Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 28 Sep 2006 20:48:32 +0000
From:      Robin Becker <robin@reportlab.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: denyhosts problems
Message-ID:  <451C3520.7050500@jessikat.plus.net>
In-Reply-To: <20060928185621.GA43858@catflap.slightlystrange.org>
References:  <451BF6D3.7000901@chamonix.reportlab.co.uk> <20060928185621.GA43858@catflap.slightlystrange.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Daniel Bye wrote:
> On Thu, Sep 28, 2006 at 05:22:43PM +0100, Robin Becker wrote:
>> I'm trying to get denyhosts-2.5 to work in 6.0 and have inserted a line in 
>> hosts.allow
>>
>>
>> ALL: xxx.myoffice.com : allow
>> sshd: /etc/hosts.deniedssh : deny
>> ALL: ALL : allow
>>
>> but am finding that this causes my home ip to be denied even though I log 
>> in with a pre-shared key.
> 
> sshd will still avail itself of libwrap's functionality /before/ the
> client even has a chance to offer its key. Anyone who manages to get
> a copy of your key will need also to satisfy your /etc/hosts.allow
> rules before they can use it.
> 
>> The /etc/hosts.deniedssh file is being created, but my home ip is not 
>> present (it would be hard as I have a dynamically allocated one anyhow).
>>
>> The hosts.deniedssh file contains entries like
>>
.......
> 
> ALL : ALL : 61.219.xx.250 : deny : deny
> 
> which, clearly, is nonsense!

I am not writing this file, denyhosts is.
> 
> Make sure that denyhosts.cfg has a blank value for BLOCK_SERVICE and
> that it points HOSTS_DENY to the right file.  I guess that at least
> is correct, though.
My BAD I have the value ALL for BLOCK_SERVICE, I suppose that's the 
problem. I read further and it seems I do indeed need to set an empty 
value. Thanks.

> 
> DenyHosts will then correctly record only the IP address of blocked
> hosts, which will result in much saner rule expansions!
> 
>> I have the same setup in 6.1 and it seems to work. But I still see messages 
>> related to line 24 from that setup. Does denyhosts work properly?
> 
> I suspect it is not quite the same - check the BLOCK_SERVICE setting on
> that machine.

You're probably right.

> 
> Check out the DenyHosts FAQ - it's very useful.
> 
> http://denyhosts.sourceforge.net/faq.html
> 
> And the FreeBSD hosts_options(5) man page as well, which, as I said
> earlier, contains the full story on setting up your /etc/hosts.allow.

Thanks again.
-- 
Robin Becker



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?451C3520.7050500>