1

I'm running dropbear as SSH daemon on Debian (actually Raspbian). I tried setting

# /etc/hosts.allow
dropbear:192.168.1.1
# my static ip from which I SSH connect to the device

and

# /etc/hosts.deny
ALL:ALL
# block all others

Then I restarted the whole device. I could still SSH into the device from different IP addresses and even from remote. Did I configure the files wrong or does dropbear not support these two files?

Foo Bar

2 Answers

1

Dropbear doesn't include any support for /etc/hosts.allow and /etc/hosts.deny. These files are managed by the TCP wrapper library (libwrap), which Dropbear doesn't use. Some third-party packages patch Dropbear for TCP wrapper support, but not Debian.

You can start Dropbear via tcpd to get TCP wrapper support.

/usr/sbin/tcpd /usr/sbin/dropbear -i

If you only want to filter by IP address, you can do it with iptables.

iptables -A INPUT -p tcp --dport 22 ! -s 192.168.1.1 -j DROP
Gilles 'SO- stop being evil'
0

Try:

# /etc/hosts.deny
sshd:ALL:spawn /bin/echo  the ip %h tried to access `/bin/date`>> /var/log/ssh.log

and

# /etc/hosts.allow
sshd:192.168.1.1

If it does not work, try again with dropbear this way.

# /etc/hosts.deny
dropbear:ALL:spawn /bin/echo  the ip %h tried to access `/bin/date`>> /var/log/ssh.log

and

# /etc/hosts.allow
dropbear:192.168.1.1

and check if dropbear has support for tcp/wrappers.

ldd /path/to/dropbear

Look for libwrap.so.0 => /lib/libwrap.so.0

Gilles 'SO- stop being evil'
Renan Vicente
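The two answers combine into one check: a rule in /etc/hosts.allow or /etc/hosts.deny only matters if the daemon it names is linked against libwrap. The script below is an added example, not code from either answer; the function names, the `LDD` override and the `check.sh` file name are hypothetical, and it assumes simple rule lines with plain daemon names or `ALL`.

```sh
#!/bin/sh
# Added example: do TCP wrapper rules for a daemon take effect?
# Assumes rule lines of the form "daemon[,daemon...]:clients[:command]" with
# plain daemon names or ALL (no EXCEPT, no daemon@host, no continuation lines).
LDD=${LDD:-ldd}   # overridable so the logic can be run on constructed ldd output

# links_libwrap BINARY: succeed if ldd lists libwrap for BINARY.
links_libwrap() {
    $LDD "$1" 2>/dev/null |
        grep -Eq '^[[:space:]]*libwrap\.so[.0-9]*[[:space:]]'
}

# rule_daemons FILE: print every daemon name used in a hosts.allow/deny file.
rule_daemons() {
    grep -v '^#' "$1" |
        awk -F: 'NF > 1 { n = split($1, d, /[ \t,]+/)
                          for (i = 1; i <= n; i++) if (d[i] != "") print d[i] }' |
        sort -u
}

# wrapper_status DAEMON BINARY FILE...: print
#   enforced  a rule names DAEMON (or ALL) and BINARY links libwrap
#   ignored   a rule names DAEMON (or ALL) but BINARY never reads the files
#   no-rule   no rule names DAEMON
wrapper_status() {
    daemon=$1 binary=$2
    shift 2
    named=no
    for f in "$@"; do
        [ -r "$f" ] || continue
        if rule_daemons "$f" | grep -Fxq -e "$daemon" -e ALL; then
            named=yes
        fi
    done
    if [ "$named" = no ]; then
        echo no-rule
    elif links_libwrap "$binary"; then
        echo enforced
    else
        echo ignored
    fi
}

# Stand-alone use: sh check.sh dropbear /usr/sbin/dropbear /etc/hosts.allow /etc/hosts.deny
if [ "$#" -ge 3 ]; then
    wrapper_status "$@"
fi
```

`ignored` describes a daemon started directly; when it is started through tcpd as in the first answer, tcpd applies the rules itself. A statically linked binary is also reported as `ignored`, because ldd lists no libraries for it.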