[FreeBSD] Notes on configuring DenyHosts in hosts.allow

DenyHosts is an open-source tool written in Python and shell script that runs on Linux or FreeBSD (it reads /var/log/secure on Red Hat, /var/log/auth.log on Mandrake, FreeBSD, etc.) and is used to block attacks against an SSH server. I wrote a FreeBSD installation and configuration guide earlier, but missed one point: when you edit /etc/hosts.allow, the ALL : ALL : allow line must go at the very end. The principle is the same as with iptables: rules are compared starting from the first one, and as soon as a rule matches, the rules below it are no longer checked. From the English documentation:

Start by allowing everything (this prevents the rest of the file from working, so remove it when you need protection). The rules here work on a "First match wins" basis. Since /etc/hosts.deny has been deprecated on FreeBSD, both the allow and the deny rules must be written in the hosts.allow file for the configuration to be correct:

#
# DenyHosts file: /etc/hosts.deniedssh
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
# moved to the bottom by appleboy 2010.03.11
ALL : ALL : allow
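To make the "first match wins" point concrete, here is an added example (not part of the original post and not DenyHosts' own code) that simulates how tcp_wrappers walks a hosts.allow file. It models only the subset of hosts_access(5)/hosts_options(5) syntax used above: `daemon_list : client_list : allow|deny`, the `ALL` wildcard, exact client addresses, trailing-dot network prefixes such as `198.51.100.`, and a client list that is a file of patterns like `/etc/hosts.deniedssh`. The denied-hosts file is not read from disk; its contents are a constructed string using documentation address ranges, and the "no rule matched, so access is granted" default is an assumption that holds when hosts.deny is not in play. The `shadowed_rules` check flags every rule that can never fire because an `ALL : ALL : allow` line sits above it, which is exactly the mistake the post describes.

```python
"""Simulate first-match evaluation of /etc/hosts.allow rules (added example)."""
from typing import Dict, List, Optional, Tuple

# A parsed rule: (daemon patterns, client patterns, "allow" or "deny")
Rule = Tuple[List[str], List[str], str]

# Constructed stand-in for /etc/hosts.deniedssh (documentation addresses only).
DENIED_SSH = "192.0.2.10\n198.51.100.   # whole /24 as a trailing-dot prefix\n"
FILES: Dict[str, str] = {"/etc/hosts.deniedssh": DENIED_SSH}

# The ordering the post recommends: deny first, catch-all allow last.
CORRECT_HOSTS_ALLOW = """
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow
ALL : ALL : allow
"""

# The mistake the post warns about: catch-all allow first, so nothing below fires.
WRONG_HOSTS_ALLOW = """
ALL : ALL : allow
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemons : clients : allow|deny' lines, ignoring blanks and comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[2] not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {raw!r}")
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients, parts[2]))
    return rules


def client_matches(pattern: str, client: str, files: Dict[str, str]) -> bool:
    """Match one client pattern: ALL, a pattern file, a trailing-dot prefix, or exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):
        # A pattern beginning with '/' names a file; each token in it is a pattern.
        tokens = [
            tok
            for line in files.get(pattern, "").splitlines()
            for tok in line.split("#", 1)[0].split()
        ]
        return any(client_matches(tok, client, files) for tok in tokens)
    if pattern.endswith("."):
        return client.startswith(pattern)
    return pattern == client


def hosts_access(
    rules: List[Rule], daemon: str, client: str, files: Dict[str, str]
) -> Tuple[str, Optional[int]]:
    """Return (decision, 1-based index of the rule that fired). First match wins.

    Assumption: with no matching rule and no hosts.deny, access is granted.
    """
    for idx, (daemons, clients, action) in enumerate(rules, 1):
        daemon_ok = any(d == "ALL" or d == daemon for d in daemons)
        client_ok = any(client_matches(p, client, files) for p in clients)
        if daemon_ok and client_ok:
            return action, idx
    return "allow", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule is ALL : ALL."""
    for idx, (daemons, clients, _) in enumerate(rules, 1):
        if "ALL" in daemons and "ALL" in clients:
            return list(range(idx + 1, len(rules) + 1))
    return []


if __name__ == "__main__":
    for label, text in (("correct", CORRECT_HOSTS_ALLOW), ("wrong", WRONG_HOSTS_ALLOW)):
        rules = parse_rules(text)
        print(f"[{label}] sshd from 192.0.2.10 ->", hosts_access(rules, "sshd", "192.0.2.10", FILES))
        print(f"[{label}] sshd from 203.0.113.5 ->", hosts_access(rules, "sshd", "203.0.113.5", FILES))
        print(f"[{label}] shadowed rules:", shadowed_rules(rules))
```

Run against the "correct" ordering, a listed client hits the deny rule first and everything else falls through to the allows; with `ALL : ALL : allow` at the top, the same listed client is allowed by rule 1 and the deny rule is reported as shadowed, which is why the line has to be moved to the bottom.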
