SSH hosts.allow

Joined
Jan 15, 2010
Messages
8
Reaction score
1
Points
3
Hey guys, I'm trying to figure out if there's a way that I can lock down SSH access into my iMac based on originating IP. In *nix you'd just edit the /etc/hosts.allow file with something like this:

sshd : 192.168.1.0/255.255.255.0 : ALLOW

But that doesn't seem to be working.

I'm actually having a hard time finding information on this so forgive me if this is a common question that I'm just not finding the answer to. If that's the case, can you point me to the documentation/thread/guide?

Thanks in advance!
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
Have you tried restarting SSH? You can do that through the Sharing pref pane.
 
OP
P
Joined
Jan 15, 2010
Messages
8
Reaction score
1
Points
3
Have you tried restarting SSH? You can do that through the Sharing pref pane.

Hey, thanks for the reply.

I just tried restarting it to have the changes take effect: no dice.

I also tried a few different versions of the hosts.allow line (not all at once, one at a time):

sshd : 192.168.1.0/255.255.255.0 : ALLOW
sshd : 192.168.1.0/255.255.255.0
ssh : 192.168.1.0/255.255.255.0 : ALLOW
ssh : 192.168.1.0/255.255.255.0
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
You don't have a hosts.deny do you?

Try this:
1. Setup a hosts.deny to see if that works (if it does, we know ssh is picking it up).
2. Try removing the subnet mask from the host section of your hosts.allow rule.

Also, something I just noticed now: why is the IP 192.168.1.0? That looks like it could be a router address.
 
Joined
Jul 2, 2007
Messages
3,494
Reaction score
204
Points
63
Location
Going Galt...
Your Mac's Specs
MacBookAir5,2:10.13.6-iMac18,3:10.13.6-iPhone9,3:11.4.1
Subscribed out of curiosity. I usually use id_rsa and authorized_keys files. This will be educational for me. Good post! ;)
 
OP
P
Joined
Jan 15, 2010
Messages
8
Reaction score
1
Points
3
You don't have a hosts.deny do you?

Try this:
1. Setup a hosts.deny to see if that works (if it does, we know ssh is picking it up).
2. Try removing the subnet mask from the host section of your hosts.allow rule.

Also, something I just noticed now: why is the IP 192.168.1.0? That looks like it could be a router address.

I tried removing the mask from the hosts.allow but it still doesn't work.

The hosts.deny file DOES work. I had this line in the hosts.deny:

sshd : ALL

As for the IP, it's not really the IP scope I'm using. I just don't like posting my real IP info :)

Hrmmm, why isn't the allow working...
 
Joined
Feb 26, 2010
Messages
2,116
Reaction score
123
Points
63
Location
Rocky Mountain High, Colorado
Your Mac's Specs
1.8 GHz i7 MBA 11" OSX 10.8.2
Have you seen this article?
HOWTO - Limiting Access to TCP-wrapped Services With hosts.allow

Also - what doesn't work? Are you saying that when you try logging in to your machine through SSH it doesn't let you, or are you trying from an out of bounds IP and it still lets you?

I do the same as XJ-linux - I lock down ssh to only be able to log in with rsa keys.

edit
You posted the answer to my questions faster than I could ask.

Also - did you remove the sshd:ALL from your hosts.deny file? I believe this will override anything in hosts.allow
 
Joined
Jul 2, 2007
Messages
3,494
Reaction score
204
Points
63
Location
Going Galt...
Your Mac's Specs
MacBookAir5,2:10.13.6-iMac18,3:10.13.6-iPhone9,3:11.4.1
Add + + to the allow file?
 
OP
P
Joined
Jan 15, 2010
Messages
8
Reaction score
1
Points
3
Have you seen this article?
HOWTO - Limiting Access to TCP-wrapped Services With hosts.allow

Also - what doesn't work? Are you saying that when you try logging in to your machine through SSH it doesn't let you, or are you trying from an out of bounds IP and it still lets you?

I do the same as XJ-linux - I lock down ssh to only be able to log in with rsa keys.

edit
You posted the answer to my questions faster than I could ask.

Also - did you remove the sshd:ALL from your hosts.deny file? I believe this will override anything in hosts.allow


When I say it isn't working I mean to say that I'm still able to SSH in from servers that are not in my hosts.allow.

After adding the hosts.deny entry, it doesn't matter what I do with hosts.allow, everything gets rejected, so yeah, it overrides it apparently.

If I can't get this to work, it won't be terribly inconvenient to go the authorized keys route.
 
Joined
Feb 26, 2010
Messages
2,116
Reaction score
123
Points
63
Location
Rocky Mountain High, Colorado
Your Mac's Specs
1.8 GHz i7 MBA 11" OSX 10.8.2
TL;DR - Did you try this FTA in hosts.allow?

Code:
ssh : 10.0.3. : allow
ssh : localhost : allow
ssh : ALL : deny
 
OP
P
Joined
Jan 15, 2010
Messages
8
Reaction score
1
Points
3
Okay, I figured it out. Mostly, the problem was due to my stupidity :)

Long story short, a change was made to the network last week so I'm actually hitting the iMac from a different IP than I'm used to, the one I added to the hosts.allow.

That having been said, I found that I still needed to add "sshd : ALL : deny" to hosts.deny and "sshd : <IP> : allow" to the hosts.allow for it to work correctly.

Thanks for the help guys, sorry for wasting any of your time.
 
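As an added example (not code from any poster in this thread), a small Python model of the TCP wrappers decision order the thread arrived at by trial: hosts.allow is consulted first, then hosts.deny, and a connection matched by neither file is accepted, which is why an allow file on its own blocks nobody and why a "sshd : ALL" line in hosts.deny is needed. The rule files are constructed inline; it handles the ALL, trailing-dot prefix and net/mask client forms from the thread but not hostnames such as localhost or IPv6 addresses.

```python
import ipaddress

# hosts_access(5) decision order:
#   1. a matching rule in hosts.allow grants access (unless its option is "deny")
#   2. otherwise a matching rule in hosts.deny refuses access (unless its option is "allow")
#   3. otherwise access is granted (no rule matched: default allow)

def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines; '#' comments and blank lines are skipped.
    IPv4 only: an IPv6 literal contains ':' and would confuse this field split."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules

def client_matches(pattern, ip):
    """Client patterns used in the thread: ALL, 'a.b.c.' prefix, net/mask, exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # '10.0.3.' matches every address starting with it
        return ip.startswith(pattern)
    if "/" in pattern:                 # '192.168.1.0/255.255.255.0' is a dotted-mask network
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == ip

def rule_matches(rule, daemon, ip):
    daemons, clients, _ = rule
    return (daemon in daemons or "ALL" in daemons) and any(client_matches(c, ip) for c in clients)

def hosts_access(allow_text, deny_text, daemon, ip):
    """Return True if a connection to `daemon` from `ip` would be accepted."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip):
            return rule[2] != "deny"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip):
            return rule[2] == "allow"
    return True  # nothing matched in either file: wrappers let the connection through

# Constructed files mirroring the OP's final working setup.
ALLOW_FILE = "sshd : 192.168.1.10 : allow\n"
DENY_FILE = "sshd : ALL : deny\n"
```

With an empty hosts.deny the model accepts every source address, reproducing the OP's first symptom; with the deny line in place only the listed address gets in, so connecting from an address other than the one listed is refused, which is exactly what the OP ran into after the network change.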
Joined
Jul 2, 2007
Messages
3,494
Reaction score
204
Points
63
Location
Going Galt...
Your Mac's Specs
MacBookAir5,2:10.13.6-iMac18,3:10.13.6-iPhone9,3:11.4.1
Not a waste. Good thread, and more stimulating than: Will more RAM make my Mac faster? :)
 