The all:all:deny should be on a separate line...
-----Original Message-----
From: aaron hirsch
Sent: Thursday, October 21, 2004 9:00 AM
To: kclug@kclug.org
Subject: RE: It was bound to happen - suspected hack
I'd modify the hosts.allow file a bit more...
i.e.
sshd: localhost 192.168.0.0/255.255.255.0 12.30.163.* ALL:ALL:DENY
This is a "catch-all" that is a best practice just in case the hosts.deny is misconfigured or not configured at all, although the ALL:ALL in your hosts.deny is correct. It will deny access to all services that tcpd monitors to everything as a last resort. Hence, if it's not explicitly defined to be allowed, it is by default denied.
Just an idea...
-----Original Message-----
From: Jon Moss [mailto:jon.moss@cnonline.net]
Sent: Thursday, October 21, 2004 7:03 AM
To: kclug@kclug.org
Subject: Re: It was bound to happen - suspected hack
I've been researching sshd and allowing/denying access and I think I have figured it out. Just please confirm that I'm on the right track.
I edited my hosts.allow as follows:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: localhost 192.168.0.0/255.255.255.0 12.30.163.*
And then my hosts.deny as follows:
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

ALL : ALL
However, I don't really have any way to test this as I allowed access from everywhere that I am. :)
Any suggestions and advice are still greatly appreciated.
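
Added example, not part of the original messages: a small Python model of the lookup order tcpd uses (hosts.allow first, then hosts.deny, grant if neither matches), run over a constructed copy of the rules from this thread with the catch-all on its own line. It covers only the pattern forms seen here, assumes the ": DENY" option syntax of hosts_options(5), and the function names are hypothetical.

```python
import fnmatch
import ipaddress

# Constructed copy of the thread's rules, catch-all on its own line.
HOSTS_ALLOW = """\
sshd: localhost 192.168.0.0/255.255.255.0 12.30.163.*
ALL: ALL: DENY
"""
HOSTS_DENY = "ALL: ALL\n"

def parse(text):
    """Return (daemons, clients, option) for every rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules

def client_matches(pattern, addr, name):
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:                    # net/mask
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    if pattern.endswith("."):             # address prefix such as "12.30.163."
        return addr.startswith(pattern)
    if "*" in pattern or "?" in pattern:  # wildcard form used in the thread
        return fnmatch.fnmatchcase(addr, pattern)
    return pattern.lower() in (addr, name.lower())

def first_match(rules, daemon, addr, name):
    """Option of the first rule matching daemon and client, else None."""
    for daemons, clients, option in rules:
        if any(d.upper() == "ALL" or d == daemon for d in daemons) and \
           any(client_matches(c, addr, name) for c in clients):
            return option or ""
    return None

def access(daemon, addr, name="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if granted: hosts.allow first, then hosts.deny, else grant."""
    hit = first_match(parse(allow), daemon, addr, name)
    if hit is not None:
        return hit != "deny"
    hit = first_match(parse(deny), daemon, addr, name)
    return True if hit is None else hit == "allow"
```

To check the real files on the host rather than this model, the tcpdmatch utility shipped with tcp_wrappers takes a daemon name and a client address and reports the decision.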