Most modern distributions should come with TCP Wrappers installed and ready to go. Is your server daemon linked to TCP Wrappers? Check:
$ ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002b2f57e20000)
Also have a look here:
TCP Wrappers uses the files /etc/hosts.allow and /etc/hosts.deny to control what connections can be made to wrapped servers.
No daemons need to be restarted because changes to
If these files don’t exist, TCP Wrappers is not being used. Create them as root.
There can only be one rule per network service in hosts.allow and hosts.deny. In the case of conflicting rules in hosts.allow and hosts.deny, the allow rule takes precedence (hosts.allow is consulted first). If there are no matching rules in the hosts.allow or hosts.deny files, then the connection is unrestricted (as if TCP Wrappers wasn't installed).
The rules take this form:
daemon_list : client_list [ : option ... ]
Daemon specifiers:
ALL - a special daemon specifier that applies to any service.
sshd - probably the most important one.
Client specifiers:
specific.example.com - will match just this host. Separate multiples with spaces or commas.
.example.com - (note leading dot) will match all hosts ending in .example.com.
.xed.ch EXCEPT test.xed.ch - matches anything from xed.ch with the exception of test.xed.ch.
/etc/troublemakers - matches anything in this file. It's interpreted as a file if it has a leading slash.
ALL - a special client designation that means match all hosts.
LOCAL - matches any host that contains no dot (e.g. localhost).
UNKNOWN - matches any user that is unknown. Also matches unknown hosts and unknown addresses. This could be useful if you definitely do not want to entertain attempts from users that do not exist in your passwd file or hosts that are not explicitly listed in your
KNOWN - the inverse of UNKNOWN.
PARANOID - matches host names that don't match the address.
Options:
:allow (or :deny) - makes it possible to keep all rules in a single file.
:spawn - runs a shell command as a child process, e.g.
sshd : hmm.xed.ch : spawn ( /bin/echo `date` "%h tried to use %d" >> login.log ) &
:twist - replaces the actual request with one set by the server admin. Handy for honeypots and menacing rejection messages.
sshd : bad.xed.ch : twist /bin/echo "Go away!" : deny
:keepalive - server occasionally pings the client until the client stops responding.
:nice - change the niceness level for this process.
:setenv VAR VALUE - modify the process environment.
:user nobody - makes the UID kind of safe.
SSH Login Control
TCP Wrappers is often used to cut down the clutter of brute force ssh login attempts. Note that DenyHosts uses TCP Wrappers. If there's a real problem with ssh attacks, you might think about that. Or fail2ban, which can use iptables too.
Very Simple Example
Coop’s minimal configuration suggestion.
echo "sshd : ALL" >> /etc/hosts.deny
echo "sshd : .xed.ch" >> /etc/hosts.allow
Another Very Simple Example
Here's an even simpler way to block ssh access from every host but the special privileged one. Note that it only uses hosts.deny; hosts.allow does not need to exist for this to work.
echo "sshd : ALL EXCEPT admin.xed.ch planb.xed.ch" >> /etc/hosts.deny
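To see why both of the one-liner configurations above behave as described (allow file first, first match wins, no match means allowed), here is a constructed evaluator of the rule semantics from this page; it is added example code, not part of the original notes or of the TCP Wrappers sources, and it models only the ALL, LOCAL, leading-dot and EXCEPT client patterns, ignoring options such as :spawn or :twist.

```python
"""Constructed evaluator of the TCP Wrappers rules described above (example code, not from the page).

Models: hosts.allow is consulted first, then hosts.deny; first match wins; no
match means the connection is allowed. Client patterns: ALL, LOCAL, leading-dot
domain suffix, exact host name and nested EXCEPT. Options such as :spawn and
:twist are ignored; KNOWN, UNKNOWN, PARANOID and file patterns are not modelled.
"""

def _items(s):
    # List members may be separated by blanks or commas.
    return s.replace(",", " ").split()

def _match_item(pattern, name):
    """Match one daemon or client pattern against a single name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in name  # e.g. localhost
    if pattern.startswith("."):
        return name.endswith(pattern)  # .xed.ch matches hmm.xed.ch
    return pattern == name

def _match_list(pattern_list, name):
    """'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c)."""
    head, _, tail = pattern_list.partition(" EXCEPT ")
    if not any(_match_item(p, name) for p in _items(head)):
        return False
    return not (tail and _match_list(tail, name))

def _file_matches(text, daemon, client):
    """True if any 'daemon_list : client_list [: option ...]' line matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # blank, comment or malformed line
        if _match_list(fields[0], daemon) and _match_list(fields[1], client):
            return True
    return False

def hosts_access(allow_text, deny_text, daemon, client):
    """Return True if the connection would be accepted, False if refused."""
    if _file_matches(allow_text, daemon, client):
        return True
    if _file_matches(deny_text, daemon, client):
        return False
    return True  # no matching rule in either file: unrestricted
```

Feeding it the two configurations above shows that "sshd : ALL" in hosts.deny plus "sshd : .xed.ch" in hosts.allow, and "sshd : ALL EXCEPT admin.xed.ch planb.xed.ch" in hosts.deny alone, both refuse sshd to outside hosts while leaving other (unwrapped or unmentioned) services unrestricted.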