SSH hosts.allow


Paul133

 
Hey guys, I'm trying to figure out if there's a way that I can lock down SSH access into my iMac based on originating IP. In *nix you'd just edit the /etc/hosts.allow file with something like this:

sshd : 192.168.1.0/255.255.255.0 : ALLOW

But that doesn't seem to be working.

I'm actually having a hard time finding information on this so forgive me if this is a common question that I'm just not finding the answer to. If that's the case, can you point me to the documentation/thread/guide?

Thanks in advance!
vansmith

 
Have you tried restarting SSH? You can do that through the Sharing pref pane.

Paul133

 
Quote:
Originally Posted by vansmith
Have you tried restarting SSH? You can do that through the Sharing pref pane.

Hey, thanks for the reply.

I just tried restarting it to have the changes take effect: no dice.

I also tried a few different versions of the hosts.allow line (not all at once, one at a time):

sshd : 192.168.1.0/255.255.255.0 : ALLOW
sshd : 192.168.1.0/255.255.255.0
ssh : 192.168.1.0/255.255.255.0 : ALLOW
ssh : 192.168.1.0/255.255.255.0
vansmith

 
You don't have a hosts.deny do you?

Try this:
1. Setup a hosts.deny to see if that works (if it does, we know ssh is picking it up).
2. Try removing the subnet mask from the host section of your hosts.allow rule.

Also, something I just noticed now: why is the IP 192.168.1.0? That looks like it could be a router address.

XJ-linux

 
Subscribed out of curiosity. I usually use id_rsa and authorized_keys files. This will be educational for me. Good post!

"Those who don't understand Unix are condemned to reinvent it, poorly." Henry Spencer
Paul133

 
Quote:
Originally Posted by vansmith
You don't have a hosts.deny do you?

Try this:
1. Setup a hosts.deny to see if that works (if it does, we know ssh is picking it up).
2. Try removing the subnet mask from the host section of your hosts.allow rule.

Also, something I just noticed now: why is the IP 192.168.1.0? That looks like it could be a router address.

I tried removing the mask from the hosts.allow but it still doesn't work.

The hosts.deny file DOES work. I had this line in the hosts.deny:

sshd : ALL

As for the IP, it's not really the IP scope I'm using. I just don't like posting my real IP info.

Hrmmm, why isn't the allow working...
IvanLasston

 
Have you seen this article?
HOWTO - Limiting Access to TCP-wrapped Services With hosts.allow

Also - what doesn't work? Are you saying that when you try logging in to your machine through SSH it doesn't let you, or that you are trying from an out-of-bounds IP and it still lets you?

I do the same as XJ-linux - I lock down ssh to only be able to log in with rsa keys.

Edit:
You posted the answer to my questions faster than I could ask.

Also - did you remove the sshd:ALL from your hosts.deny file? I believe this will override anything in hosts.allow.
XJ-linux

 
Add + + to the allow file?
Paul133

 
Quote:
Originally Posted by IvanLasston
Have you seen this article?
HOWTO - Limiting Access to TCP-wrapped Services With hosts.allow

Also - what doesn't work? Are you saying that when you try logging in to your machine through SSH it doesn't let you, or that you are trying from an out-of-bounds IP and it still lets you?

I do the same as XJ-linux - I lock down ssh to only be able to log in with rsa keys.

Edit:
You posted the answer to my questions faster than I could ask.

Also - did you remove the sshd:ALL from your hosts.deny file? I believe this will override anything in hosts.allow.

When I say it isn't working I mean to say that I'm still able to SSH in from servers that are not in my hosts.allow.

After adding the hosts.deny entry, it doesn't matter what I do with hosts.allow, everything gets rejected, so yeah, it overrides it apparently.

If I can't get this to work, it won't be terribly inconvenient to go the authorized keys route.
Paul133

 
Quote:
Originally Posted by XJ-linux
Add + + to the allow file?

I've never heard of this. What do you mean?
IvanLasston

 
TL;DR - Did you try this FTA in hosts.allow?

Code:
ssh : 10.0.3. : allow
ssh : localhost : allow
ssh : ALL : deny
Paul133

 
Okay, I figured it out. Mostly, the problem was due to my stupidity.

Long story short, a change was made to the network last week so I'm actually hitting the iMac from a different IP than I'm used to, the one I added to the hosts.allow.

That having been said, I found that I still needed to add "sshd : ALL : deny" to hosts.deny and "sshd : <IP> : allow" to the hosts.allow for it to work correctly.

Thanks for the help guys, sorry for wasting any of your time.
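As an added example (not code from the thread, the linked HOWTO, or tcp_wrappers itself), a small Python model of the lookup order behind IvanLasston's three-line hosts.allow and Paul133's final hosts.allow/hosts.deny pair: hosts.allow is consulted first, then hosts.deny, and a client matching neither is let in, which is why an allow entry with nothing in hosts.deny blocks nobody. The 192.168.1.0/24 network stands in for the <IP> Paul133 did not post; hostname patterns and EXCEPT are not modelled.

```python
import ipaddress

# Lookup order from hosts_access(5): a (daemon, client) match in hosts.allow grants
# access, otherwise a match in hosts.deny refuses it, otherwise access is granted.
# Modelled: ALL, trailing-dot prefixes ("10.0.3."), net/mask pairs, literal addresses
# and the "allow"/"deny" options (compared case-insensitively here).

def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # "10.0.3." matches 10.0.3.x only
        return ip.startswith(pattern)
    if "/" in pattern:                             # "192.168.1.0/255.255.255.0"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def first_match(rules, daemon, ip):
    # Daemon names are process names, so an "ssh : ..." rule never matches sshd.
    for daemons, clients, option in rules:
        if (daemon in daemons or "ALL" in daemons) and \
                any(client_matches(c, ip) for c in clients):
            return option or "match"
    return None

def hosts_access(allow_text, deny_text, daemon, ip):
    """Return True if tcp_wrappers would admit `ip` to `daemon` under these files."""
    verdict = first_match(parse_rules(allow_text), daemon, ip)
    if verdict is not None:
        return verdict != "deny"                  # ': deny' in hosts.allow still refuses
    verdict = first_match(parse_rules(deny_text), daemon, ip)
    if verdict is not None:
        return verdict == "allow"
    return True                                   # no rule anywhere: access granted

# Constructed sample files mirroring Paul133's final setup; 192.168.1.0/24 is a
# placeholder for the <IP> he did not post.
HOSTS_ALLOW = "sshd : 192.168.1.0/255.255.255.0 : allow\n"
HOSTS_DENY = "sshd : ALL : deny\n"
```

Running the model with HOSTS_ALLOW but an empty hosts.deny admits every client, which is the behaviour Paul133 first reported; adding the deny line is what turns the allow entry into a restriction.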
XJ-linux

 
Not a waste. Good thread, and more stimulating than: Will more RAM make my Mac faster?
6string

 
Quote:
Originally Posted by XJ-linux
Not a waste. Good thread, and more stimulating than: Will more RAM make my Mac faster?

+1 to that