Date: Thu, 28 Sep 2006 20:48:32 +0000 From: Robin Becker <robin@reportlab.com> To: freebsd-questions@freebsd.org Subject: Re: denyhosts problems Message-ID: <451C3520.7050500@jessikat.plus.net> In-Reply-To: <20060928185621.GA43858@catflap.slightlystrange.org> References: <451BF6D3.7000901@chamonix.reportlab.co.uk> <20060928185621.GA43858@catflap.slightlystrange.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Daniel Bye wrote: > On Thu, Sep 28, 2006 at 05:22:43PM +0100, Robin Becker wrote: >> I'm trying to get denyhosts-2.5 to work in 6.0 and have inserted a line in >> hosts.allow >> >> >> ALL: xxx.myoffice.com : allow >> sshd: /etc/hosts.deniedssh : deny >> ALL: ALL : allow >> >> but am finding that this causes my home ip to be denied even though I log >> in with a pre-shared key. > > sshd will still avail itself of libwrap's functionality /before/ the > client even has a chance to offer its key. Anyone who manages to get > a copy of your key will need also to satisfy your /etc/hosts.allow > rules before they can use it. > >> The /etc/hosts.deniedssh file is being created, but my home ip is not >> present (it would be hard as I have a dynamically allocated one anyhow). >> >> The hosts.deniedssh file contains entries like >> ....... > > ALL : ALL : 61.219.xx.250 : deny : deny > > which, clearly, is nonsense! I am not writing this file, denyhosts is. > > Make sure that denyhosts.cfg has a blank value for BLOCK_SERVICE and > that it points HOSTS_DENY to the right file. I guess that at least > is correct, though. My BAD I have the value ALL for BLOCK_SERVICE, I suppose that's the problem. I read further and it seems I do indeed need to set an empty value. Thanks. > > DenyHosts will then correctly record only the IP address of blocked > hosts, which will result in much saner rule expansions! > >> I have the same setup in 6.1 and it seems to work. But I still see messages >> related to line 24 from that setup. Does denyhosts work properly? > > I suspect it is not quite the same - check the BLOCK_SERVICE setting on > that machine. You're probably right. > > Check out the DenyHosts FAQ - it's very useful. > > http://denyhosts.sourceforge.net/faq.html > > And the FreeBSD hosts_options(5) man page as well, which, as I said > earlier, contains the full story on setting up your /etc/hosts.allow. Thanks again. -- Robin Becker
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?451C3520.7050500>