
Thread: SSH hosts.allow

  1. #1


    Member Since
    Jan 15, 2010
    Posts
    8
    SSH hosts.allow
    Hey guys, I'm trying to figure out if there's a way that I can lock down SSH access into my iMac based on originating IP. In *nix you'd just edit the /etc/hosts.allow file with something like this:

    sshd : 192.168.1.0/255.255.255.0 : ALLOW

    But that doesn't seem to be working.

    I'm actually having a hard time finding information on this so forgive me if this is a common question that I'm just not finding the answer to. If that's the case, can you point me to the documentation/thread/guide?

    Thanks in advance!

  2. #2

    Member Since
    Oct 19, 2008
    Location
    Toronto
    Posts
    19,782
    Specs:
    2012 13" MBP (2.5 i5, 8GB)
    Have you tried restarting SSH? You can do that through the Sharing pref pane.

  3. #3


    Member Since
    Jan 15, 2010
    Posts
    8
    Quote Originally Posted by vansmith View Post
    Have you tried restarting SSH? You can do that through the Sharing pref pane.
    Hey, thanks for the reply.

    I just tried restarting it to have the changes take effect: no dice.

    I also tried a few different versions of the hosts.allow line (not all at once, one at a time):

    sshd : 192.168.1.0/255.255.255.0 : ALLOW
    sshd : 192.168.1.0/255.255.255.0
    ssh : 192.168.1.0/255.255.255.0 : ALLOW
    ssh : 192.168.1.0/255.255.255.0

  4. #4

    Member Since
    Oct 19, 2008
    Location
    Toronto
    Posts
    19,782
    Specs:
    2012 13" MBP (2.5 i5, 8GB)
    You don't have a hosts.deny do you?

    Try this:
    1. Setup a hosts.deny to see if that works (if it does, we know ssh is picking it up).
    2. Try removing the subnet mask from the host section of your hosts.allow rule.

    Also, something I just noticed now: why is the IP 192.168.1.0? That looks like it could be a router address.

  5. #5

    Member Since
    Jul 02, 2007
    Location
    Going Galt...
    Posts
    3,451
    Specs:
    MacBookAir5,2:10.9.5-MacMini3,1:10.9.5-iPhone6,1:8.4.1
    Subscribed out of curiosity. I usually use id_rsa and authorized_keys files. This will be educational for me. Good post!

  6. #6


    Member Since
    Jan 15, 2010
    Posts
    8
    Quote Originally Posted by vansmith View Post
    You don't have a hosts.deny do you?

    Try this:
    1. Setup a hosts.deny to see if that works (if it does, we know ssh is picking it up).
    2. Try removing the subnet mask from the host section of your hosts.allow rule.

    Also, something I just noticed now: why is the IP 192.168.1.0? That looks like it could be a router address.
    I tried removing the mask from the hosts.allow but it still doesn't work.

    The hosts.deny file DOES work. I had this line in the hosts.deny:

    sshd : ALL

    As for the IP, it's not really the IP scope I'm using. I just don't like posting my real IP info

    Hrmmm, why isn't the allow working...

  7. #7

    Member Since
    Feb 26, 2010
    Location
    Rocky Mountain High, Colorado
    Posts
    2,116
    Specs:
    1.8 GHz i7 MBA 11" OSX 10.8.2
    Have you seen this article?
    HOWTO - Limiting Access to TCP-wrapped Services With hosts.allow

    Also - what doesn't work? Are you saying that you try logging in to your machine through SSH it doesn't let you, or are you trying from an out of bounds IP and it still lets you?

    I do the same as XJ-linux - I lock down ssh to only be able to log in with rsa keys.

    edit
    You posted the answer to my questions faster than I could ask.

    Also - did you remove the sshd:ALL from your hosts.deny file? I believe this will override anything in hosts.allow

  8. #8

    Member Since
    Jul 02, 2007
    Location
    Going Galt...
    Posts
    3,451
    Specs:
    MacBookAir5,2:10.9.5-MacMini3,1:10.9.5-iPhone6,1:8.4.1
    Add + + to the allow file?

  9. #9


    Member Since
    Jan 15, 2010
    Posts
    8
    Quote Originally Posted by IvanLasston View Post
    Have you seen this article?
    HOWTO - Limiting Access to TCP-wrapped Services With hosts.allow

    Also - what doesn't work? Are you saying that you try logging in to your machine through SSH it doesn't let you, or are you trying from an out of bounds IP and it still lets you?

    I do the same as XJ-linux - I lock down ssh to only be able to log in with rsa keys.

    edit
    You posted the answer to my questions faster than I could ask.

    Also - did you remove the sshd:ALL from your hosts.deny file? I believe this will override anything in hosts.allow

    When I say it isn't working I mean to say that I'm still able to SSH in from servers that are not in my hosts.allow.

    After adding the hosts.deny entry, it doesn't matter what I do with hosts.allow, everything gets rejected, so yeah, it overrides it apparently.

    If I can't get this to work, it won't be terribly inconvenient to go the authorized keys route.

  10. #10


    Member Since
    Jan 15, 2010
    Posts
    8
    Quote Originally Posted by XJ-linux View Post
    Add + + to the allow file?
    I've never heard of this. What do you mean?

  11. #11

    Member Since
    Feb 26, 2010
    Location
    Rocky Mountain High, Colorado
    Posts
    2,116
    Specs:
    1.8 GHz i7 MBA 11" OSX 10.8.2
    TL;DR - Did you try this FTA in hosts.allow?

    Code:
    ssh : 10.0.3. : allow
    ssh : localhost : allow
    ssh : ALL : deny

  12. #12


    Member Since
    Jan 15, 2010
    Posts
    8
    Okay, I figured it out. Mostly, the problem was due to my stupidity.

    Long story short, a change was made to the network last week so I'm actually hitting the iMac from a different IP than I'm used to, the one I added to the hosts.allow.

    That having been said, I found that I still needed to add "sshd : ALL : deny" to hosts.deny and "sshd : <IP> : allow" to the hosts.allow for it to work correctly.

    Thanks for the help guys, sorry for wasting any of your time.
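The behaviour the posts above puzzle over (allow-only rules doing nothing, a hosts.deny "sshd : ALL" then rejecting everything until the allow line names the right address, and the single-file "ALL : deny" form) all follows from the evaluation order in hosts_access(5): hosts.allow is searched first and a match grants, then hosts.deny is searched and a match refuses, and a client matched by neither file is granted. The script below is an added example, not code from the thread or from tcp_wrappers itself: a small Python model of that search order, covering ALL, localhost, trailing-dot prefixes, net/mask, CIDR and the allow/deny options, run against constructed sample addresses (192.168.1.20, 203.0.113.9, 10.0.3.7) to reproduce each outcome reported in the thread. One caveat the thread does not mention: the daemon field must be the server's process name, sshd, so the "ssh :" lines from the article never match; and upstream OpenSSH dropped tcp_wrappers support in 6.7, so an sshd built without libwrap ignores both files and shows the same "everything gets in" symptom, in which case a Match Address block in sshd_config or a packet-filter rule is the replacement.

```python
"""Toy model of tcpd's hosts_access(5) decision (added example, not tcp_wrappers code)."""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[List[str], List[str], Optional[str]]  # (daemon_list, client_list, option)


def _client_matches(pattern: str, client_ip: str) -> bool:
    """Match one client pattern the way hosts_access(5) describes it."""
    if pattern == "ALL":
        return True
    if pattern == "localhost":          # tcpd would compare the looked-up hostname
        return client_ip in ("127.0.0.1", "::1")
    if pattern.endswith("."):            # "10.0.3." is a leading-octets prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                   # net/mask in dotted or prefix-length form
        net, mask = pattern.split("/", 1)
        network = (ipaddress.ip_network((net, mask), strict=False) if "." in mask
                   else ipaddress.ip_network(f"{net}/{mask}", strict=False))
        return ipaddress.ip_address(client_ip) in network
    return pattern == client_ip          # plain address


def parse_access_file(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option]' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2].lower() if len(fields) > 2 and fields[2] else None
        rules.append((daemons, clients, option))
    return rules


def _first_match(rules: List[Rule], daemon: str, client_ip: str) -> Optional[str]:
    """Return the option of the first rule matching (daemon, client), 'match' if none given."""
    for daemons, clients, option in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
                _client_matches(c, client_ip) for c in clients):
            return option or "match"
    return None


def hosts_access(allow_text: str, deny_text: str, daemon: str, client_ip: str) -> bool:
    """True if tcpd would grant access: allow file first, then deny file, else grant."""
    hit = _first_match(parse_access_file(allow_text), daemon, client_ip)
    if hit is not None:
        return hit != "deny"             # an explicit ': deny' option in hosts.allow refuses
    hit = _first_match(parse_access_file(deny_text), daemon, client_ip)
    if hit is not None:
        return hit == "allow"            # an explicit ': allow' option in hosts.deny grants
    return True                          # matched nowhere: access is granted


# Constructed sample files mirroring the thread's attempts (addresses are made up).
OP_ALLOW_ONLY = "sshd : 192.168.1.0/255.255.255.0 : ALLOW\n"
DENY_ALL = "sshd : ALL\n"
SINGLE_FILE = "sshd : 10.0.3. : allow\nsshd : localhost : allow\nsshd : ALL : deny\n"
LAN_CLIENT, OUTSIDE_CLIENT = "192.168.1.20", "203.0.113.9"


def demo() -> dict:
    """Reproduce each outcome reported in the thread."""
    return {
        # allow-only: in-subnet and out-of-subnet clients are both granted (the OP's symptom)
        "allow_only_in": hosts_access(OP_ALLOW_ONLY, "", "sshd", LAN_CLIENT),
        "allow_only_out": hosts_access(OP_ALLOW_ONLY, "", "sshd", OUTSIDE_CLIENT),
        # allow + 'sshd : ALL' in hosts.deny: only the allowed subnet gets in
        "allow_plus_deny_in": hosts_access(OP_ALLOW_ONLY, DENY_ALL, "sshd", LAN_CLIENT),
        "allow_plus_deny_out": hosts_access(OP_ALLOW_ONLY, DENY_ALL, "sshd", OUTSIDE_CLIENT),
        # single-file form: prefix and localhost granted, everything else refused
        "single_file_lan": hosts_access(SINGLE_FILE, "", "sshd", "10.0.3.7"),
        "single_file_lo": hosts_access(SINGLE_FILE, "", "sshd", "127.0.0.1"),
        "single_file_out": hosts_access(SINGLE_FILE, "", "sshd", OUTSIDE_CLIENT),
        # daemon field 'ssh' never matches a server whose process name is sshd
        "wrong_daemon_name": hosts_access("ssh : ALL : deny\n", "", "sshd", OUTSIDE_CLIENT),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:22s} -> {'granted' if granted else 'refused'}")
```

Run it as-is to see the table; to check a real file pair, feed the contents of /etc/hosts.allow and /etc/hosts.deny into hosts_access() with "sshd" and the connecting address. The model deliberately omits hostname lookups, EXCEPT lists and shell-command options, so treat a disagreement with a live tcpd on those features as the model's limitation, not the system's.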

  13. #13

    Member Since
    Jul 02, 2007
    Location
    Going Galt...
    Posts
    3,451
    Specs:
    MacBookAir5,2:10.9.5-MacMini3,1:10.9.5-iPhone6,1:8.4.1
    Not a waste. Good thread, and more stimulating than: Will more RAM make my Mac faster?

  14. #14


    Member Since
    Sep 09, 2009
    Location
    Down Under :D
    Posts
    5,484
    Specs:
    Back to my old 2.2GHz C2D MB after selling my MBP and wondering what my next Mac will be :)
    Quote Originally Posted by XJ-linux View Post
    Not a waste. Good thread, and more stimulating than: Will more RAM make my Mac faster?
    +1 to that
