Hi all,
I seem to have an issue ssh'ing to my new arch box, it says I'm not allowed access even when I add my IP address to hosts.allow .
It's not unlike some problems I've read about here, as when I put in sshd : ALL I am granted access. This is not the answer though, as I want to restrict IP addresses; I have it set up like that on lots of other machines.
My computer's firewall isn't blocking it, but seeing as I'm on a large network I thought my ssh request might be diverting to a router somewhere before hitting my computer. Any way to track it?
Last edited by mrjwalsh (2007-02-06 02:39:19)
Have you tried running traceroute?
IIRC, there's a default entry in hosts.deny for ALL when you first install arch. You can add a line for ssh in your hosts.allow, or you can add a line for the ip range you want allowed to access services.
Unthinking respect for authority is the greatest enemy of truth.
-Albert Einstein
(alternative)
Here is how I do mine. I set "sshd: ALL: ALLOW" in /etc/hosts.allow and use "AllowGroups ssh" in /etc/ssh/sshd_config. I only added the $USER I want to allow ssh access to group ssh.
Hey guys,
Thanks for the replies. It does work with the sshd : ALL bit, but what are the security risks with this? I've set norootlogin in ssh, set up my iptables, and I can create a group that is allowed to login; so does sshd : ALL still make me more vulnerable to attacks (or attempts?)
so does sshd : ALL still make me more vulnerable to attacks (or attempts?)
Well... yes, slightly. Even if you only allow one IP to connect, I can still do a port scan and see an SSH server running on your machine. However, if I'm looking to break into someone's machine, I'm looking for telnet, ftp, www, and NETBIOS ports that are open, not SSH. Know what I'm sayin'?
"Oh, they have the internet on computers now."
I misread your question at first - sorry about that. Please post the exact entry you are using in your hosts.allow file - you can obscure the IP if you need to. I imagine your issue is syntax at this point since ALL works - that's pretty strong evidence you don't have an access-list or firewall rule blocking access to that box. Other thoughts:
Are you sshing from another linux machine? If so, you can use the -v (or even -vv) switch to get a better idea of what's failing. What do you see in your logs when you try to connect? Try running
tail -f /var/log/auth.log
while you try an ssh to that box with the rule in place. What is kicked out?
Unthinking respect for authority is the greatest enemy of truth.
-Albert Einstein
Alrighty Snarkout, I did what you said and within verbose mode I got an output along the lines of this:
Connecting to xxx.xxx.xx.xxx [xxx.xxx.xx.xxx] port 22222
Connection established
ssh_exchange_identification : Connection closed by remote host
And when I do that tail command on the server I get:
sshd : refused connect from 0.0.0.0
My IP is not 0.0.0.0, so I don't know if that's where I've stuffed up.
Is there a reason you're connecting to port 22222? Are you running a firewall on the server? Are you using keys rather than password? It really looks like you're doing a lot more than running sshd on the standard port from what you've posted there. It'd be helpful if you'd post the entire output of an ssh -vv [server] - obfuscating the IPs is fine.
Unthinking respect for authority is the greatest enemy of truth.
-Albert Einstein
Hi Snarkout, thanks for the replies; it was my stupid fault, as every Linux problem always is. The 'refused connect from 0.0.0.0' was the key: the default listen address was set to 0.0.0.0, so I put the machine's IP address in instead and now I can get ssh direct connections.
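To make the hosts.allow / hosts.deny behaviour discussed above concrete (the default "ALL: ALL" in hosts.deny, the "sshd : ALL" line that made things work, and the "refused connect from 0.0.0.0" log line), here is a small emulation of the TCP wrappers decision that sshd applies before the banner exchange. This is an added example, not code from the thread or from Arch; the rule files and client addresses in it are constructed, and it covers only a subset of the hosts_access(5) pattern syntax.

```python
"""Emulate the hosts_access(5) decision sshd makes for an incoming client.
Added example, not from the thread; rule files and addresses are constructed."""
import ipaddress


def _parse(text):
    """Yield (daemons, clients, explicit_verdict) per rule line; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        verdict = None  # a trailing ": ALLOW" / ": DENY" option decides immediately
        if len(fields) > 2 and fields[2].upper() in ("ALLOW", "DENY"):
            verdict = fields[2].upper() == "ALLOW"
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")] if len(fields) > 1 else ["ALL"]
        rules.append((daemons, clients, verdict))
    return rules


def _client_matches(pattern, ip):
    """Subset of client patterns: ALL, exact IP, 'a.b.c.' prefix, net/mask or CIDR."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # ipaddress accepts both 10.0.0.0/24 and 10.0.0.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def hosts_access(allow_text, deny_text, daemon, ip):
    """True if `daemon` may serve `ip`: hosts.allow is searched first, then
    hosts.deny; the first matching line wins; no match at all means allow."""
    for text, default in ((allow_text, True), (deny_text, False)):
        for daemons, clients, verdict in _parse(text):
            if (daemon in daemons or "ALL" in daemons) and any(_client_matches(c, ip) for c in clients):
                return default if verdict is None else verdict
    return True


# Constructed files mirroring the thread: Arch's default hosts.deny blocks
# everything; hosts.allow lists the one address that may reach sshd.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "sshd: 10.0.0.5\n"

if __name__ == "__main__":
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "10.0.0.5"))   # True
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "10.0.0.6"))   # False
    # The address sshd logged in the thread matches no allow line, so hosts.deny wins.
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "0.0.0.0"))    # False
    print(hosts_access("sshd : ALL\n", HOSTS_DENY, "sshd", "0.0.0.0"))  # True
```

The last two calls show why "sshd : ALL" "fixed" the original problem: it matches whatever address sshd sees, including one that is not the client's real IP, so the hosts.deny entry is never reached.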