
How to block / deny all SSH connections to a FatDog client?

Posted: Thu Sep 22, 2022 11:13 pm
by Neo_78

Is the DenyHosts library supported in FatDog?

https://en.m.wikipedia.org/wiki/DenyHosts

For instance:

Code:

/etc/hosts.deny
ALL:ALL

Code:

/etc/hosts.allow
sshd: ALL : DENY

Would there be any technical reason that DenyHosts or an alternative library like Fail2Ban would have to be used exclusively on a server rather than a desktop client (i.e. not a web application)?

https://en.m.wikipedia.org/wiki/Fail2ban

Or what would be the right approach to protect a system against unwanted SSH connections?


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Fri Sep 23, 2022 12:22 pm
by Trapster

Do you want to block ALL ssh connections or just "unwanted" ssh connections?
I use fail2ban on my puppy media/web server and it seems to do well.

You would not need it on a desktop client if you're not running an ssh server.


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Fri Sep 23, 2022 8:23 pm
by step
Neo_78 wrote: Thu Sep 22, 2022 11:13 pm

Is the DenyHosts library supported in FatDog?

https://en.m.wikipedia.org/wiki/DenyHosts

There is no DenyHosts in the package repo.

For instance:

Code:

/etc/hosts.deny
ALL:ALL

Code:

/etc/hosts.allow
sshd: ALL : DENY

These look like specialized hosts configuration files, for which support is built into Fatdog. Man page https://www.mankier.com/5/hosts_access

Would there be any technical reason that DenyHosts or an alternative library like Fail2Ban would have to be used exclusively on a server rather than a desktop client (i.e. not a web application)?

https://en.m.wikipedia.org/wiki/Fail2ban

I don't understand your question. Anyway, the general picture is, you start the ssh server software on the system that some other PC (the client) needs to access. Then the client PC runs the ssh client software to access said ssh server.
Access requires a password, as a minimum. You can also set up encrypted certificates in lieu of passwords.
To start the ssh server use the Services control panel applet. To start the ssh client software run ssh in a terminal.
If you want to limit access to the ssh server to only some ssh clients you could use the built-in eztables firewall https://distro.ibiblio.org/fatdog/web/f ... ewall.html. The hosts.deny file you brought up is also an option, if you want to experiment.


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Fri Sep 23, 2022 10:15 pm
by Neo_78

@Trapster the idea is to block / prevent ALL incoming and outgoing ssh connections for this system.

@step is there a way to completely disable the ssh service / daemon at boot time so that it cannot even be started later?

What's the correct rule to block all ssh connections for any network interfaces in eztables? Something like:

Code:

deny_in any any any 22/tcp
deny_out any any any 22/tcp

?

I sometimes think it would be easier to directly learn iptables... :lol:


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Sat Sep 24, 2022 11:08 am
by Keef

Open the control panel > System > Manage Servers and Services. You can disable it there (if it is even running - not sure if it is on by default).


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Sun Sep 25, 2022 4:06 pm
by Neo_78

Thanks @Keef. Not sure what the ssh module is called exactly, but is it possible to disable it / prohibit loading completely with /etc/modprobe.d/blacklist-ssh.conf, for instance blacklist sshd?


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Sat Oct 01, 2022 3:09 pm
by chiron

You could find out which binary is executed when the daemon starts, and make it non-executable. No way sshd could be started accidentally then.


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Sun Oct 02, 2022 9:25 pm
by Neo_78

You mean chmod 000 filename or chmod -x filename (without changing other permissions) @chiron?

Does FatDog support chattr?


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Fri Oct 07, 2022 5:10 pm
by chiron

Yes, exactly what I meant. When typing chattr --help in terminal, it gives a short usage summary, so FD should support using it.


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Fri Oct 07, 2022 9:24 pm
by Neo_78

Thanks @chiron. What would be the best way to detect the executed binary? Something like ps aux | grep sshd?


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Sat Oct 08, 2022 9:28 am
by JakeSFR

What would be the best way to detect the executed binary? Something like ps aux | grep sshd?

Even simpler: pidof sshd

Greetings!


Re: How to block / deny all SSH connections to a FatDog client?

Posted: Sun Oct 09, 2022 3:49 pm
by jamesbond

iptables -I INPUT -p tcp --dport 22 -j DROP
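
Added example, not written by any poster in this thread: a small audit script to confirm the measures discussed above are actually in effect (no sshd running, nothing listening on port 22, and a port 22 verdict for both directions, since the rule posted above covers the INPUT chain only). The function names and SAMPLE_RULES are hypothetical, and the sample `iptables -S` text is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: audit whether SSH is really shut off.

# Print local addresses of sockets listening on port $1. Reads /proc/net/tcp
# (or tcp6) text on stdin: the port is the hex after the last ':' of field 2
# and state 0A in field 4 means LISTEN.
listeners_on_port() {
    awk -v want="$(printf '%04X' "$1")" 'NR > 1 && $4 == "0A" {
        n = split($2, part, ":")
        if (toupper(part[n]) == want) print $2
    }'
}

# Print the target of the first rule in chain $1 that names tcp destination
# port 22. Reads `iptables -S` text on stdin. Limitation: broader rules that
# do not name the port are not evaluated.
first_ssh_verdict() {
    awk -v chain="$1" '$1 == "-A" && $2 == chain && / -p tcp / && / --dport 22 / {
        for (i = 3; i < NF; i++) if ($i == "-j") { print $(i + 1); exit }
    }'
}

# Report the verdict for both directions; $1 is `iptables -S` text.
report_chains() {
    for chain in INPUT OUTPUT; do
        verdict=$(printf '%s\n' "$1" | first_ssh_verdict "$chain")
        echo "$chain port 22: ${verdict:-no explicit rule}"
    done
}

# Live audit (run as root): sshd binaries, port 22 listeners, firewall rules.
audit_live() {
    for pid in $(pidof sshd 2>/dev/null); do
        echo "sshd pid $pid runs $(readlink "/proc/$pid/exe")"
    done
    for table in /proc/net/tcp /proc/net/tcp6; do
        if [ -r "$table" ]; then listeners_on_port 22 < "$table" | sed 's/^/listening on /'; fi
    done
    report_chains "$(iptables -S 2>/dev/null)"
}

# Constructed sample: `iptables -S` output once the thread's rule is loaded.
SAMPLE_RULES='-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

if [ "${1:-}" = "--live" ]; then audit_live; else report_chains "$SAMPLE_RULES"; fi
```

Run without arguments it reports on the constructed sample; with `--live` as root it inspects the running system.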