openSUSE 13.2, sshd bypass hosts.allow file

Dear all, my sshd bypasses the IP address checks in /etc/hosts.allow, which means it will accept any IP address that SSHes in.

My server:
NAME=openSUSE
VERSION="13.2 (Harlequin)"
VERSION_ID="13.2"
PRETTY_NAME="openSUSE 13.2 (Harlequin) (x86_64)"
ID=opensuse
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:opensuse:13.2"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://opensuse.org/"
ID_LIKE="suse"

My /etc/hosts.allow file:
sshd : 103.10.10.11 : ALLOW
sshd : ALL : DENY

My /etc/hosts.deny file:
ALL: ALL: DENY

Does anybody else have this kind of issue? My previous version, openSUSE 11.x, doesn't have this problem.

Thanks,

hosts.allow has been deprecated and is no longer used.

You should use your firewall to block incoming ssh connections, you can use the SUSE Firewall to create a custom rule to allow only certain IP ranges / IP addresses to connect and drop the rest.

Thanks Miuku for your clarification.

Does anyone have a guide for the procedure in SUSE Firewall to create a custom rule to allow only certain IP ranges / IP addresses to connect and drop the rest? Or any blog instructions?

Do you use the ncurses (text) interface or the graphical one?

It’s a very simple procedure but you must be careful not to lock yourself out if the server is in a remote location and you have no physical access or a virtual cloud access to it.

In essence as root or with sudo run;
yast firewall
Navigate to Custom Rules
Choose Firewall External Zone
Add
Source Network; IP ranges you wish to allow access to the service, such as; 192.168.1.0/24
Protocol; TCP or UDP, in the case of SSH tcp
Destination Port: 22

The rest you can leave untouched. Then navigate to Add, repeat the thing for any IP ranges or services you wish to expose.

Then make sure Firewall Configuration: Start-Up is set to “Enable Firewall Automatic Starting” and double check that the services and ranges are correct, then “Save Settings and Restart Firewall Now”.

Remember that if you offer other services on the box, you should open the firewall ports for those as well. The Firewall comes with a handy “Allowed Services” for services that you wish to expose to everyone, maybe http or smtp etc. depending on your needs.

On 2015-07-20 12:16, iguana wrote:
>
> Does anyone have a guide for the procedure in SUSE Firewall to create
> a custom rule to allow only certain IP ranges / IP addresses to connect
> and drop the rest? Or any blog instructions?

With “FW_SERVICES_ACCEPT_EXT”. The comments in the firewall
configuration file explain how to use it. You write there the IPs or
ranges to accept, any other is rejected.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))
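
The FW_SERVICES_ACCEPT_EXT approach described above, as an added example that is not part of the original thread: a shell check for whether a SuSEfirewall2-style config limits tcp/22 to the listed sources or still leaves it open to everyone, for instance because sshd is also listed under the allowed services. The variable formats follow the comments in /etc/sysconfig/SuSEfirewall2; the function name ssh_exposure and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report how tcp/22 is exposed by a
# SuSEfirewall2-style sysconfig file. The file is shell syntax, so it is
# sourced in a subshell; only audit files you trust, e.g. your own config.
ssh_exposure() (
    FW_SERVICES_EXT_TCP='' FW_CONFIGURATIONS_EXT='' FW_SERVICES_ACCEPT_EXT=''
    . "$1" || exit 2
    # "Allowed Services" entries open the port to every external address.
    for p in $FW_SERVICES_EXT_TCP; do
        case $p in 22|ssh) echo "open-to-all"; exit 0 ;; esac
    done
    for s in $FW_CONFIGURATIONS_EXT; do
        case $s in sshd) echo "open-to-all"; exit 0 ;; esac
    done
    nets=''
    for rule in $FW_SERVICES_ACCEPT_EXT; do
        # Rule format: net,protocol[,dport[,sport[,flags]]]
        IFS=, read -r net proto dport _rest <<EOF
$rule
EOF
        [ "$proto" = tcp ] || continue
        # An empty dport means every tcp port, which includes 22.
        case $dport in ''|22|ssh) ;; *) continue ;; esac
        case $net in 0/0|0.0.0.0/0) echo "open-to-all"; exit 0 ;; esac
        nets="${nets:+$nets }$net"
    done
    if [ -n "$nets" ]; then echo "restricted: $nets"; else echo "closed"; fi
)

# Constructed sample configs using the addresses mentioned in the thread.
# "leaky" adds the custom rule but forgets to remove sshd from the
# allowed services, so the restriction has no effect.
tmp=$(mktemp -d)
cat > "$tmp/leaky" <<'EOF'
FW_CONFIGURATIONS_EXT="sshd"
FW_SERVICES_ACCEPT_EXT="103.10.10.11,tcp,22"
EOF
cat > "$tmp/fixed" <<'EOF'
FW_CONFIGURATIONS_EXT=""
FW_SERVICES_ACCEPT_EXT="103.10.10.11,tcp,22 192.168.1.0/24,tcp,22"
EOF
ssh_exposure "$tmp/leaky"   # open-to-all
ssh_exposure "$tmp/fixed"   # restricted: 103.10.10.11 192.168.1.0/24
```

Run it against a copy of the real config before restarting the firewall on a remote machine, so you can confirm your own address is in the restricted list.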