I modify my /etc/hosts.allow file as:
sshd : 192.168.0.0/255.255.255.0 : allow
sshd : xxx.xxx.xxx.* : allow
sshd : ALL : deny
(where the xxx represent my actual IP address numbers and the wildcard * represents the full range 0-255) then restart sshd and Apache web server. I watch over the following week as IP addresses from foreign countries continue to appear in /etc/csf/csf.deny.
116.31.116.15 # lfd: (sshd) Failed SSH login from 116.31.116.15 (CN/China/-): 5 in the last 300 secs ...
Is my expectation correct that denied IP addresses in the hosts.allow file should not even be presented with a login screen to attempt to log in, and thus the entries in the csf.deny log prove my hosts.allow file isn't doing what I want?
Or, am I being misled by the generic error message (5 in the last 300 secs) because in reality those IP addresses have not actually attempted to enter a user and password 5 times?
My goal is to prevent non-approved IP addresses from being able to even enter a username and password. How can I tell that I'm achieving this or not?
What should I expect the csf.deny file to show when their IP is in fact denied?
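One way to tell the two cases apart from the sshd log itself, as an added example that is not part of the original post: a connection rejected by TCP wrappers is logged as "refused connect from", while one that reached the password prompt is logged as "Failed password". It assumes sshd is linked against libwrap; the log lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify sshd log lines per source IP.
# Assumption: sshd is built with TCP wrappers (libwrap), whose denials are
# logged as "refused connect from HOST (IP)".

# Constructed sample log lines (not taken from the original post).
sample_log() {
cat <<'EOF'
Mar  1 10:00:01 host sshd[2001]: refused connect from 116.31.116.15 (116.31.116.15)
Mar  1 10:00:05 host sshd[2002]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  1 10:00:09 host sshd[2003]: Failed password for invalid user admin from 198.51.100.7 port 40030 ssh2
Mar  1 10:00:12 host sshd[2004]: refused connect from 116.31.116.15 (116.31.116.15)
Mar  1 10:00:20 host sshd[2005]: Accepted password for alice from 192.168.0.10 port 51000 ssh2
EOF
}

# Reads sshd log lines on stdin, prints one "IP refused=N failed=M" line per IP.
classify_ssh_log() {
  awk '
    / sshd\[[0-9]+\]: refused connect from / {
      ip = $NF; gsub(/[()]/, "", ip); refused[ip]++; seen[ip] = 1; next
    }
    / sshd\[[0-9]+\]: Failed password for / {
      # Take the field after the last "from" so odd usernames cannot confuse it.
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      failed[ip]++; seen[ip] = 1
    }
    END {
      for (ip in seen) printf "%s refused=%d failed=%d\n", ip, refused[ip], failed[ip]
    }' | sort
}

# Succeeds only if the IP was refused by the wrapper and never reached password auth.
blocked_before_auth() {
  classify_ssh_log | awk -v ip="$1" '
    $1 == ip && $2 != "refused=0" && $3 == "failed=0" { ok = 1 }
    END { exit !ok }'
}

sample_log | classify_ssh_log
```

If sshd is not linked against libwrap (check with `ldd "$(command -v sshd)" | grep libwrap`), /etc/hosts.allow is never consulted for SSH connections. Upstream OpenSSH removed TCP wrappers support in release 6.7, though some distributions patch it back in.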