Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 21 Dec 2006 13:45:15 +0000
From:      Daniel Bye <dan@slightlystrange.org>
To:        David Banning <david+dated+1167109465.e841d1@skytracker.ca>
Cc:        questions@freebsd.org
Subject:   Re: question on hosts.allow
Message-ID:  <458A8FEB.7090805@slightlystrange.org>
In-Reply-To: <20061221050424.GA94983@skytracker.ca>
References:  <20061221050424.GA94983@skytracker.ca>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Banning wrote:
> I have been running denyhosts to stop attacks on my ssh port.
>
> The attacks continue after protection is put in place.
>
> Here is what I have in the tail of my /etc/hosts.allow
> as per the installation instructions;
> -------------------------
> ...<snip>
> sshd : /etc/hosts.deniedssh : deny
> sshd : ALL : allow
> -------------------------
>
> and in /etc/hosts.deniedssh I have;
>
> -------------------------
> sshd: 82.165.182.220 : deny
> sshd: 200.52.90.100 : deny
> -------------------------

This isn't quite right.  This file should contain IP addresses, one per
line, without any of the extraneous stuff - the `sshd' and `deny' bits
are taken care of by the

sshd : /etc/hosts.deniedssh : deny

line in /etc/hosts.allow.  (Effectively, with your current setup, your
hosts.allow rules expand to something like this:

sshd : sshd : 82.165.182.220 : deny : deny

which doesn't make much sense!)

At a guess, your BLOCK_SERVICE is set to something other than an empty
value.  It needs to be "BLOCK_SERVICE =" (without the quotes, of
course...) to ensure that only offending IP addresses get written out to
the auxiliary file.

>
> but I am still receiving attacks from the last IP address. So I am wondering
> what program actually -reads- hosts.allow

It should be read by anything that's built with tcpwrappers support.  In
this case, it would be sshd.

> May be it has to be reset, or restarted?

No, I don't think so.  I would imagine the problem is the screwy syntax
of your config.  Try setting BLOCK_SERVICE in
/usr/local/etc/denyhosts.conf, restart DenyHosts and see what happens...

Dan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFio/rixf5fBYiFmoRAqQGAJ9USWP47e9nC6ChfhL8BzdxX7tFRwCgvUA9
U/pe3iiTdjkKzBctcaAU50k=
=QmiM
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?458A8FEB.7090805>