# /etc/hosts.deny ignored?!

## binro

I have recently been tuning DenyHosts to better block dictionary attacks against sshd and proftpd. My rules are now good but the attacks continue (this in itself is not a worry since I only allow logon via RSA public keys). The attacking IP address is added to /etc/hosts.deny but seems to be ignored. 

I have checked that: xinetd is running and was compiled with the tcpd flag; there are no bad rules in hosts.allow.

Any ideas welcome, I am a bit stumped.

----------

## alex.blackbit

i don't understand why you need xinetd. neither sshd nor proftpd need it, right?

----------

## binro

 *alex.blackbit wrote:*   

> i don't understand why you need xinetd. neither sshd nor proftpd need it, right?

 

Not exactly, proftpd can be configured to use xinetd and I also use it for qpopper. What's more, I remember locking myself out on my last overseas trip, so this used to work.

----------

## jcat

Does your /etc/hosts.deny work at all?

Try some simple tests: back up your current allow and deny files and reconfigure them as needed for the tests.

If the files are definitely working ok, then you can only presume that it's your rules that aren't correct (in one file or the other or both).

If you can't work it out feel free to post the contents of both files.

Cheers,

jcat

----------

## binro

Here is my hosts.allow with the local address range (192.168) not allowed by default:

```
ALL: LOCAL
sendmail: ALL
# ALL: 192.168.
popper: ALL
spamd: 127.0.0.1
ldapd: ALL
slapd: ALL
cupsd: ALL
```

Here is a segment of hosts.deny where I have deliberately got myself blacklisted:

```
# DenyHosts: Tue Mar 25 18:24:09 2008 | ALL: 192.168.1.57
ALL: 192.168.1.57
```

Yet I can still logon if I use a valid userid/password. I should not even get a connection.

----------

## jcat

First of all, your

```
spamd: 127.0.0.1
```

is irrelevant, because you have

```
ALL: LOCAL
```

already allowing anything from local to anything (using tcpd wrappers anyway).

How are you testing the rule?  Logging in locally using ssh?

Have you tried

```
ssh localhost
```

 and 

```
ssh 192.168.1.57
```

Cheers,

jcat

----------

## Cyker

Stupid question: You have compiled tcpwrappers support into xinetd, openssh and proftpd?

----------

## binro

*jcat wrote:*

> How are you testing the rule?  Logging in locally using ssh?
>
> Have you tried
> ...

No, I ssh from 192.168.1.57 to 192.168.1.2, which is my main server. 192.168.1.57 should be blocked but isn't.

----------

## binro

*Cyker wrote:*

> Stupid question: You have compiled tcpwrappers support into xinetd, openssh and proftpd?

Yes, tcpd is in the global use flags.

----------

## binro

More info: proftpd is reading hosts.deny, connections do get blocked. However, connections to sshd from the same address are permitted, unless I put

```
ALL: ALL
```

at the top of hosts.deny. Then the connection is refused. Which makes me think that this is an SSH problem, so I installed the latest version from the test branch but there was no change. My sshd_config options are default, except for disallowing clear text passwords. All very strange.

----------

## jcat

Hi,

While it's strange that your hosts.deny rule ALL: 192.168.1.57 is not effective, it is best practice to deny everything with ALL: ALL and then specifically allow exceptions in hosts.allow.

What happens if you deny everything then add 

```
sshd:  ALL
```

 to hosts.allow, and then deny specific IP addresses?

Cheers,

jcat

----------

## binro

*jcat wrote:*

> While it's strange that your hosts.deny rule ALL: 192.168.1.57 is not effective, it is best practice to deny everything with ALL: ALL and then specifically allow exceptions on hosts.allow.

I travel a lot and want to be able to ssh into my server from wherever I am.

*jcat wrote:*

> What happens if you deny everything then add
>
> ```
> sshd:  ALL
> ```
> ...

No change, the connection is still made.
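As an added example (not code from the thread), a small Python model of the hosts_access(5) lookup order, run against constructed copies of the two files binro posted and of the layout jcat suggested: hosts.allow is searched first and a match there is final, hosts.deny is consulted only after that, and a client matching neither file is let in. This is also why a blanket `sshd: ALL` in hosts.allow leaves any sshd entry in hosts.deny unreachable; the hostname `laptop` is an assumed value used only to illustrate the LOCAL pattern.

```python
# Added example, not code from the thread: a toy evaluator for the
# hosts_access(5) decision order. It models only the pattern forms seen
# above (ALL, LOCAL, a trailing-dot IP prefix such as "192.168.", exact
# addresses); EXCEPT and netmask forms are deliberately left out.

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] from a file body."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((daemons.split(), clients.split()))
    return rules

def client_matches(pat, ip, host):
    """Match one client pattern against the peer's address and name."""
    if pat == "ALL":
        return True
    if pat == "LOCAL":                 # a resolved name with no dot in it
        return host != "unknown" and "." not in host
    if pat.endswith("."):              # leading numeric fields of the address
        return ip.startswith(pat)
    return pat in (ip, host)

def rule_matches(rule, daemon, ip, host):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, ip, host) for c in clients))

def access_allowed(allow_text, deny_text, daemon, ip, host="unknown"):
    """hosts.allow is searched first and a hit there is final; only then
    is hosts.deny consulted; a client matching neither file is allowed."""
    if any(rule_matches(r, daemon, ip, host) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip, host) for r in parse_rules(deny_text)):
        return False
    return True

# Constructed copies of the two files posted earlier in the thread.
HOSTS_ALLOW = "ALL: LOCAL\nsendmail: ALL\n# ALL: 192.168.\npopper: ALL\n"
HOSTS_DENY = "# DenyHosts: Tue Mar 25 18:24:09 2008 | ALL: 192.168.1.57\nALL: 192.168.1.57\n"
# jcat's suggested layout: deny everything, then allow sshd from anywhere.
JCAT_ALLOW, JCAT_DENY = "sshd: ALL\n", "ALL: ALL\nALL: 192.168.1.57\n"

if __name__ == "__main__":
    print(access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", "192.168.1.57"))           # False
    print(access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", "192.168.1.57", "laptop"))  # True: LOCAL wins
    print(access_allowed(JCAT_ALLOW, JCAT_DENY, "sshd", "192.168.1.57"))             # True: deny never read
```

The real tcp_wrappers package ships `tcpdmatch` (for example `tcpdmatch sshd 192.168.1.57`), which reports the same decision against the live files and is the quickest way to see which rule a given client actually hits.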

----------

## jcat

*binro wrote:*

> *jcat wrote:* While it's strange that your hosts.deny rule ALL: 192.168.1.57 is not effective, it is best practice to deny everything with ALL: ALL and then specifically allow exceptions on hosts.allow.
>
> I travel a lot and want to be able to ssh into my server from wherever I am.
> ...

Which is why I then said to allow all to sshd.

I'm running out of ideas.  Not sure if this will help, but I presume both files are world readable?

Incidentally, if you really can't find the problem here, you can always resort to using IPTables to block the traffic before it's even processed, or use some null routes or something instead.

Cheers,

jcat

----------

## RiverRat

*binro wrote:*

> I have recently been tuning DenyHosts to better block dictionary attacks against sshd and proftpd. My rules are now good but the attacks continue (this in itself is not a worry since I only allow logon via RSA public keys). The attacking IP address is added to /etc/hosts.deny but seems to be ignored.
>
> I have checked that: xinetd is running and was compiled with the tcpd flag; there are no bad rules in hosts.allow.
>
> Any ideas welcome, I am a bit stumped.

I'm having the same issue.  I have a workaround at the moment but I'd like this resolved.  I am not running xinetd nor any ftp server and I can confirm that I have the USE="tcpd" flag for openssh and tcp-wrappers installed.  My /etc/hosts.deny file is also seemingly ignored, but denyhosts is working as the entries are appearing in /etc/hosts.deny.  I have opened a bug report here:

https://bugs.gentoo.org/show_bug.cgi?id=222777

Any ideas would be greatly appreciated.

----------

## RiverRat

The solution is here: https://forums.gentoo.org/viewtopic-p-4146699.html#4146699

----------

## binro

*RiverRat wrote:*

> The solution is here: https://forums.gentoo.org/viewtopic-p-4146699.html#4146699

I do not have a ListenAddress in my ssh config. However, I somehow solved the problem by updating to the latest ssh in the test branch. Possibly the update fixed a config file somewhere.

----------

## depontius

Just another note...

There is a directive in /etc/ssh/sshd_config called "AllowGroups".  I have added a group, put the users I want to allow to ssh into the box in that group, then use that group with the preceding directive.  This gives another layer of security to OpenSSH, especially with all of the current brute-force attacks going on.  They can try and brute-force any account under the sun, but they've got to try to brute-force the right account to even start to get anywhere.  You probably also want to set "PermitRootLogin no" in that same file.  I simply don't understand why Gentoo has this default to "yes".  Every etc-update I have to go back and change it.

Another thought...

Are you connecting from random systems, or from your personal laptop?  I have things set in multiple layers to only allow incoming ssh from my employer's IP range.  But I also have OpenVPN, and allow incoming connections from anywhere, since it has certificate-based connections that aren't open to simple brute-force attack.  When I want to ssh in while traveling, I open the OpenVPN tunnel, then ssh through that, not for double-encryption, but because I feel that OpenVPN is safer to expose to general connections.

----------

## binro

I connect from many places (including my phone - my SE P1i runs PuTTY!) and I even allow root logins. However I have:

```
ChallengeResponseAuthentication no
```

in my sshd_config and carry my RSA keys around on a USB stick.

----------

## jcat

Even if you use keys to auth, I would still feel uncomfortable allowing root login via ssh.  Just because it's good practice and one day there will be a security hole discovered that will allow a hacker to take advantage of this set-up temporarily until it's fixed (you have to assume the worst!).  Just my .02

Glad to hear your hosts.deny is now working.

Cheers,

jcat

----------

