Hey all!
I've tried to secure my sshd by running denyhosts (http://www.archlinux.org/packages/search/?q=denyhosts).
denyhosts works perfectly and adds a lot of addresses to /etc/hosts.deny.
But my system ignores /etc/hosts.deny: my sshd logs are still full of connections from the same IP.
Don't worry, I've tried it with my PC: same result.
I've added my IP by hand: same result.
Why is my /etc/hosts.deny ignored? What can I do?
Regards,
Moritz
It may be that you have "sshd:ALL" or what else in hosts.allow. As far as I know, hosts.allow takes precedence over hosts.deny.
no, my hosts.allow is empty...
Is your SSH server compiled with tcp-wrappers support?
Can you post a part of your logs?
i.e.
Sep 1 20:38:10 linux sshd[9343]: Invalid user brand from 219.254.35.183
Sep 1 20:38:13 linux sshd[9345]: Invalid user client from 219.254.35.183
Sep 1 20:38:16 linux sshd[9347]: Invalid user corp from 219.254.35.183
Sep 1 20:38:19 linux sshd[9349]: Invalid user content from 219.254.35.183
Sep 1 20:38:21 linux sshd[9351]: Invalid user contact from 219.254.35.183
Sep 1 20:38:24 linux sshd[9353]: Invalid user coach from 219.254.35.183
Sep 1 20:38:27 linux sshd[9355]: Invalid user career from 219.254.35.183
Sep 1 20:38:30 linux sshd[9357]: Invalid user chat from 219.254.35.183
Sep 1 20:38:33 linux sshd[9359]: Invalid user dibalo from 219.254.35.183
Sep 1 20:38:36 linux sshd[9361]: Invalid user download from 219.254.35.183
Sep 1 20:38:39 linux sshd[9363]: Invalid user complainst from 219.254.35.183
Sep 1 20:38:42 linux sshd[9365]: Invalid user sales from 219.254.35.183
Sep 1 20:38:45 linux sshd[9367]: Invalid user email from 219.254.35.183
Sep 1 20:38:48 linux sshd[9369]: Invalid user emails from 219.254.35.183
but
# grep 219.254.35.183 hosts.deny
# DenyHosts: Fri Jun 30 11:46:20 2006 | ALL: 219.254.35.183
ALL: 219.254.35.183
No ideas?
Could anybody test his /etc/hosts.deny for me please?
I have a similar thing happening -- both my hosts.allow and hosts.deny files appear to be completely ignored by everything (right now only Samba and SSHD). Is this a recent bug introduced by an upgrade or something? It used to work... (There's probably just some really obvious piece of config that I'm missing here.)
~Felix.
Follow-up:
tcp_wrappers is apparently broken now. A few Arch versions ago, the syntax for a deny-all line was:
#service : host : action
ALL : ALL : DENY
So you could put allow/deny entries in both files and there was really no point to having two of them...
Then it became:
#service : host (action was implicit from being in either allow or deny file)
ALL : ALL
And now, sshd follows the old syntax again; an ALL : ALL : DENY line works to block connections to SSHD, which then logs:
Sep 13 15:13:10 lira sshd[20436]: refused connect from 192.168.2.102
When it hits the rule.
However, Samba is still messed up (it ignores both syntaxes and allows connections from everywhere).
Looking forward to a fix for this (and maybe using a firewall instead),
~Felix.
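To make the two hosts.deny line formats Felix describes concrete, together with the hosts.allow-first lookup order mentioned earlier in the thread, here is a small evaluator that mimics how libwrap decides on a connection. It is an added illustration, not code from the thread, from DenyHosts or from tcp_wrappers, and it assumes a simplified client syntax (ALL, an exact address, a trailing-dot prefix such as 219.254., or a CIDR block); hostnames, EXCEPT lists and shell options are not modelled.

```python
"""Minimal model of tcp_wrappers hosts.allow / hosts.deny decisions (constructed example)."""
import ipaddress

def parse_rules(text, default_action):
    """Parse hosts.allow/hosts.deny text into (daemons, clients, action) rules.
    '#' starts a comment. The action is implied by which file the line came
    from, unless a third field spells out ALLOW or DENY (the older syntax)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        action = default_action
        if len(fields) > 2 and fields[2].upper() in ("ALLOW", "DENY"):
            action = fields[2].upper()
        clients = fields[1].split() if len(fields) > 1 else []
        rules.append((fields[0].split(), clients, action))
    return rules

def client_matches(token, addr):
    """ALL, exact address, trailing-dot prefix (219.254.) or CIDR (a.b.c.d/n)."""
    if token == "ALL":
        return True
    if token.endswith("."):
        return addr.startswith(token)
    if "/" in token:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    return token == addr

def decide(hosts_allow, hosts_deny, daemon, addr):
    """libwrap order: first match in hosts.allow, then hosts.deny, else ALLOW.
    A match in hosts.allow therefore hides any hosts.deny entry for the same host."""
    for rules in (parse_rules(hosts_allow, "ALLOW"), parse_rules(hosts_deny, "DENY")):
        for daemons, clients, action in rules:
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(client_matches(c, addr) for c in clients):
                return action
    return "ALLOW"

# Constructed files echoing the thread: the DenyHosts entry and a three-field line.
HOSTS_DENY = """# DenyHosts: Fri Jun 30 11:46:20 2006 | ALL: 219.254.35.183
ALL: 219.254.35.183
sshd : 10.0.0. : DENY
"""
HOSTS_ALLOW_EMPTY = ""
HOSTS_ALLOW_SSHD_ALL = "sshd: ALL\n"  # the hosts.allow entry suspected earlier in the thread

if __name__ == "__main__":
    print(decide(HOSTS_ALLOW_EMPTY, HOSTS_DENY, "sshd", "219.254.35.183"))     # DENY
    print(decide(HOSTS_ALLOW_SSHD_ALL, HOSTS_DENY, "sshd", "219.254.35.183"))  # ALLOW
```

The second call shows the failure mode raised early in the thread: a single "sshd: ALL" in hosts.allow silently overrides every DenyHosts entry for that daemon.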
bump...
Is tcp_wrappers still broken? This ass is hacking my server, and hosts.allow and hosts.deny aren't doing anything. I had to put him in my iptables.
Has he got access? If he has, consider your server compromised.
tcp_wrappers should be fine. And if it isn't, it might be nice to file a bug so that the developers know.
AFAIK, Samba doesn't even use tcp_wrappers -- though that's beside the point, you should have it firewalled off from the internet anyway.
James
Just a recommendation, use sshdfilter (http://www.csc.liv.ac.uk/~greg/sshdfilter/). It blocks attackers in IPTables instead of hosts.deny. It works quite well and is quite easy to set up. Never had a problem with it.