
I configured the /etc/hosts.allow at the machine 192.168.122.50 with the following option.

sshd : ALL EXCEPT 192.168.122.1

and tried ssh root@192.168.122.50 from the machine 192.168.122.1 and I was able to connect to the machine 192.168.122.50 as root.

Then I added the following rule to the /etc/hosts.deny file at 192.168.122.50

sshd : 192.168.122.1

Again, I tried ssh root@192.168.122.50 from the machine 192.168.122.1. But this time I was not able to connect and I got the error

ssh_exchange_identification: Connection closed by remote host

This made me doubt the actual behaviour of the EXCEPT directive in /etc/hosts.allow and /etc/hosts.deny. Below is what I understand from this.

If we put the EXCEPT directive in hosts.allow, it only means that we are not allowing the particular host/network that comes after it, but a connection is still possible until we explicitly mention that particular host/network in /etc/hosts.deny. To put it simply, not allowing does not mean denying.

If we put the EXCEPT directive in hosts.deny, it means that we are indirectly allowing the particular host/network to make a connection. To put it simply, not denying means allowing.

Am I right in my judgement?

Note 1: The ssh daemon is restarted whenever I make a change in /etc/hosts.allow and /etc/hosts.deny, even though it is not necessary.

Note 2: I understand that allow has more priority than deny.


2 Answers


You are perhaps assuming there is an implicit "default deny": there is not.

ALL EXCEPT 192.168.122.1 simply does not apply to host 192.168.122.1, so subsequent entries are checked.

Assuming you do not have an ancient tcpwrappers (i.e. it supports and was built with -DHOSTS_ACCESS) you should really only use hosts.allow:

sshd: 192.168.122.1 : DENY
sshd: ALL : ALLOW

(Note that default allow is bad practice, of course.)

mr.spuratic
  • Thank you. If `simply does not apply` is what happens to stuff after the **except** directive, then perhaps I was assuming an implicit "default deny". Also the following clause from `man 5 hosts_access` reiterates your answer. `EXCEPT Intended use is of the form: 'list_1 EXCEPT list_2'; this construct matches anything that matches list_1 unless it matches list_2.` – sjsam Sep 24 '13 at 18:48

The problem is that tcp_wrappers can't deny specific hosts, only by using the EXCEPT directive (I suggest). So for me I found only 1 working solution: allow ALL in hosts.allow EXCEPT the specific host, and deny ALL in hosts.deny:

# hosts.allow
sshd : ALL EXCEPT 11.22.33.44

# hosts.deny
sshd : ALL : DENY

I know it's kind of weird, but it works.

Solution like

sshd: 192.168.122.1 : DENY
sshd: ALL : ALLOW

is NOT working for me.
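The decision logic that both answers rely on (hosts.allow first, then hosts.deny, otherwise grant; EXCEPT narrowing a list without denying anything; the allow/deny options overriding the file a rule lives in) can be traced on the exact rule sets quoted in the question, in the first answer and in the second answer. The following is an added example written for this thread; it is a model of the semantics described in hosts_access(5) and hosts_options(5), not tcp_wrappers' own code, and it assumes a build with option processing, so that a third field such as `DENY` is read as an option rather than as a shell command. Only ALL, exact IPv4 addresses, dotted prefixes and net/mask patterns are implemented; hostnames, LOCAL and KNOWN are left out.

```python
"""Model of the tcp_wrappers hosts_access(5) decision (added example, not
tcp_wrappers' own code). Behaviour reproduced:
  1. /etc/hosts.allow is searched first; the first matching rule grants.
  2. Otherwise /etc/hosts.deny is searched; the first matching rule denies.
  3. Otherwise access is GRANTED: there is no implicit default deny.
  4. With option processing (hosts_options(5)), an 'allow' or 'deny'
     option on a rule overrides the file it lives in.
  5. 'list_1 EXCEPT list_2' matches anything matching list_1 unless it
     matches list_2; a further EXCEPT applies to list_2 in turn.
Client patterns here: ALL, exact IPv4 address, dotted prefix, net/mask.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "line daemons clients options")


def client_match(token, client):
    """Match one client-list token against a client IPv4 address string."""
    if token.upper() == "ALL":
        return True
    if token.endswith("."):                       # dotted prefix: 192.168.122.
        return client.startswith(token)
    if "/" in token:                              # net/mask or net/prefixlen
        try:
            return ipaddress.IPv4Address(client) in ipaddress.IPv4Network(token, strict=False)
        except ValueError:
            return False
    return token == client


def daemon_match(token, daemon):
    """Match one daemon-list token (ALL or a daemon name)."""
    return token.upper() == "ALL" or token == daemon


def list_match(tokens, value, match_fn):
    """A matching token before the first EXCEPT stands, unless the list after
    that EXCEPT (evaluated recursively, so EXCEPT nests) matches as well."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":               # head part exhausted: no match
            return False
        if match_fn(tok, value):
            tail = [t.upper() for t in tokens[i + 1:]]
            if "EXCEPT" not in tail:
                return True
            j = i + 1 + tail.index("EXCEPT")
            return not list_match(tokens[j + 1:], value, match_fn)
    return False


def parse_rules(text):
    """Parse hosts.allow / hosts.deny text: 'daemon_list : client_list [: option ...]'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"missing ':' separator in rule: {raw!r}")
        rules.append(Rule(line, fields[0].split(), fields[1].split(),
                          [f.lower() for f in fields[2:]]))
    return rules


def table_match(rules, daemon, client):
    """First rule whose daemon list and client list both match, or None."""
    for rule in rules:
        if (list_match(rule.daemons, daemon, daemon_match)
                and list_match(rule.clients, client, client_match)):
            return rule
    return None


def hosts_access(allow_text, deny_text, daemon, client):
    """Return (granted, reason) for one (daemon, client) request."""
    for name, text, verdict in (("hosts.allow", allow_text, True),
                                ("hosts.deny", deny_text, False)):
        rule = table_match(parse_rules(text), daemon, client)
        if rule is None:
            continue
        for opt in rule.options:                  # first allow/deny option wins
            if opt == "allow":
                return True, f"{name}: '{rule.line}' (allow option)"
            if opt == "deny":
                return False, f"{name}: '{rule.line}' (deny option)"
        return verdict, f"{name}: matched '{rule.line}'"
    return True, "no rule matched in either file: access granted by default"


if __name__ == "__main__":
    # Rule sets quoted in the question and the two answers (constructed input).
    q_allow = "sshd : ALL EXCEPT 192.168.122.1"
    a1_allow = "sshd: 192.168.122.1 : DENY\nsshd: ALL : ALLOW"
    a2_allow, a2_deny = "sshd : ALL EXCEPT 11.22.33.44", "sshd : ALL : DENY"
    for label, allow, deny, client in (
            ("question, allow only", q_allow, "", "192.168.122.1"),
            ("question, plus deny", q_allow, "sshd : 192.168.122.1", "192.168.122.1"),
            ("answer 1, listed host", a1_allow, "", "192.168.122.1"),
            ("answer 1, other host", a1_allow, "", "192.168.122.9"),
            ("answer 2, listed host", a2_allow, a2_deny, "11.22.33.44"),
            ("answer 2, other host", a2_allow, a2_deny, "10.0.0.5")):
        granted, reason = hosts_access(allow, deny, "sshd", client)
        print(f"{label:22} {client:15} -> {'ALLOW' if granted else 'DENY':5} {reason}")
```

Run as a script, the first scenario reproduces the question's observation: `ALL EXCEPT 192.168.122.1` in hosts.allow does not match 192.168.122.1, hosts.deny is empty, and the connection is granted by the default. The second scenario shows the added hosts.deny rule closing it. The remaining four trace the two answers' configurations; they reach the same verdicts for the listed host, and both leave every other host allowed. On a tcp_wrappers build without option processing the third field of a rule is a shell command rather than an option, which the model deliberately does not reproduce.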