Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 28 Sep 2006 19:56:21 +0100
From:      Daniel Bye <>
Subject:   Re: denyhosts problems
Message-ID:  <>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Sep 28, 2006 at 05:22:43PM +0100, Robin Becker wrote:
> I'm trying to get denyhosts-2.5 to work in 6.0 and have inserted a line i=
> hosts.allow
> ALL: : allow
> sshd: /etc/hosts.deniedssh : deny
> ALL: ALL : allow
> but am finding that this causes my home ip to be denied even though I log=
> in with a pre-shared key.

sshd will still avail itself of libwrap's functionality /before/ the
client even has a chance to offer its key. Anyone who manages to get
a copy of your key will need also to satisfy your /etc/hosts.allow
rules before they can use it.

> The /etc/hosts.deniedssh file is being created, but my home ip is not=20
> present (it would be hard as I have a dynamically allocated one anyhow).
> The hosts.deniedssh file contains entries like
> .......
> ALL: 61.219.xx.250 : deny
> ALL: 209.8.xx.242 : deny
> .......

This is wrong - when using an auxiliary file like this, that file
should contain only the IP address of offending hosts.  If you think
about how hosts.allow rules are structured, this will make sense.

> I am getting an error in the auth log related to the denial that looks li=
> this
> /etc/hosts.allow, line 24: can't verify hostname:=20
> getaddrinfo(xxx-yyy-......, AF_INET)
> where /etc/hosts.allow line24 corresponds to the
> sshd: /etc/hosts.deniedssh : deny
> line in hosts.allow.

Indeed.  It is precisely that rule that is uncovering the problems with
your current configuration.  Look at the structure of the rules.  First,
you have the service name, a colon, an address specification, another
colon, and an action. (this is actually a bit of an over simplification,
but you can get the full story if you look at hosts_access(5))

If the address specification actually contains the path to a file,
the contents of that file are interpolated into the body of the rule.
So, in your case, what libwrap constructs will look something like

ALL : ALL : 61.219.xx.250 : deny : deny

which, clearly, is nonsense!

Make sure that denyhosts.cfg has a blank value for BLOCK_SERVICE and
that it points HOSTS_DENY to the right file.  I guess that at least
is correct, though.

DenyHosts will then correctly record only the IP address of blocked
hosts, which will result in much saner rule expansions!

> I have the same setup in 6.1 and it seems to work. But I still see messag=
> related to line 24 from that setup. Does denyhosts work properly?

I suspect it is not quite the same - check the BLOCK_SERVICE setting on
that machine.

Check out the DenyHosts FAQ - it's very useful.

And the FreeBSD hosts_options(5) man page as well, which, as I said
earlier, contains the full story on setting up your /etc/hosts.allow.



Daniel Bye

PGP Key:
PGP Key fingerprint: D349 B109 0EB8 2554 4D75  B79A 8B17 F97C 1622 166A
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.5 (FreeBSD)



Want to link to this message? Use this URL: <>