT = YES
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3

Comment out the existing BLOCK_SERVICE = sshd line, so that BLOCK_SERVICE = ALL is the setting in effect.

/etc/init.d/denyhosts start
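The denyhosts.conf edits above are easy to get wrong by hand: a key left both commented and active, or the stock BLOCK_SERVICE = sshd line still in force beside BLOCK_SERVICE = ALL. The Python below is an added example, not part of this HOWTO and not DenyHosts' own code. It applies the settings listed above to a constructed excerpt of a denyhosts.conf, comments out any active line that conflicts (the "comment out BLOCK_SERVICE = sshd" step), replaces commented placeholders, appends keys that never appeared, and leaves an already-correct file unchanged, so the result can be reviewed before it is written to /etc. The sample file contents and the comment marker it adds are assumptions of this example.

```python
"""Apply the HOWTO's DenyHosts settings to a denyhosts.conf text (added example)."""
import re

# Constructed excerpt standing in for a stock /etc/denyhosts.conf; not the real file.
SAMPLE_CONF = """\
# DenyHosts configuration (constructed sample)
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE  = sshd
#PURGE_DENY =
DENY_THRESHOLD_ROOT = 1
#SYSLOG_REPORT=NO
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
"""

# The settings the HOWTO asks for, in the order it lists them.
WANTED = {
    "PURGE_DENY": "2h",
    "PURGE_THRESHOLD": "3",
    "BLOCK_SERVICE": "ALL",
    "DENY_THRESHOLD_ROOT": "4",
    "SYSLOG_REPORT": "YES",
    "SYNC_SERVER": "http://xmlrpc.denyhosts.net:9911",
    "SYNC_INTERVAL": "1h",
    "SYNC_UPLOAD": "yes",
    "SYNC_DOWNLOAD": "yes",
    "SYNC_DOWNLOAD_THRESHOLD": "3",
}

# Matches "KEY = value" and "#KEY = value"; group 1 is the comment marker, if any.
KEY_RE = re.compile(r"^\s*(#\s*)?([A-Z_]+)\s*=\s*(.*?)\s*$")


def apply_settings(conf_text, settings):
    """Return conf_text with every key in settings active exactly once.

    An active line with the wanted value is kept; an active line with another
    value is commented out and the wanted line placed right after it; a
    commented line is replaced unless a correct active line already exists;
    keys never seen are appended at the end.  Running it twice changes nothing.
    """
    lines = conf_text.splitlines()
    parsed = [KEY_RE.match(line) for line in lines]
    # Keys that already have an active line carrying the wanted value.
    already_ok = {m.group(2) for m in parsed
                  if m and not m.group(1) and m.group(3) == settings.get(m.group(2))}
    done, out = set(), []
    for line, m in zip(lines, parsed):
        key = m.group(2) if m else None
        if key not in settings:
            out.append(line)
            continue
        commented, value = bool(m.group(1)), m.group(3)
        if key in done or (commented and key in already_ok):
            # A later duplicate, or a comment beside an already-correct line:
            # keep it, but never leave a second active copy behind.
            out.append(line if commented else "# " + line)
            continue
        if not commented and value != settings[key]:
            out.append("# " + line + "   # disabled by apply_settings")
        if commented or value != settings[key]:
            out.append(f"{key} = {settings[key]}")
        else:
            out.append(line)
        done.add(key)
    for key, value in settings.items():
        if key not in done:
            out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def active_settings(conf_text):
    """Uncommented KEY = value pairs, i.e. what DenyHosts would actually read."""
    result = {}
    for line in conf_text.splitlines():
        m = KEY_RE.match(line)
        if m and not m.group(1):
            result[m.group(2)] = m.group(3)
    return result


if __name__ == "__main__":
    print(apply_settings(SAMPLE_CONF, WANTED))
```

Run it against a copy of the real file (read it, pass the text to apply_settings, diff the result) and only then write it back; active_settings on the output is the quick check that exactly one BLOCK_SERVICE line is live and that it says ALL.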



Purpose

TCPWrappers can effectively control access to services which have tcpwrapper support compiled in. The controlling daemon is tcpd, which is automatically pulled in whenever the tcpd USE flag is enabled (Gentoo Linux).

Setup

In this example, we'll use the SSH (Secure Shell) daemon, because it's one of the first services we want to have secured.

First, verify that SSH has tcpwrapper support (tcpd flag indicates it does, in this example):

hostname ~ # emerge -pv net-misc/openssh
[ebuild   R    ] net-misc/openssh-4.3_p2-r5  USE="ipv6 ldap pam tcpd -X -X509 -chroot -hpn -kerberos -libedit (-selinux) -sftplogging -skey -smartcard -static"

Configure

The goal with SSH and tcpwrappers is to allow anyone within the SFU IP-address range to have access to SSH, and deny everyone else. We'll do this by editing the /etc/hosts.deny file. The file won't initially exist, but once created it is in effect: there is no need to restart the sshd daemon, because hosts.deny is consulted on each connection attempt and is therefore in effect immediately after saving. Here's an example:

# /etc/hosts.deny    This file describes the names of the hosts which are
#                    *not* allowed to use the specified services, as decided
#                    by the '/usr/sbin/tcpd' server.
# Author:  Gordon Pritchard <gordonp@sfu.c
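The hosts.deny excerpt above stops at its header, and the part people get wrong is the evaluation order: hosts.allow is consulted first and its first match grants access, then hosts.deny is consulted and its first match refuses it, and a connection that matches neither file is allowed. The Python below is an added example, not part of this page and not tcp_wrappers' own code: a small evaluator for IPv4 tcpd access lists (ALL, exact address, dotted prefix, net/mask, CIDR and the EXCEPT operator) run against two constructed files. 192.0.2.0/24 is a placeholder for the SFU address range, which this page does not state, and the jump-host address in hosts.allow is likewise made up. The ALL: line in the sample hosts.deny has the shape DenyHosts appends when BLOCK_SERVICE = ALL. On a real host, tcpdmatch(8) from tcp_wrappers answers the same question against the real files.

```python
"""Minimal evaluator for tcpd hosts.allow / hosts.deny decisions (added example, IPv4 only)."""
import ipaddress

# Constructed /etc/hosts.deny: allow only the placeholder campus range to sshd,
# plus one address DenyHosts has banned for every service.
HOSTS_DENY = """\
# /etc/hosts.deny (constructed sample; 192.0.2.0/24 stands in for the campus range)
sshd: ALL EXCEPT 192.0.2.0/255.255.255.0
# Entries of this form are what DenyHosts appends with BLOCK_SERVICE = ALL:
ALL: 203.0.113.50
"""

# Constructed /etc/hosts.allow: one jump host outside the range (hypothetical address).
HOSTS_ALLOW = """\
# /etc/hosts.allow (constructed sample)
sshd: 198.51.100.7
"""


def _match_client(pattern, client_ip):
    """One client pattern: ALL, exact IP, dotted prefix '192.0.2.', net/mask or CIDR."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        # tcpd's n.n.n.n/m.m.m.m form; ip_network also accepts a prefix length.
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return pattern == client_ip


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_list(list_str, value, match_one):
    """A tcpd access list, honouring the right-associative EXCEPT operator."""
    tokens = list_str.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(" ".join(tokens[:i]), value, match_one)
                and not _match_list(" ".join(tokens[i + 1:]), value, match_one))
    return any(match_one(t, value) for t in tokens)


def parse_rules(text):
    """Return (daemon_list, client_list, options) tuples; comments, blanks skipped."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):            # backslash line continuation
            pending += line[:-1] + " "
            continue
        fields = (pending + line).split(":")
        pending = ""
        if len(fields) >= 2:
            rules.append((fields[0].strip(), fields[1].strip(),
                          [f.strip() for f in fields[2:]]))
    return rules


def access_decision(hosts_allow, hosts_deny, daemon, client_ip):
    """Decide as tcpd does: first match in hosts.allow grants, then first match
    in hosts.deny refuses, otherwise access is granted.  An explicit 'allow' or
    'deny' option on the matching rule overrides the file it sits in."""
    for verdict, text in (("allow", hosts_allow), ("deny", hosts_deny)):
        for rule in parse_rules(text):
            daemons, clients, options = rule
            if (_match_list(daemons, daemon, _match_daemon)
                    and _match_list(clients, client_ip, _match_client)):
                if "deny" in options:
                    return "deny", rule
                if "allow" in options:
                    return "allow", rule
                return verdict, rule
    return "allow", None


if __name__ == "__main__":
    for daemon, ip in (("sshd", "192.0.2.40"), ("sshd", "203.0.113.9"),
                       ("sshd", "198.51.100.7"), ("in.ftpd", "203.0.113.9"),
                       ("in.ftpd", "203.0.113.50")):
        verdict, rule = access_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, ip)
        print(f"{daemon:8} from {ip:14} -> {verdict:5} {rule or '(no rule matched)'}")
```

The in.ftpd cases are the ones worth noticing: a hosts.deny that only names sshd leaves every other wrapped service open to the whole Internet, whereas the ALL: line DenyHosts writes closes all of them for that address. That difference is exactly why the HOWTO sets BLOCK_SERVICE = ALL.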