tl;dr: libwrap support has been dropped from sshd.
-----------
So I've been trying to get sshd to use /etc/hosts.deny but I can't get it to work. As far as I'm aware there are 3 requirements: sshd needs to be compiled with tcp_wrapper support, a valid /etc/hosts.deny needs to exist, sshd needs to be configured to listen on an IP address and not 0.0.0.0.
I can check off the hosts.deny and sshd config, but when I run:
# ldd /usr/sbin/sshd | grep libwrap
I get no return; I have installed libwrap and lib32-libwrap, restarted sshd to be sure but it's still not working.
Am I correct in now concluding that sshd is not compiled with tcp wrapper support? Because I thought that was default (thought I read that somewhere).
Any ideas?
Thanks!
Last edited by mouseman (2017-08-01 11:43:11)
libwrap support was dropped from openssh a while ago: http://marc.info/?l=openssh-unix-dev&m= … 608284&w=2
If you want to secure your server, I suggest you look at https://wiki.archlinux.org/index.php/Security#SSH
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Thanks for the info. With all the searching I've done it's crazy I haven't run into that myself. Been at it for a few days already.
I've gone through the wiki list already and I have a pretty secure setup already using only ssh keys, 2FA using Google Authenticator and root disallowed. My logs are getting flooded with brute force attempts, however, so I wanted to use the denyhosts script to fill up /etc/hosts.deny.
Instead, I'll look into iptables and auto banning using that. Maybe fail2ban ...
Thanks!
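An added example, not part of the thread and not code from denyhosts or fail2ban: a minimal sketch of the per-source failure counting that log-based banning relies on, now that sshd no longer consults /etc/hosts.deny. The function name, thresholds, year parameter and sample log lines are constructed assumptions, and the two message patterns matched are only a subset of what sshd logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog-style sshd format (documentation IP ranges).
SAMPLE_LOG = """\
Aug  1 11:40:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Aug  1 11:40:03 host sshd[1002]: Invalid user admin from 203.0.113.5 port 40002
Aug  1 11:40:05 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Aug  1 11:41:00 host sshd[1004]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Aug  1 11:45:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 41000 ssh2
Aug  1 12:30:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 41001 ssh2
Aug  1 12:59:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 41002 ssh2
"""

# Matches the two failure messages handled here and captures timestamp and source IP.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def ban_candidates(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2017):
    """Return sorted source IPs with >= max_retry failures inside any find_time window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year; the caller supplies one (assumption)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()      # drop failures that have aged out of the window
        if len(window) >= max_retry:
            flagged.add(m["ip"])
    return sorted(flagged)

if __name__ == "__main__":
    for ip in ban_candidates(SAMPLE_LOG):
        print(ip)   # candidates for a firewall ban rule
```

The slow source (198.51.100.7) stays under the default 10-minute window, which is why the window length matters as much as the retry count when tuning a ban policy.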