binro l33t
Joined: 06 May 2005 Posts: 724 Location: Bangkok, Thailand
Posted: Mon Mar 24, 2008 1:01 pm Post subject: /etc/hosts.deny ignored?!
I have recently been tuning DenyHosts to better block dictionary attacks against sshd and proftpd. My rules are now good but the attacks continue (this in itself is not a worry since I only allow logon via RSA public keys). The attacking IP address is added to /etc/hosts.deny but seems to be ignored.
I have checked that: xinetd is running and was compiled with the tcpd flag; there are no bad rules in hosts.allow.
Any ideas welcome, I am a bit stumped.
_________________
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
alex.blackbit Advocate
Joined: 26 Jul 2005 Posts: 2397
Posted: Mon Mar 24, 2008 5:09 pm
I don't understand why you need xinetd. Neither sshd nor proftpd needs it, right?
binro l33t
Joined: 06 May 2005 Posts: 724 Location: Bangkok, Thailand
Posted: Mon Mar 24, 2008 6:32 pm
alex.blackbit wrote:
I don't understand why you need xinetd. Neither sshd nor proftpd needs it, right?

Not exactly, proftpd can be configured to use xinetd and I also use it for qpopper. What's more, I remember locking myself out on my last overseas trip, so this used to work.
jcat Veteran
Joined: 26 May 2006 Posts: 1337
Posted: Mon Mar 24, 2008 9:01 pm
Does your /etc/hosts.deny work at all?
Try some simple tests: back up your current allow and deny files and reconfigure them as needed for some simple tests.
If the files are definitely working OK, then you can only presume that it's your rules that aren't correct (in one file or the other, or both).
If you can't work it out, feel free to post the contents of both files.
Cheers,
jcat
binro l33t
Joined: 06 May 2005 Posts: 724 Location: Bangkok, Thailand
Posted: Tue Mar 25, 2008 11:35 am
Here is my hosts.allow with the local address range (192.168) not allowed by default.
Code:
ALL: LOCAL
sendmail: ALL
# ALL: 192.168.
popper: ALL
spamd: 127.0.0.1
ldapd: ALL
slapd: ALL
cupsd: ALL

Here is a segment of hosts.deny where I have deliberately got myself blacklisted:
Code:
# DenyHosts: Tue Mar 25 18:24:09 2008 | ALL: 192.168.1.57
ALL: 192.168.1.57

Yet I can still logon if I use a valid userid/password. I should not even get a connection.
jcat Veteran
Joined: 26 May 2006 Posts: 1337
Posted: Tue Mar 25, 2008 8:08 pm
First of all, your
Code:
spamd: 127.0.0.1

is irrelevant, because you have
Code:
ALL: LOCAL

already allowing anything from local to anything (using tcpd wrappers anyway).
How are you testing the rule? Logging in locally using ssh?
Have you tried
and
Cheers,
jcat
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Tue Mar 25, 2008 10:57 pm
Stupid question: You have compiled tcpwrappers support into xinetd, openssh and proftpd?
binro l33t
Joined: 06 May 2005 Posts: 724 Location: Bangkok, Thailand
Posted: Wed Mar 26, 2008 3:48 pm
jcat wrote:
How are you testing the rule? Logging in locally using ssh?
Have you tried
and

No, I ssh from 192.168.1.57 to 192.168.1.2, which is my main server. 192.168.1.57 should be blocked but isn't.
binro l33t
Joined: 06 May 2005 Posts: 724 Location: Bangkok, Thailand
Posted: Wed Mar 26, 2008 3:49 pm
Cyker wrote:
Stupid question: You have compiled tcpwrappers support into xinetd, openssh and proftpd?

Yes, tcpd is in the global use flags.
binro l33t
Joined: 06 May 2005 Posts: 724 Location: Bangkok, Thailand
Posted: Wed Mar 26, 2008 7:29 pm
More info: proftpd is reading hosts.deny, connections do get blocked. However, connects to sshd from the same address are permitted, unless I put at the top of hosts.deny. Then the connection is refused. Which makes me think that this is an SSH problem, so I installed the latest version from the test branch but there was no change. My sshd_config options are default, except for disallowing clear text passwords. All very strange.
jcat Veteran
Joined: 26 May 2006 Posts: 1337
Posted: Wed Mar 26, 2008 7:49 pm
Hi,
While it's strange that your hosts.deny rule ALL: 192.168.1.57 is not effective, it is best practice to deny everything with ALL: ALL and then specifically allow exceptions in hosts.allow.
What happens if you deny everything then add to hosts.allow, and then deny specific IP addresses?
Cheers,
jcat
binro l33t
Joined: 06 May 2005 Posts: 724 Location: Bangkok, Thailand
Posted: Wed Mar 26, 2008 10:06 pm
jcat wrote:
While it's strange that your hosts.deny rule ALL: 192.168.1.57 is not effective, it is best practice to deny everything with ALL: ALL and then specifically allow exceptions in hosts.allow.

I travel a lot and want to be able to ssh into my server from wherever I am.

jcat wrote:
What happens if you deny everything then add
Code:
sshd: ALL

to hosts.allow, and then deny specific IP addresses?

No change, the connection is still made.
jcat Veteran
Joined: 26 May 2006 Posts: 1337
Posted: Thu Mar 27, 2008 5:22 am
binro wrote:
jcat wrote:
While it's strange that your hosts.deny rule ALL: 192.168.1.57 is not effective, it is best practice to deny everything with ALL: ALL and then specifically allow exceptions in hosts.allow.

I travel a lot and want to be able to ssh into my server from wherever I am.

Which is why I then said to allow all to sshd.
I'm running out of ideas. Not sure if this will help, but I presume both files are world readable?
Incidentally, if you really can't find the problem here, you can always resort to using IPTables to block the traffic before it's even processed, or use some null routes or something instead.
Cheers,
jcat
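The "no change" result above is what hosts_access(5) predicts: hosts.allow is searched first, the first matching rule wins, and a pair that matches neither file is allowed. So once `sshd: ALL` is in hosts.allow, every hosts.deny line for sshd (including whatever DenyHosts appends) is unreachable, and `ALL: LOCAL` in the original hosts.allow grants access to any client whose resolved name contains no dot before hosts.deny is ever read. The script below is an added example, not code from the thread or from tcp_wrappers: a small Python model of that search order run over the hosts.allow and hosts.deny text posted earlier, plus jcat's proposed layout and an `EXCEPT` form that keeps sshd open to everyone except a listed address. The hostnames `laptop`, `laptop.example.net` and `host.example.org` are invented; whether 192.168.1.57 really reverse-resolves to a dotless name on the server is the thing to check, and `tcpdmatch sshd 192.168.1.57` on the server itself gives the real answer for the real files.

```python
"""Toy model of tcp_wrappers access control (hosts_access(5)).

Added for illustration; this is not code from the thread or from tcp_wrappers.
It implements the documented search order: hosts.allow is searched first,
then hosts.deny, the first match wins, and a connection that matches neither
file is allowed.  Only the pattern forms used in the thread are modelled.
"""

UNKNOWN = "unknown"  # name tcpd uses when the reverse lookup fails


def parse_rules(text):
    """Turn hosts.allow / hosts.deny text into (daemon_list, client_spec) pairs.

    Comment and blank lines are skipped; trailing option fields
    (e.g. ': DENY', ': spawn ...') are ignored in this model.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                       # malformed; real tcpd logs and ignores it
        daemons = fields[0].replace(",", " ").split()
        rules.append((daemons, fields[1]))
    return rules


def match_token(token, client):
    """Match one client pattern against (hostname, address)."""
    name, addr = client
    if token == "ALL":
        return True
    if token == "LOCAL":                   # any *known* name without a dot
        return name != UNKNOWN and "." not in name
    if token.startswith("."):              # domain suffix, e.g. .example.net
        return name.endswith(token)
    if token.endswith("."):                # address prefix, e.g. 192.168.
        return addr.startswith(token)
    return token == addr or token == name  # exact address or hostname


def match_clients(spec, client):
    """Client list with optional EXCEPT: 'a b EXCEPT c' matches if a or b
    matches and c does not."""
    words = spec.split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        return (match_clients(" ".join(words[:i]), client)
                and not match_clients(" ".join(words[i + 1:]), client))
    return any(match_token(w, client) for w in words)


def decide(allow_text, deny_text, daemon, client):
    """Return (verdict, matching_rule) for one (daemon, client) pair."""
    for fname, text, verdict in (("hosts.allow", allow_text, "allow"),
                                 ("hosts.deny", deny_text, "deny")):
        for daemons, clients in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and match_clients(clients, client):
                return verdict, f"{fname}: {' '.join(daemons)}: {clients}"
    return "allow", "no match in either file"


# --- constructed inputs: the files posted in the thread ----------------------
THREAD_ALLOW = """\
ALL: LOCAL
sendmail: ALL
# ALL: 192.168.
popper: ALL
spamd: 127.0.0.1
ldapd: ALL
slapd: ALL
cupsd: ALL
"""
THREAD_DENY = """\
# DenyHosts: Tue Mar 25 18:24:09 2008 | ALL: 192.168.1.57
ALL: 192.168.1.57
"""
# jcat's suggestion: deny everything, then 'sshd: ALL' in hosts.allow.
JCAT_ALLOW = "sshd: ALL\n"
JCAT_DENY = "ALL: ALL\nALL: 192.168.1.57\n"
# The same intent written so that the exception is actually reachable.
EXCEPT_ALLOW = "sshd: ALL EXCEPT 192.168.1.57\n"

# Hostnames are invented; what 192.168.1.57 resolves to on the server is an assumption.
DOTLESS = ("laptop", "192.168.1.57")            # e.g. a short name from /etc/hosts
DOTTED = ("laptop.example.net", "192.168.1.57")
ELSEWHERE = ("host.example.org", "203.0.113.9")

if __name__ == "__main__":
    for label, allow, deny, client in (
        ("thread files, dotless client name", THREAD_ALLOW, THREAD_DENY, DOTLESS),
        ("thread files, dotted client name", THREAD_ALLOW, THREAD_DENY, DOTTED),
        ("jcat's layout, blacklisted address", JCAT_ALLOW, JCAT_DENY, DOTTED),
        ("EXCEPT layout, blacklisted address", EXCEPT_ALLOW, "ALL: ALL\n", DOTTED),
        ("EXCEPT layout, other address", EXCEPT_ALLOW, "ALL: ALL\n", ELSEWHERE),
    ):
        print(f"{label:38s} sshd -> {decide(allow, deny, 'sshd', client)}")
```

The first two runs show the same address being allowed or denied depending only on whether its resolved name has a dot, which is why a hosts.deny entry can look ignored. The third shows that with `sshd: ALL` in hosts.allow the DenyHosts entries can never match; the last two show `sshd: ALL EXCEPT 192.168.1.57` together with `ALL: ALL` in hosts.deny doing what jcat intended.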
RiverRat n00b
Joined: 07 Oct 2004 Posts: 65 Location: Colorado
Posted: Wed May 21, 2008 1:26 am Post subject: Re: /etc/hosts.deny ignored?!
binro wrote:
I have recently been tuning DenyHosts to better block dictionary attacks against sshd and proftpd. My rules are now good but the attacks continue (this in itself is not a worry since I only allow logon via RSA public keys). The attacking IP address is added to /etc/hosts.deny but seems to be ignored.
I have checked that: xinetd is running and was compiled with the tcpd flag; there are no bad rules in hosts.allow.
Any ideas welcome, I am a bit stumped.

I'm having the same issue. I have a workaround at the moment but I'd like this resolved. I am not running xinetd nor any ftp server and I can confirm that I have the USE="tcpd" flag for openssh and tcp-wrappers installed. My /etc/hosts.deny file is also seemingly ignored but denyhosts is working, as the entries are appearing in /etc/hosts.deny. I have opened a bug report here:
https://bugs.gentoo.org/show_bug.cgi?id=222777
Any ideas would be greatly appreciated.
_________________
RiverRat
RiverRat n00b
Joined: 07 Oct 2004 Posts: 65 Location: Colorado
binro l33t
Joined: 06 May 2005 Posts: 724 Location: Bangkok, Thailand
Posted: Wed May 21, 2008 10:39 am
I do not have a ListenAddress in my ssh config. However, I somehow solved the problem by updating to the latest ssh in the test branch. Possibly the update fixed a config file somewhere.
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Wed May 21, 2008 12:48 pm
Just another note...
There is a directive in /etc/ssh/sshd_config called "AllowGroups". I have added a group, put the users I want to allow to ssh into the box in that group, then used that group with the preceding directive. This gives another layer of security to OpenSSH, especially with all of the current brute-force attacks going on. They can try and brute-force any account under the sun, but they've got to brute-force the right account to even start to get anywhere. You probably also want "PermitRootLogin no" in that same file. I simply don't understand why Gentoo defaults this to "yes". Every etc-update I have to go back and change it.
Another thought...
Are you connecting from random systems, or from your personal laptop? I have things set in multiple layers to only allow incoming ssh from my employer's IP range. But I also have OpenVPN, and allow incoming connections from anywhere, since it has certificate-based connections that aren't open to simple brute-force attack. When I want to ssh in while traveling, I open the OpenVPN tunnel, then ssh through that, not for double-encryption, but because I feel that OpenVPN is safer to expose to general connections.
_________________
.sigs waste space and bandwidth
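The "every etc-update I have to go back and change it" problem is easy to catch with a check that reads sshd_config the way sshd does. Per sshd_config(5), keywords are case-insensitive and, for each keyword, the first value encountered wins, so an etc-update that re-inserts `PermitRootLogin yes` above your own line silently wins. The script below is an added example, not code from the thread or from OpenSSH: it reports the effective global value of the settings discussed here (PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication, AllowGroups) over two constructed config texts. It reads only the global section (it stops at the first `Match` block) and treats `#` anywhere on a line as starting a comment, both simplifications; on a live system `sshd -T` prints the configuration sshd actually resolved and is the authoritative check.

```python
"""Audit the global section of an sshd_config for the settings discussed in
the thread.  Added example, not code from the thread or from OpenSSH.

Modelled on sshd_config(5): keywords are case-insensitive and, for each
keyword, the first value encountered wins, so a later 'PermitRootLogin no'
does not override an earlier 'PermitRootLogin yes'.  Everything after the
first 'Match' line is conditional and is not treated as global here.
"""

import re

# Settings to check and the value each should have.  AllowGroups has no
# single right value; it just needs to be present (depontius's suggestion).
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "allowgroups": None,
}


def effective_settings(text):
    """Return {lowercase keyword: first value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: '#' starts a comment anywhere
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                               # conditional section; stop the global view
        settings.setdefault(key, value)         # first occurrence wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    effective = effective_settings(text)
    findings = []
    for key, wanted in WANTED.items():
        if key not in effective:
            if wanted is None:
                findings.append(f"{key}: not set (no group restriction on who may log in)")
            else:
                findings.append(f"{key}: not set, upstream default applies; set it to '{wanted}' explicitly")
        elif wanted is not None and effective[key].lower() != wanted:
            findings.append(f"{key}: is '{effective[key]}', expected '{wanted}'")
    return findings


# Constructed sample: the shape of a stock file as described in the thread
# (PermitRootLogin yes) with binro's ChallengeResponseAuthentication line.
STOCK_CONFIG = """\
# sshd_config (constructed sample, not a real Gentoo file)
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication no
# PasswordAuthentication yes
"""

# Constructed sample: the hardened variant depontius describes.  The last
# line shows why order matters: a duplicate further down is ignored.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups sshusers
PermitRootLogin yes
"""

if __name__ == "__main__":
    for label, cfg in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['all checks passed']}")
```

Feed it the real file with `audit(open("/etc/ssh/sshd_config").read())` after an etc-update; a non-empty list is the reminder depontius is asking for.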
binro l33t
Joined: 06 May 2005 Posts: 724 Location: Bangkok, Thailand
Posted: Wed May 21, 2008 12:58 pm
I connect from many places (including my phone - my SE P1i runs PuTTY!) and I even allow root logins. However I have:
Code:
ChallengeResponseAuthentication no

in my sshd_config and carry my RSA keys around on a USB stick.
jcat Veteran
Joined: 26 May 2006 Posts: 1337
Posted: Thu May 22, 2008 6:26 am
Even if you use keys to auth, I would still feel uncomfortable allowing root login via ssh, just because it's good practice, and one day there will be a security hole discovered that will allow a hacker to take advantage of this set-up temporarily until it's fixed (you have to assume the worst!). Just my .02
Glad to hear your hosts.deny is now working.
Cheers,
jcat