LinuxQuestions.org


FireRaven 10-28-2009 04:38 AM

Help me - I am locked out of SSH because of DenyHosts
 
Hi,

I got locked out of my own server because (I think) I tried to log in with the wrong username/password too many times.

I have file access through the control panel to the server but /etc/denyhosts.conf is locked down for some reason.

Where does DenyHosts keep its blacklist file, maybe I can delete that manually?

Any ideas?

Thanks

SethsdadtheLinuxer 10-28-2009 09:36 AM

probably in ~/.ssh/known_hosts - check /etc/ssh/ssh_config and /etc/ssh/sshd_config to verify.

FireRaven 10-28-2009 04:42 PM

Quote:

Originally Posted by SethsdadtheLinuxer (Post 3735380)
probably in ~/.ssh/known_hosts - check /etc/ssh/ssh_config and /etc/ssh/sshd_config to verify.


Here's a copy of my /etc/ssh/sshd_config file:
Code:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication no
PubkeyAuthentication no
#AuthorizedKeysFile        %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

AllowUsers root


Wim Sturkenboom 10-29-2009 04:45 AM

Assuming you have a normal user on your box, add that user to the last line of your sshd.conf. Not sure if you have to read sshd to make it take effect, but I think you have to. Next, try to log in.

I guess that this is an internet-facing box, in which case it's not really advisable (to put it politely) to have PermitRootLogin set to yes and add root to AllowUsers. Once you're in, fix that, as the root account is what one usually tries to hack. Log in as a normal user and su to root when you have to.

unixfool 10-29-2009 08:13 AM

Quote:

Originally Posted by FireRaven (Post 3735087)
Hi,

I got locked out of my own server because (I think) I tried to log in with the wrong username/password too many times.

I have file access through the control panel to the server but /etc/denyhosts.conf is locked down for some reason.

Where does DenyHosts keep its blacklist file, maybe I can delete that manually?

Any ideas?

Thanks

I'm pretty sure DenyHosts has a whitelist that is separate from the sshd config.

This may be within the denyhosts.conf file itself. I'd check but I'm at work and can't log into my machine at the moment.

unixfool 10-29-2009 09:45 PM

Quote:

Originally Posted by unixfool (Post 3736595)
I'm pretty sure DenyHosts has a whitelist that is separate from the sshd config.

This may be within the denyhosts.conf file itself. I'd check but I'm at work and can't log into my machine at the moment.

OK, I'm home now.

Checking my box, I've a file called allowed-hosts. I've added IPs to this file so that I don't end up blocking myself.

Try that.
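
An added example, not part of the original thread and not DenyHosts' own code: a POSIX shell sketch of clearing one address from DenyHosts' records and adding it to the allowed-hosts file mentioned above. Removing the line from hosts.deny alone is not enough, because DenyHosts re-adds addresses it still has recorded in its work directory. The default paths (/etc/hosts.deny, /var/lib/denyhosts) and the function names are assumptions; use the HOSTS_DENY and WORK_DIR values from your own denyhosts.conf.

```shell
#!/bin/sh
# Added example (not from the thread): remove one IPv4 address from DenyHosts'
# block records and allow-list it. Stop the DenyHosts daemon before running
# this and start it again afterwards.
# Assumed defaults: /etc/hosts.deny and /var/lib/denyhosts; use the HOSTS_DENY
# and WORK_DIR values from your own denyhosts.conf.

# Escape dots so the address is matched literally.
ip_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }

# purge_ip FILE IP: drop lines naming IP as a whole token (so 10.0.0.5 does not
# also remove 10.0.0.50), keep FILE.bak, and print the number of lines removed.
purge_ip() {
    file=$1
    re=$(ip_regex "$2")
    [ -f "$file" ] || { echo 0; return 0; }
    before=$(wc -l < "$file")
    cp -p "$file" "$file.bak"
    grep -Ev "(^|[^0-9.])${re}([^0-9.]|\$)" "$file.bak" > "$file.tmp" || true
    cat "$file.tmp" > "$file"    # rewrite in place: keeps owner and mode
    rm -f "$file.tmp"
    after=$(wc -l < "$file")
    echo $(( $before - $after ))
}

# unblock_ip IP [HOSTS_DENY] [WORK_DIR]: prints the total lines removed.
unblock_ip() {
    ip=$1
    hosts_deny=${2:-/etc/hosts.deny}
    work_dir=${3:-/var/lib/denyhosts}
    case $ip in
        ''|*[!0-9.]*) echo "not an IPv4 address: $ip" >&2; return 2 ;;
    esac
    total=$(purge_ip "$hosts_deny" "$ip")
    for f in hosts hosts-restricted hosts-root hosts-valid users-hosts; do
        n=$(purge_ip "$work_dir/$f" "$ip")
        total=$(( $total + $n ))
    done
    # Allow-list the address so future failed logins do not block it again.
    grep -qxF "$ip" "$work_dir/allowed-hosts" 2>/dev/null ||
        echo "$ip" >> "$work_dir/allowed-hosts"
    echo "$total"
}

# Run only when an address is given on the command line.
if [ -n "${1:-}" ]; then unblock_ip "$@"; fi
```

Run it as root with the blocked client address as the only argument; each edited file keeps a .bak copy next to it.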

edenCC 10-29-2009 10:49 PM

DenyHosts is much like an IP-based limitation.
If I'm right, you could have a try from another network to bypass the IP-based ACL.


All times are GMT -5.