Ssh – /etc/hosts.deny doesn't take effect every time


First of all, my sshd has libwrap.so linked in; here is the check result:

    root@FS9000:~# ldd sshd | grep libwrap
    libwrap.so.0 => /usr/lib/libwrap.so.0 (0x000000555e3fa000)

  1. When I configured /etc/hosts.deny like this (there's no /etc/hosts.allow):

    sshd: ALL
    

    Then any IP was blocked when it tried to access the server; it obviously took effect.

  2. When I configured /etc/hosts.deny like this:

    sshd: 192.168.1.30
    

    I tried to access the server from 192.168.1.30, and the login succeeded without any block!

It seems that it cannot block the specified IP, which is very strange.
What could the problem be?

PS: I tried it on an embedded system using busybox (v1.22.1); sshd is from openssh-6.3p1.


  3. All the tests were done on the local network; here are the details of the sshd connection. 192.168.1.30 is a Linux client, 192.168.1.212 is the embedded system.

    root@FS9000:~# cat /etc/hosts.deny
    ALL: 192.168.1.30

    root@FS9000:~# env | grep SSH
    SSH_CLIENT=192.168.1.30 36425 22
    SSH_TTY=/dev/pts/0
    SSH_CONNECTION=192.168.1.30 36425 192.168.1.212 22

    root@FS9000:~# netstat -antp
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1726/portmap
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1770/vsftpd
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2359/sshd
    tcp 0 0 192.168.1.212:22 192.168.1.30:36425 ESTABLISHED 3256/0
    tcp 0 0 :::22 :::* LISTEN 2359/sshd
    tcp 0 0 :::23 :::* LISTEN 2148/telnetd

  4. When I configured /etc/hosts.deny like this:

    root@FS9000:~# cat /etc/hosts.deny
    ALL:  ALL :\
           spawn (/bin/echo "%d connection to %N from %n[%a] denied" > /dev/pts/1)

    pts/1 is a telnetd connection; telnetd doesn't support libwrap, so telnetd connections won't be blocked. Then I tried to access 1.212 from 1.30; it printed this (and of course it was blocked successfully):

    sshd connection to unknown from unknown[0.0.0.0] denied

    When I configured /etc/hosts.deny like this:

    sshd: 192.168.0.0/24 127.0.0.1  [ffe0::]/10 [::1]

    It still cannot block any IP in 192.168.0.0/24; 192.168.1.30 can still access it.
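The following is an added illustration, not part of the question and not tcp_wrappers' own code: a small Python model of how libwrap evaluates hosts.allow and hosts.deny (first match in hosts.allow grants, then first match in hosts.deny denies, otherwise access is granted), fed the deny files from the question as constructed input. The model represents the client address as `None` when libwrap could not determine it, which is the state the spawn output above reports as `unknown[0.0.0.0]`; in that state only the `ALL` and `UNKNOWN` wildcards match, so `sshd: ALL` blocks while `sshd: 192.168.1.30` does not. It also shows that `192.168.0.0/24` does not contain `192.168.1.30` at all, so the last rule in the question would not match that client even with a correctly determined address. The IPv4-mapped handling (`::ffff:a.b.c.d` from a dual-stack socket) and hostname-free matching are simplifications assumed by this model.

```python
"""Simplified model of tcp_wrappers (libwrap) hosts.allow / hosts.deny
matching.  Added illustration, not tcp_wrappers' own code: it follows the
documented evaluation order and the address pattern forms used in the
question, and models the client address as None when libwrap cannot
determine it (the case the spawn output reports as unknown[0.0.0.0])."""
import ipaddress


def split_fields(line):
    """Split 'daemons : clients : options' on ':' outside [...] so that
    bracketed IPv6 patterns such as [::1] survive intact."""
    fields, cur, depth = [], [], 0
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...].  Backslash
    continuations are joined; '#' comments and the option field (spawn,
    twist, ...) are dropped because they do not influence matching."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        fields = split_fields(logical)
        if logical.strip() and len(fields) >= 2:
            rules.append((fields[0].split(), fields[1].split()))
        logical = ""
    return rules


def host_match(pattern, client_addr):
    """client_addr is the peer address as a string, or None when unknown.
    Hostname patterns are not modelled; only address forms are handled."""
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":
        return client_addr is None
    if pattern == "KNOWN":
        return client_addr is not None
    if client_addr is None:
        return False          # an unknown peer matches only the wildcards
    addr = ipaddress.ip_address(client_addr)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped   # ::ffff:a.b.c.d seen on a dual-stack socket
    if pattern.startswith("["):   # [v6addr] or [v6net]/prefix
        close = pattern.index("]")
        pattern = pattern[1:close] + pattern[close + 1:]
    try:
        if "/" in pattern:
            return addr in ipaddress.ip_network(pattern, strict=False)
        if pattern.endswith("."):  # leading-octets form, e.g. 192.168.1.
            return str(addr).startswith(pattern)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False


def daemon_match(daemon, patterns):
    return any(p == "ALL" or p == daemon for p in patterns)


def rule_matches(daemon, client_addr, rules):
    return any(daemon_match(daemon, d) and any(host_match(p, client_addr) for p in c)
               for d, c in rules)


def hosts_access(daemon, client_addr, allow_text="", deny_text=""):
    """tcp_wrappers order: a hosts.allow match grants, otherwise a
    hosts.deny match denies, otherwise access is granted."""
    if rule_matches(daemon, client_addr, parse_rules(allow_text)):
        return True
    if rule_matches(daemon, client_addr, parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    # Constructed walk-through of the deny files from the question.
    deny_files = [
        "sshd: ALL",
        "sshd: 192.168.1.30",
        "sshd: 192.168.0.0/24 127.0.0.1  [ffe0::]/10 [::1]",
    ]
    for deny in deny_files:
        for client in ("192.168.1.30", "192.168.0.5", None):
            verdict = "allow" if hosts_access("sshd", client, deny_text=deny) else "deny"
            print(f"{deny!r:55} client={str(client):13} -> {verdict}")
```

Running the block prints one verdict per (deny file, client) pair; the `None` column is the unknown-address case, and the only deny file that blocks it is the one using `ALL`.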

Best Answer

Perhaps you're not connecting to the sshd using the IP address 192.168.1.30.

You can make (some) ssh programs use a specific interface using -b:

    -b bind_address Use bind_address on the local machine as the source address of the connection. Only useful on systems with more than one address.

So try:

    ssh -b 192.168.1.30 user@remote.tld