Doesn't work in 10.0.1 release?
Authored by: gabester on Apr 26, '01 12:36:55PM

I've been trying to do this on the latest release.
I'll grant that the only service I'm currently
using is SSH, but I cannot seem to deny access
from anywhere.

I'm using the following format; what am I
doing wrong?

sshd : localhost 127.0.0.1 : allow
sshd : 192.168.1.10 : allow
sshd : 192.168.1.0/255.255.255.0
sshd : ALL : deny

My limited understanding says this should block
access from all machines using ssh to connect
except localhost and one other on my lan.
However, I can access from any machine on my
lan without difficulty.

Is there something that needs to be done to
activate this in 10.0.1?


Doesn't work in 10.0.1 release?
Authored by: moby1 on Apr 26, '01 08:05:07PM

Try moving the "Deny" statement BEFORE the "Allow" statement.

Also, shouldn't it be "deny: all"?

Remember to restart the server after that.

WARNING: I'm just a Linux newbie and by following my advice you may experience dizziness, fatigue and sweating. Continued use of my advice may cause wheezing and a general feeling of confusion and disorientation. Use with caution.


Doesn't work in 10.0.1 release?
Authored by: patpro on Apr 27, '01 07:51:38AM

syntax looks ok except for the 3rd line :

sshd : 192.168.1.0/255.255.255.0

that should be either

sshd : 192.168.1.0/255.255.255.0 : deny

or

sshd : 192.168.1.0/255.255.255.0 : allow

If it does not solve your problem, it may be due to SSH compilation. I guess you are using SSH provided by Apple. Unfortunately SSH must be specifically compiled to use TCP Wrapper. I don't know if --with-tcp-wrapper was used on Apple's SSH.

h.t.h.


Doesn't work in 10.0.1 release?
Authored by: Anon on Aug 01, '01 06:23:44PM

You need to create a file called /etc/hosts.deny with the following line:

ALL: ALL

That will deny everything that you haven't allowed.


Doesn't work in 10.0.1 release?
Authored by: therav! on Jun 22, '02 04:32:44AM

sshd : localhost 127.0.0.1 : allow
sshd : 192.168.1.10 : allow
sshd : 192.168.1.0/255.255.255.0
sshd : ALL : deny

Actually the above syntax is not correct, or at least not if you enter it exactly like that. What you would do is create both a hosts.allow and a hosts.deny file. In the hosts.deny file you would enter ALL:ALL
In the hosts.allow file you would enter sshd:127.0.0.1,192.168.1.

If in the deny list you don't want to deny all services but just the sshd daemon, then alternatively you could enter sshd: ALL in the deny file. But generally, from a security perspective, you should deny everything to everyone and then explicitly allow only what you need to allow in the hosts.allow file.


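The rule evaluation discussed in this thread, as an added example that is not any poster's code and not the TCP Wrappers source: a small first-match evaluator run over the four lines from the question, a tightened variant, and the two-file layout from the later replies. It assumes sshd is built with TCP Wrappers and the allow/deny option syntax, that the question's lines are in hosts.allow, and it handles only the IPv4 pattern forms seen on this page; `QUESTION`, `TIGHTENED` and the function names are hypothetical.

```python
import ipaddress
import re

def client_matches(pattern, addr, name=None):
    """Match one hosts_access(5)-style client pattern (IPv4 subset only)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:              # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):       # leading octets, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern in (addr, name)  # exact address or host name

def first_match(rules, file_default, daemon, addr, name=None):
    """Verdict of the first rule matching (daemon, client), or None."""
    for line in rules.splitlines():
        fields = [f.strip() for f in line.split("#")[0].split(":")]
        if len(fields) < 2:
            continue                # blank or malformed line
        daemons = re.split(r"[,\s]+", fields[0])
        clients = re.split(r"[,\s]+", fields[1])
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(c, addr, name) for c in clients):
            # A rule without an allow/deny option takes its file's meaning.
            return fields[2].lower() if len(fields) > 2 and fields[2] else file_default
    return None

def decide(hosts_allow, hosts_deny, daemon, addr, name=None):
    """hosts.allow is searched first, then hosts.deny; no match grants access."""
    return (first_match(hosts_allow, "allow", daemon, addr, name)
            or first_match(hosts_deny, "deny", daemon, addr, name)
            or "allow")

# Constructed inputs. ASSUMPTION: the four lines from the question live in hosts.allow.
QUESTION = """
sshd : localhost 127.0.0.1 : allow
sshd : 192.168.1.10 : allow
sshd : 192.168.1.0/255.255.255.0
sshd : ALL : deny
"""
# Same rules without the optionless LAN line (hypothetical tightened variant).
TIGHTENED = "\n".join(l for l in QUESTION.splitlines() if "/" not in l)
# Two-file layout from the later replies, narrowed to the two wanted hosts.
TWO_FILE_ALLOW, TWO_FILE_DENY = "sshd: 127.0.0.1, 192.168.1.10", "ALL: ALL"

if __name__ == "__main__":
    for addr in ("127.0.0.1", "192.168.1.10", "192.168.1.77", "10.0.0.5"):
        print(addr, decide(QUESTION, "", "sshd", addr),
              decide(TIGHTENED, "", "sshd", addr),
              decide(TWO_FILE_ALLOW, TWO_FILE_DENY, "sshd", addr))
```

Under these assumptions the optionless third line is the first match for every LAN address and, sitting in hosts.allow, grants access; a trailing-dot pattern such as `192.168.1.` in hosts.allow admits the whole /24 in the same way.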