10-18-2010, 12:28 PM

Hey guys, I'm trying to figure out if there's a way that I can lock down SSH access into my iMac based on originating IP. In *nix you'd just edit the /etc/hosts.allow file with something like this:

sshd : 192.168.1.0/255.255.255.0 : ALLOW

But that doesn't seem to be working.

I'm actually having a hard time finding information on this so forgive me if this is a common question that I'm just not finding the answer to. If that's the case, can you point me to the documentation/thread/guide?

Thanks in advance!

10-18-2010, 01:02 PM

Have you tried restarting SSH? You can do that through the Sharing pref pane.

10-18-2010, 01:56 PM

Quote:

Originally Posted by vansmith

Have you tried restarting SSH? You can do that through the Sharing pref pane.

Hey, thanks for the reply.

I just tried restarting it to have the changes take effect: no dice.

I also tried a few different versions of the hosts.allow line (not all at once, one at a time):

sshd : 192.168.1.0/255.255.255.0 : ALLOW
sshd : 192.168.1.0/255.255.255.0
ssh : 192.168.1.0/255.255.255.0 : ALLOW
ssh : 192.168.1.0/255.255.255.0

10-18-2010, 02:04 PM

You don't have a hosts.deny do you?

Try this:
1. Setup a hosts.deny to see if that works (if it does, we know ssh is picking it up).
2. Try removing the subnet mask from the host section of your hosts.allow rule.

Also, something I just noticed know: why is the IP 192.168.1.0? That looks like it could be a router address.

10-18-2010, 02:25 PM

Subscribed out of curiosity. I usually use id_rsa and authorized_keys files. This will be educational for me. Good post!

10-18-2010, 02:41 PM

Quote:

Originally Posted by vansmith

You don't have a hosts.deny do you?

Try this:
1. Setup a hosts.deny to see if that works (if it does, we know ssh is picking it up).
2. Try removing the subnet mask from the host section of your hosts.allow rule.

Also, something I just noticed know: why is the IP 192.168.1.0? That looks like it could be a router address.

I tried removing the mask from the hosts.allow but it still doesn't work.

The host.deny file DOES work. I had this line in the hosts.deny:

sshd : ALL

As for the IP, it's not really the IP scope I'm using. I just don't like posting my real IP info

Hrmmm, why isn't the allow working...

10-18-2010, 02:44 PM

Have you seen this article?
HOWTO - Limiting Access to TCP-wrapped Services With hosts.allow

Also - what doesn't work? Are you saying that you try logging in to your machine through SSH it doesn't let you, or are you trying from an out of bounds IP and it still lets you?

I do the same as XJ-linux - I lock down ssh to only be able to log in with rsa keys.

edit
You posted the answer to my questions faster than I could ask.

Also - did you remove the sshd:ALL from your hosts.deny file? I believe this will override anything in hosts.allow

10-18-2010, 03:37 PM

Add + + to the allow file?

10-18-2010, 03:47 PM

Quote:

Originally Posted by IvanLasston

Have you seen this article?
HOWTO - Limiting Access to TCP-wrapped Services With hosts.allow

Also - what doesn't work? Are you saying that you try logging in to your machine through SSH it doesn't let you, or are you trying from an out of bounds IP and it still lets you?

I do the same as XJ-linux - I lock down ssh to only be able to log in with rsa keys.

edit
You posted the answer to my questions faster than I could ask.

Also - did you remove the sshd:ALL from your hosts.deny file? I believe this will override anything in hosts.allow

When I say it isn't working I mean to say that I'm still able to SSH in from servers that are not in my hosts.allow.

After adding the hosts.deny entry, it doesn't matter what I do with hosts.allow, everything gets rejected, so yeah, it overrides it apparently.

If I can't get this to work, it won't be terribly inconvenient to go the authorized keys route.

10-18-2010, 03:48 PM

Quote:

Originally Posted by XJ-linux

Add + + to the allow file?

I've never heard of this. What do you mean?

10-18-2010, 03:54 PM

TL ; DR - Did you try this FTA in hosts.allow?

Code:

	ssh : 10.0.3. : allow
	ssh : localhost : allow
	ssh : ALL : deny

10-18-2010, 04:01 PM

Okay, I figured it out. Mostly, the problem was due to my stupidity

Long story, short, a change was made to the network last week so I'm actually hitting the iMac from a different IP than I'm used to, the one I added to the hosts.allow.

That having been said, I found that I still needed to add "sshd : ALL : deny" to hosts.deny and "sshd : <IP> : allow" to the hosts.allow for it to work correctly.

Thanks for the help guys, sorry for wasting any of your time.

10-18-2010, 04:25 PM

Not a waste. Good thread, and more stimulating than: Will more RAM make my Mac faster?

10-18-2010, 09:46 PM

Quote:

Originally Posted by XJ-linux

Not a waste. Good thread, and more stimulating than: Will more RAM make my Mac faster?

+1 to that