LinuxQuestions.org
Old 10-28-2009, 04:38 AM   #1
FireRaven
Member
 
Registered: Apr 2006
Location: Australia
Distribution: Debian Squeeze
Posts: 135

Rep: Reputation: 18
Help me - I am locked out of SSH because of DenyHosts


Hi,

I got locked out of my own server because (I think) I tried to login with wrong username/password too many times.

I have file access through the control panel to the server but /etc/denyhosts.conf is locked down for some reason.

Where does DenyHosts keep its blacklist file, maybe I can delete that manually?

Any ideas?

Thanks
 
Old 10-28-2009, 09:36 AM   #2
SethsdadtheLinuxer
Member
 
Registered: Jun 2007
Posts: 152

Rep: Reputation: 37
probably in ~/.ssh/known_hosts - check /etc/ssh/ssh_config and /etc/ssh/sshd_config to verify.
 
Old 10-28-2009, 04:42 PM   #3
FireRaven
Member
 
Registered: Apr 2006
Location: Australia
Distribution: Debian Squeeze
Posts: 135

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by SethsdadtheLinuxer View Post
probably in ~/.ssh/known_hosts - check /etc/ssh/ssh_config and /etc/ssh/sshd_config to verify.

Here's a copy of my /etc/ssh/sshd_config file:
Code:
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication no
PubkeyAuthentication no
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

AllowUsers root
 
Old 10-29-2009, 04:45 AM   #4
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
Assuming you have a normal user on your box, add that user to the last line of your sshd.conf. Not sure if you have to read sshd to make it take effect but I think you have to. Next, try to log in.

I guess that this is an internet-facing box, in which case it's not really advisable (to put it politely) to have PermitRootLogin set to yes and add root to AllowUsers. Once you're in, fix that, as the root account is what one usually tries to hack. Log in as a normal user and su to root when you have to.
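
An added example, not part of the thread or of OpenSSH: a small audit for the settings this reply warns about, run against a copy of sshd_config. The function names `audit_sshd` and `sample_config` and the finding labels are made up for illustration; the sample lines are constructed from the config posted above.

```shell
# Added example: flag the root-login settings discussed in the reply above.
# sshd keywords are case-insensitive and the first value given for a keyword
# is the one sshd uses; repeated AllowUsers lines add to one list.
# Limits: global section only, exact user names only (no user@host patterns).
audit_sshd() {  # usage: audit_sshd FILE ; prints one finding per line
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                 # stop at the first Match block
        key == "allowusers" {
            for (i = 2; i <= NF; i++) if (!($i in users)) { users[$i] = 1; nu++ }
            next
        }
        !(key in seen) { seen[key] = 1; val[key] = tolower($2) }
        END {
            if (val["permitrootlogin"] == "yes") print "root-login-enabled"
            if ("root" in users)                 print "root-in-allowusers"
            if (nu == 1 && ("root" in users))    print "no-unprivileged-login-user"
            if (val["pubkeyauthentication"] == "no") print "pubkey-auth-disabled"
        }' "$1"
}

# Constructed excerpt mirroring the relevant lines of the posted config.
sample_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
#PermitRootLogin no
PubkeyAuthentication no
UsePAM yes
AllowUsers root
EOF
}
```

An empty result means none of the four conditions was found in the global section; it does not replace checking the effective configuration with `sshd -T` on the server.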
 
Old 10-29-2009, 08:13 AM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by FireRaven View Post
Hi,

I got locked out of my own server because (I think) I tried to login with wrong username/password too many times.

I have file access through the control panel to the server but /etc/denyhosts.conf is locked down for some reason.

Where does DenyHosts keep its blacklist file, maybe I can delete that manually?

Any ideas?

Thanks
I'm pretty sure Denyhosts has a whitelist that is separate from the sshd config.

This may be within the denyhosts.conf file itself. I'd check but I'm at work and can't log into my machine at the moment.
 
Old 10-29-2009, 09:45 PM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by unixfool View Post
I'm pretty sure Denyhosts has a whitelist that is separate from the sshd config.

This may be within the denyhosts.conf file itself. I'd check but I'm at work and can't log into my machine at the moment.
OK, I'm home now.

Checking my box, I've a file called allowed-hosts. I've added IPs to this file so that I don't end up blocking myself.

Try that.
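
An added example, not part of the thread and not DenyHosts' own code: finding and clearing one address from DenyHosts state through file access, then listing it in the allowed-hosts file mentioned above. It assumes the block list is a TCP-wrappers file (commonly /etc/hosts.deny) and that the work directory holds the files named in the comments; the real paths are set in denyhosts.conf. Function names and sample lines are constructed for illustration.

```shell
# Added example. Assumed layout (check denyhosts.conf for the real paths):
# HOSTS_DENY is a TCP-wrappers file; WORK_DIR holds hosts, hosts-restricted,
# hosts-root, hosts-valid, users-hosts and allowed-hosts.

# Print each state file that mentions the address as a whole token,
# so 203.0.113.7 does not match 203.0.113.70.
find_blocked() {  # usage: find_blocked IP HOSTS_DENY WORK_DIR
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    for f in "$2" "$3"/hosts "$3"/hosts-restricted "$3"/hosts-root \
             "$3"/hosts-valid "$3"/users-hosts; do
        [ -f "$f" ] && grep -Eq "(^|[^0-9.])${ip_re}([^0-9.]|\$)" "$f" && echo "$f"
    done
    return 0
}

# Drop the address from every file found (keeping a .bak copy), then allow-list it.
# Stop the denyhosts daemon first, otherwise it may write the entries back.
unblock() {  # usage: unblock IP HOSTS_DENY WORK_DIR
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    find_blocked "$1" "$2" "$3" | while IFS= read -r f; do
        cp -p "$f" "$f.bak"
        grep -Ev "(^|[^0-9.])${ip_re}([^0-9.]|\$)" "$f.bak" > "$f" || true
    done
    grep -qxF "$1" "$3/allowed-hosts" 2>/dev/null || echo "$1" >> "$3/allowed-hosts"
}

# Constructed sample state for a dry run (203.0.113.0/24 is documentation space).
make_sample() {  # usage: make_sample DIR
    mkdir -p "$1/work"
    printf 'sshd: 203.0.113.7\nsshd: 203.0.113.70\n' > "$1/hosts.deny"
    printf '203.0.113.7:6:Wed Oct 28 04:30:00 2009\n' > "$1/work/hosts"
    printf '203.0.113.70:9:Wed Oct 28 04:31:00 2009\n' >> "$1/work/hosts"
    printf 'root - 203.0.113.7:6:Wed Oct 28 04:30:00 2009\n' > "$1/work/users-hosts"
}
```

Run it against the sample directory first, for example `make_sample /tmp/dh && unblock 203.0.113.7 /tmp/dh/hosts.deny /tmp/dh/work`, before pointing it at real paths.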
 
Old 10-29-2009, 10:49 PM   #7
edenCC
Member
 
Registered: May 2006
Location: China
Distribution: Debian
Posts: 198
Blog Entries: 1

Rep: Reputation: 32
DenyHosts is much like an IP-based limitation.
If I'm right, you could try from another network to bypass the IP-based ACL.
 
  



All times are GMT -5.
