From: Robin Becker
Date: Thu, 28 Sep 2006 20:48:32 +0000
To: freebsd-questions@freebsd.org
Subject: Re: denyhosts problems
Message-ID: <451C3520.7050500@jessikat.plus.net>
In-Reply-To: <20060928185621.GA43858@catflap.slightlystrange.org>

Daniel Bye wrote:
> On Thu, Sep 28, 2006 at 05:22:43PM +0100, Robin Becker wrote:
>> I'm trying to get denyhosts-2.5 to work in 6.0 and have inserted a line in
>> hosts.allow
>>
>>
>> ALL: xxx.myoffice.com : allow
>> sshd: /etc/hosts.deniedssh : deny
>> ALL: ALL : allow
>>
>> but am finding that this causes my home ip to be denied even though I log
>> in with a pre-shared key.
>
> sshd will still avail itself of libwrap's functionality /before/ the
> client even has a chance to offer its key. Anyone who manages to get
> a copy of your key will need also to satisfy your /etc/hosts.allow
> rules before they can use it.
>
>> The /etc/hosts.deniedssh file is being created, but my home ip is not
>> present (it would be hard as I have a dynamically allocated one anyhow).
>>
>> The hosts.deniedssh file contains entries like
>> .......
>
> ALL : ALL : 61.219.xx.250 : deny : deny
>
> which, clearly, is nonsense!

I am not writing this file, denyhosts is.

>
> Make sure that denyhosts.cfg has a blank value for BLOCK_SERVICE and
> that it points HOSTS_DENY to the right file. I guess that at least
> is correct, though.

My BAD I have the value ALL for BLOCK_SERVICE, I suppose that's the problem. I
read further and it seems I do indeed need to set an empty value. Thanks.

>
> DenyHosts will then correctly record only the IP address of blocked
> hosts, which will result in much saner rule expansions!
>
>> I have the same setup in 6.1 and it seems to work. But I still see messages
>> related to line 24 from that setup. Does denyhosts work properly?
>
> I suspect it is not quite the same - check the BLOCK_SERVICE setting on
> that machine.

You're probably right.

>
> Check out the DenyHosts FAQ - it's very useful.
>
> http://denyhosts.sourceforge.net/faq.html
>
> And the FreeBSD hosts_options(5) man page as well, which, as I said
> earlier, contains the full story on setting up your /etc/hosts.allow.

Thanks again.
-- 
Robin Becker
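
An added example, not part of the original thread: a check that a file pulled into hosts.allow by path (as /etc/hosts.deniedssh is above) holds only bare host patterns, which is what DenyHosts records when BLOCK_SERVICE is blank. It assumes the hosts_access(5) pattern-file format of whitespace-separated host or address patterns; the function names and sample data are constructed for illustration.

```python
import ipaddress
import re

# hosts_access(5) wildcards; these are not host entries a blocklist should hold.
WILDCARDS = {"ALL", "LOCAL", "UNKNOWN", "KNOWN", "PARANOID"}
HOSTNAME = re.compile(r"^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.?$")

# Constructed samples (documentation address ranges, not data from the thread).
SAMPLE_BARE = "192.0.2.10\n198.51.100.7\n"
SAMPLE_PREFIXED = "ALL: 192.0.2.10\nALL: 198.51.100.7\n203.0.113.5\n"


def is_host_pattern(token):
    """Return True if token is a bare address, network, or host name pattern."""
    if token in WILDCARDS:
        return False
    bare = token[1:-1] if token.startswith("[") and token.endswith("]") else token
    try:
        if "/" in bare:
            ipaddress.ip_network(bare, strict=False)  # net/mask or net/prefixlen
        else:
            ipaddress.ip_address(bare)
        return True
    except ValueError:
        # Not a full address: accept names and prefixes such as
        # ".example.com" or "192.0.2."
        return bool(HOSTNAME.match(token))


def audit_pattern_file(text):
    """Return (line number, line, offending tokens) for every line that is
    not made up solely of host patterns."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        bad = [tok for tok in line.split() if not is_host_pattern(tok)]
        if bad:
            findings.append((lineno, line, bad))
    return findings


if __name__ == "__main__":
    for name, sample in (("bare", SAMPLE_BARE), ("prefixed", SAMPLE_PREFIXED)):
        findings = audit_pattern_file(sample)
        print(f"{name}: {len(findings)} malformed line(s)")
        for lineno, line, bad in findings:
            print(f"  line {lineno}: {line!r} -> not host patterns: {bad}")
```

Lines it reports are service-prefixed entries left over from a non-blank BLOCK_SERVICE; they need rewriting as bare addresses after the setting is cleared.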