# Problems with openssh and tcp-wrappers

## rlucking

I've been installing denyhosts on all our servers, and all went well, except one!

It's a (uname -a):

```
Linux defender 2.6.18-hardened #2 SMP Sun Jan 28 20:39:01 GMT 2007 x86_64 AMD Opteron(tm) Processor 246 AuthenticAMD GNU/Linux
```

If I put "sshd: ALL" in hosts.deny, then I can't log in:

```
# ssh localhost
ssh_exchange_identification: Connection closed by remote host
```

However, if I put in "sshd: 127.0.0.1", then I can still log in from the command prompt.

I've checked everything I can think of, and the only "clue" I can find is that when I had "sshd: ALL", there are lines like the following in auth.log:

```
sshd[19815]: refused connect from 0.0.0.0
```

Which seems "wrong". The only similar things I can find relate to an old version of Solaris and IPv6 - which is disabled through the USE flag.

Any suggestions what I might be doing wrong would be appreciated!

Cheers

Rich

----------

## Rob1n

Sounds odd - are you sure localhost is resolving to 127.0.0.1?

----------

## rlucking

 *Rob1n wrote:*   

> Sounds odd - are you sure localhost is resolving to 127.0.0.1?

 

That was one of my first (or second...) thoughts...

But:

```
# host localhost
localhost has address 127.0.0.1
```

and:

```
# host 127.0.0.1
1.0.0.127.in-addr.arpa domain name pointer localhost.
```

Cheers

Rich

----------

## Rob1n

Hmm, and can you ssh using the IP address rather than localhost?

----------

## Rob1n

Also, have you tried using 127.0.0.1/255.255.255.255 in the hosts.deny file?  The documentation isn't clear on allowing IP addresses without netmask.

----------

## rlucking

 *Rob1n wrote:*   

> Hmm, and can you ssh using the IP address rather than localhost?

 

I hadn't tried that... but no luck...

With "sshd: 127.0.0.1" in hosts.deny I can "ssh 127.0.0.1" (and the same with localhost) and log in from the command prompt.

I'd initially thought that it was a tcp-wrapper problem, but as the "ALL" works, I'm guessing it's something else... I'm just not sure what!

Rich

----------

## rlucking

Getting somewhere... if I uncomment the ListenAddress in sshd_config and put in the IP address it works fine!

```
# ssh localhost
ssh: connect to host localhost port 22: Connection refused
```

Just need to work out why now... Will start afresh in the morning :)

Cheers

Rich

----------

## nihilo

Thank you! 

I had the same issue. Denyhosts didn't work for me either until I added a ListenAddress directive with my IP address.

----------

## RiverRat

 *nihilo wrote:*   

> Thank you! 
> 
> I had the same issue. Denyhosts didn't work for me either until I added a ListenAddress directive with my IP address.

 

DAMN! What an obscure bug.  And thank you.  

Now the problem of handling a dynamic IP address.  Well thankfully my home network doesn't really get hit, just the production servers.  I guess I'll have to keep the solution that I came up with here:  https://bugs.gentoo.org/show_bug.cgi?id=222777

----------

## RiverRat

You guys may want to look at the latest entry in the bug report, as it appears that the connection is arriving as an IPv6 packet and getting mangled into an IPv4 packet, and that is causing problems for tcp-wrappers.

----------
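Added example, not from the thread or the linked bug report: one way an IPv6 peer address read with IPv4 assumptions becomes the 0.0.0.0 seen in auth.log, which "sshd: ALL" matches and "sshd: 127.0.0.1" does not. It assumes the reader applies the IPv4 sockaddr layout to an IPv4-mapped address (::ffff:127.0.0.1) reported by an IPv6 listening socket; the function names are hypothetical and this is not tcp-wrappers' own code.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed sample: the peer address an IPv6 (dual-stack) listener
 * reports for an IPv4 client, i.e. the IPv4-mapped form ::ffff:a.b.c.d. */
struct sockaddr_in6 mapped_peer(const char *ipv4, unsigned short port)
{
    struct sockaddr_in6 sa6;
    char text[INET6_ADDRSTRLEN];
    memset(&sa6, 0, sizeof sa6);
    sa6.sin6_family = AF_INET6;
    sa6.sin6_port = htons(port);
    snprintf(text, sizeof text, "::ffff:%s", ipv4);
    inet_pton(AF_INET6, text, &sa6.sin6_addr);
    return sa6;
}

/* Assumed failure mode: an IPv4-only reader copies the first
 * sizeof(struct sockaddr_in) bytes and trusts sin_addr. In the IPv6
 * layout those four bytes are sin6_flowinfo, which is zero here. */
const char *naive_ipv4_view(const struct sockaddr_in6 *sa6, char *out, size_t n)
{
    struct sockaddr_in sin;
    memcpy(&sin, sa6, sizeof sin);
    return inet_ntop(AF_INET, &sin.sin_addr, out, (socklen_t)n);
}

/* Family-aware reader: unwrap ::ffff:a.b.c.d to a.b.c.d before matching. */
const char *normalized_view(const struct sockaddr_in6 *sa6, char *out, size_t n)
{
    if (sa6->sin6_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr))
        return inet_ntop(AF_INET, &sa6->sin6_addr.s6_addr[12], out, (socklen_t)n);
    return inet_ntop(AF_INET6, &sa6->sin6_addr, out, (socklen_t)n);
}

int main(void)
{
    char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
    struct sockaddr_in6 peer = mapped_peer("127.0.0.1", 40000);
    printf("naive IPv4 view: %s\n", naive_ipv4_view(&peer, a, sizeof a));
    printf("normalized view: %s\n", normalized_view(&peer, b, sizeof b));
    return 0;
}
```

With sshd bound to a specific IPv4 address through ListenAddress, the accepted socket is AF_INET and the IPv4 layout is the correct one to read.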

