
#1 2009-01-02 00:02:41

DeltaXFX
Member
From: USA
Registered: 2006-08-01
Posts: 74

[SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

I can't get slash notation working in my hosts.allow.
SSH works fine when I have:
sshd: 192.168.1.0/255.255.255.224

But if I try to use slash notation, which the man page says works...
An expression of the form 'n.n.n.n/mm' is interpreted as a
'net/masklength' pair, where 'mm' is the number of consecutive
'1' bits in the netmask applied to the 'n.n.n.n' address.

like: sshd: 192.168.1.0/27

It doesn't work anymore. Am I doing something wrong? Or does slash notation not actually work?

Last edited by DeltaXFX (2009-01-05 04:52:46)


The Internet...? Is that thing still around?


#2 2009-01-02 18:44:00

whukes
Member
Registered: 2008-07-18
Posts: 34

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

I'm not sure on this but it's how I have mine configured. From what I understand that notation does not work in hosts.allow. I'm also going to assume that you want every address in 192.168.x.x to be able to access SSH. For that you would add:

sshd: 192.168.0.0/255.255.255.0

The numbers after the / are not the netmask.


#3 2009-01-02 20:41:58

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

What man page are you looking at? man 5 hosts_access does not include n.n.n.n/mm, only n.n.n.n/m.m.m.m .


#4 2009-01-02 21:30:04

DeltaXFX
Member
From: USA
Registered: 2006-08-01
Posts: 74

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

Hmm... I did man 5 hosts_access... but it was on an Ubuntu system. The hosts.allow in question is on one of my Arch systems. Now I just looked at the man page on my Arch system and it doesn't have the paragraph I referenced. But I just checked the Ubuntu man page again and it absolutely has it.
That answers the question for why it doesn't work on my Arch system. But why would they be different?


The Internet...? Is that thing still around?


#5 2009-01-02 21:50:24

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

Because Debian/Ubuntu's patching policy is a little different to Arch's - in this particular case, it's this different.


#6 2009-01-02 22:16:37

Pudge
Arch Linux f@h Team Member
Registered: 2006-01-23
Posts: 300

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

DeltaXFX,

It's TCP_wrappers that uses the information in /etc/hosts.allow

I have my hosts.allow set to

sshd : 192.168.0. : ALLOW

which allows access for any computer on my local network. Notice the "dot" at the end of the IP address

Lots of times, but not always, the following will fix the problem when TCP_wrappers ignores the hosts.allow file.

Look for this line in /etc/ssh/sshd_config

ListenAddress 192.168.0.XXX

It will usually be ListenAddress 0.0.0.0 by default. Change 0.0.0.0 to the computer's own IP address. Then reboot or run /etc/rc.d/sshd restart
Port 22 tells sshd which port to listen on. I'm sure you know to change it to something besides 22 for security reasons. Incoming packets contain which IP address the message is going to. ListenAddress tells sshd to listen on port 22 for messages addressed to this computer.

Don't know why this works, but I found it with a mamma.com search some time ago when I was having similar problems with Arch. I don't know if it works for other distros. It may not fix your problem, but hey, give it a try.

In case you want to do more research: in the beginning of the article, they talk about using telnet, but it works the same for ssh.

I hope that fixes your problem.

Pudge

EDIT:  Here is another site which discusses the settings in sshd_config

Last edited by Pudge (2009-01-02 22:31:50)


#7 2009-01-02 22:28:56

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

Pudge, DeltaXFX wants to limit access to a subset of the hosts on the 192.168.1.x subnet, as indicated by the netmask he's using. The trailing-dot pattern that you have suggested is not applicable in this case, as it includes all hosts on the subnet.


#8 2009-01-02 22:38:13

Pudge
Arch Linux f@h Team Member
Registered: 2006-01-23
Posts: 300

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

I am aware of what he wants to do. I just chose a really bad example when I listed what I use. I used it because it was convenient. I should have taken the time to give an example closer to what he is trying to do. The TCP_wrappers URL I listed gives examples of what DeltaXFX wants to do. Judging from what I have seen on the Forums, DeltaXFX is a bright young lad. If the ListenAddress setting is the cause of his problems, I'm certain he can figure out the rest.

Pudge


#9 2009-01-02 23:19:57

DeltaXFX
Member
From: USA
Registered: 2006-08-01
Posts: 74

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

Thanks everyone. There isn't a problem per se. I can use SSH just fine on my small network (small because of the subnet I'm using) as long as I list it in hosts.allow like sshd: 192.168.1.0/255.255.255.224
When I looked at the manpage on the Ubuntu machine it said slash notation is possible. So I tried it on my Arch machine but it didn't work. As tomk pointed out, the manpage for hosts_access on Arch does not say anything about slash notation working.
So my system is working just fine, but now I would like to know how, or why, the manpage for Ubuntu would say slash notation works, but the one on Arch doesn't mention it.


The Internet...? Is that thing still around?

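The three pattern forms that come up in this thread (dotted netmask, bare prefix length, trailing-dot prefix) cover different address ranges, and only the dotted-netmask form is documented by every hosts_access(5) man page. The following is an added example, not code from the thread or from tcp_wrappers; it models each pattern as an IPv4 network (the trailing-dot form is really a string-prefix match in tcp_wrappers, which for dotted-quad addresses is equivalent to a /8, /16 or /24) so you can check which clients a given hosts.allow line actually admits before relying on it.

```python
import ipaddress


def hosts_access_pattern(pattern: str) -> ipaddress.IPv4Network:
    """Translate one hosts.allow client pattern into an IPv4 network.

    Handled forms (all taken from the thread):
      n.n.n.n/m.m.m.m  dotted netmask (in man 5 hosts_access everywhere)
      n.n.n.n/mm       prefix length (documented in the Debian/Ubuntu man page only)
      n.n.n.           trailing-dot prefix, i.e. every address starting with it
    A network part with host bits set is rejected: tcp_wrappers compares
    (addr & mask) == net, so such a pattern would silently never match.
    """
    pattern = pattern.strip()
    if pattern.endswith("."):
        octets = pattern.rstrip(".").split(".")
        if not 1 <= len(octets) <= 3 or not all(o.isdigit() for o in octets):
            raise ValueError(f"bad trailing-dot pattern: {pattern!r}")
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network(f"{base}/{8 * len(octets)}")
    if "/" not in pattern:
        return ipaddress.IPv4Network(f"{pattern}/32")   # single host
    net, mask = pattern.split("/", 1)
    if "." in mask:
        return ipaddress.IPv4Network((net, mask))        # dotted netmask
    return ipaddress.IPv4Network(f"{net}/{int(mask)}")   # bare prefix length


def client_allowed(pattern: str, client: str) -> bool:
    """True when the client address falls inside the pattern's network."""
    return ipaddress.IPv4Address(client) in hosts_access_pattern(pattern)


def explain(pattern: str) -> str:
    """One-line description of the address block a pattern covers."""
    net = hosts_access_pattern(pattern)
    return f"{pattern:<28} -> {net} ({net.num_addresses} addresses)"


if __name__ == "__main__":
    # Constructed sample patterns quoted in the thread: the /27 and the
    # dotted-mask form describe the same 32-address block, the trailing
    # dot covers the whole 192.168.0.0/24, and 192.168.0.0/255.255.255.0
    # does not reach 192.168.1.x at all.
    for p in ("192.168.1.0/255.255.255.224", "192.168.1.0/27",
              "192.168.0.", "192.168.0.0/255.255.255.0"):
        print(explain(p))
```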

#10 2009-01-02 23:36:00

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

Read my second post in this thread (#5) again.


#11 2009-01-02 23:36:53

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,223

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

Yay, someone else as geeky as me that uses a /27 CIDR on their home network

FTR, I set hosts.allow to allow ALL, then use iptables to restrict to specific ranges using CIDR masks.


#12 2009-01-02 23:37:56

DeltaXFX
Member
From: USA
Registered: 2006-08-01
Posts: 74

Re: [SOLVED] hosts.allow slash notation i.e. X.X.X.X/NN

Gotcha! Thanks, didn't see that post for some reason. Need a new monocle I guess.


The Internet...? Is that thing still around?
