Date: Thu, 28 Sep 2006 19:56:21 +0100 From: Daniel Bye <freebsd-questions@slightlystrange.org> To: freebsd-questions@freebsd.org Subject: Re: denyhosts problems Message-ID: <20060928185621.GA43858@catflap.slightlystrange.org> In-Reply-To: <451BF6D3.7000901@chamonix.reportlab.co.uk> References: <451BF6D3.7000901@chamonix.reportlab.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
--r5Pyd7+fXNt84Ff3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Sep 28, 2006 at 05:22:43PM +0100, Robin Becker wrote: > I'm trying to get denyhosts-2.5 to work in 6.0 and have inserted a line i= n=20 > hosts.allow >=20 >=20 > ALL: xxx.myoffice.com : allow > sshd: /etc/hosts.deniedssh : deny > ALL: ALL : allow >=20 > but am finding that this causes my home ip to be denied even though I log= =20 > in with a pre-shared key. sshd will still avail itself of libwrap's functionality /before/ the client even has a chance to offer its key. Anyone who manages to get a copy of your key will need also to satisfy your /etc/hosts.allow rules before they can use it. > The /etc/hosts.deniedssh file is being created, but my home ip is not=20 > present (it would be hard as I have a dynamically allocated one anyhow). >=20 > The hosts.deniedssh file contains entries like >=20 > ....... > ALL: 61.219.xx.250 : deny > ALL: 209.8.xx.242 : deny > ....... This is wrong - when using an auxiliary file like this, that file should contain only the IP address of offending hosts. If you think about how hosts.allow rules are structured, this will make sense. > I am getting an error in the auth log related to the denial that looks li= ke=20 > this > /etc/hosts.allow, line 24: can't verify hostname:=20 > getaddrinfo(xxx-yyy-......, AF_INET) >=20 > where /etc/hosts.allow line24 corresponds to the >=20 > sshd: /etc/hosts.deniedssh : deny >=20 > line in hosts.allow. Indeed. It is precisely that rule that is uncovering the problems with your current configuration. Look at the structure of the rules. First, you have the service name, a colon, an address specification, another colon, and an action. (this is actually a bit of an over simplification, but you can get the full story if you look at hosts_access(5)) If the address specification actually contains the path to a file, the contents of that file are interpolated into the body of the rule. So, in your case, what libwrap constructs will look something like ALL : ALL : 61.219.xx.250 : deny : deny which, clearly, is nonsense! Make sure that denyhosts.cfg has a blank value for BLOCK_SERVICE and that it points HOSTS_DENY to the right file. I guess that at least is correct, though. DenyHosts will then correctly record only the IP address of blocked hosts, which will result in much saner rule expansions! > I have the same setup in 6.1 and it seems to work. But I still see messag= es=20 > related to line 24 from that setup. Does denyhosts work properly? I suspect it is not quite the same - check the BLOCK_SERVICE setting on that machine. Check out the DenyHosts FAQ - it's very useful. http://denyhosts.sourceforge.net/faq.html And the FreeBSD hosts_options(5) man page as well, which, as I said earlier, contains the full story on setting up your /etc/hosts.allow. HTH Dan --=20 Daniel Bye PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A _ ASCII ribbon campaign ( ) - against HTML, vCards and X - proprietary attachments in e-mail / \ --r5Pyd7+fXNt84Ff3 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFHBrVixf5fBYiFmoRAptEAJ4qRZ9CsQkLKnHA/PooudNL411B8gCfSWSb 7IjH46p/C/1vnUbeNLn8QYY= =5em0 -----END PGP SIGNATURE----- --r5Pyd7+fXNt84Ff3--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060928185621.GA43858>