LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-13-2007, 12:13 PM   #1
Firebar
Member
 
Registered: Feb 2005
Location: Southampton (UK)
Distribution: Debian, RHEL and SuSE
Posts: 69

Rep: Reputation: 15
DenyHosts - false /etc/hosts.deny entries


Hi,

I'm configuring DenyHosts to protect myself from brute force ssh attacks after noticing my machine sat on the web had some attempts from an IP in china.

I've installed and configured and its running fine after some initial .lock file problems.

The wierd thing is it puts the IP address of my main desktop machine (which I use to connect via public key) straight into the /etc/hosts.deny file. Even wierder is that I can still connect despite this!

If I manually remove the false entry from /etc/hosts.deny, denyhosts will shove it back in there within 10 seconds.

Any ideas? I'm totally stumped why it is doing this, and more important perhaps, why /etc/hosts.deny isn't denying access from my desktop machine.

The entry looks like;

sshd : x.x.x.x

The only thing may be causing a problem is that my ssh port is off 22.

Thanks
 
Old 04-13-2007, 01:09 PM   #2
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Rep: Reputation: 51
Quote:
Originally Posted by Firebar
Hi,

I'm configuring DenyHosts to protect myself from brute force ssh attacks after noticing my machine sat on the web had some attempts from an IP in china.

I've installed and configured and its running fine after some initial .lock file problems.

The wierd thing is it puts the IP address of my main desktop machine (which I use to connect via public key) straight into the /etc/hosts.deny file. Even wierder is that I can still connect despite this!

If I manually remove the false entry from /etc/hosts.deny, denyhosts will shove it back in there within 10 seconds.

Any ideas? I'm totally stumped why it is doing this, and more important perhaps, why /etc/hosts.deny isn't denying access from my desktop machine.

The entry looks like;

sshd : x.x.x.x

The only thing may be causing a problem is that my ssh port is off 22.

Thanks
Is there a reason why you have some deamon running to handle this rather than just manually editing your hosts.allow & hosts.deny?

I deny everything then allow certain entries through hosts.allow. Works great. No "denyhosts" program needed. I can see all the thwarted login attempts /var/log/auth.log so I know it's working.

fyi, my hosts.deny looks like so:

ALL: PARANOID

... and hosts.allow has a bunch of:

sshd: x.x.x.x

entries for explicitly allowed ips.
 
Old 04-13-2007, 01:49 PM   #3
Firebar
Member
 
Registered: Feb 2005
Location: Southampton (UK)
Distribution: Debian, RHEL and SuSE
Posts: 69

Original Poster
Rep: Reputation: 15
Adding entries for each user would be very hard in my case. They log on remotely from home, from other sites etc etc.

I think I might have nailed the problem though, and blindingly obvious it was. I had a previous failed attempt from my desktop IP when I was messing around earlier. Of course thats in /var/log/messages and when the daemon parses the log file (I presume it does the entire file when first started up), it finds that IP and adds it to hosts.deny.
 
Old 04-13-2007, 02:22 PM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682
I would recommend adding the users who are allowed to use ssh to a group that you create for that purpose. For example, let's say you call the group "sshusers".
Then add the line:
AllowGroups sshusers
to your sshd_config file. This will deny all other groups including system groups which are subject to brute force attacks. I think in your case this would be easier to manage than adding each user to "AllowUsers".

Moving the port that ssh listens to will help reduce the number of brute force attacks as well. A determined hacker will still be able to scan for the ssh port being used, but most will move on to another computer.

Since the attack is coming from a single IP address, consider blocking it in the firewall. You may even be able to block it in your NAT router to protect all of your hosts. Also consider blocking the group of IPs that are assigned to China, since that country is so active in hacking. Many companies who don't do business with China will do that to protect their mail servers.

If you use PAM for ssh, then read through the "man 5 access.conf" for the syntax of /etc/security/access.conf.
There is also a "man 5 hosts_access" manpage.

It may be better to instead not use PAM and instead rely on keys as the only form of authentication. Using search on this site for "ssh" should provide plenty of posts with examples. Also check this sites wiki. If you have a user with a common user name like "God" or "bob" and a weak password, then you could still be vulnerable. You probably want to have your system reject weak passwords to protect other services as well.
See man pam_pwcheck for a possible solution. Your distro may have a convenient gui config to enforce this as well.

Last edited by jschiwal; 04-13-2007 at 02:36 PM.
 
Old 04-13-2007, 04:13 PM   #5
Firebar
Member
 
Registered: Feb 2005
Location: Southampton (UK)
Distribution: Debian, RHEL and SuSE
Posts: 69

Original Poster
Rep: Reputation: 15
Thanks for your ideas

The group make particular sense tbh.
 
Old 07-07-2007, 02:47 PM   #6
gr3g
LQ Newbie
 
Registered: Jul 2006
Posts: 2

Rep: Reputation: 0
Another option:

1. edit denyhosts.conf and find PURGE_DENY, change to 1m (1 minute)
2. stop denyhosts
3. start denyhosts with --purge option

after your IP clear from hosts.deny, put back PURGE_DENY time to your taste then restart denyhosts.

Last edited by gr3g; 07-07-2007 at 02:51 PM.
 
Old 07-08-2007, 11:18 AM   #7
whistl
Member
 
Registered: May 2005
Location: USA
Distribution: Ubuntu, CentOS
Posts: 37

Rep: Reputation: 15
Quote:
Originally Posted by Firebar
Hi,
The wierd thing is it puts the IP address of my main desktop machine (which I use to connect via public key) straight into the /etc/hosts.deny file. Even wierder is that I can still connect despite this!

If I manually remove the false entry from /etc/hosts.deny, denyhosts will shove it back in there within 10 seconds.
I'll bet you have an entry in hosts.allow that is overriding the entry in hosts.deny.

DenyHosts works by scanning syslog files looking for sshd login failure messages. Just removing the entry from hosts.deny won't work. You have to edit the configured syslog file (check denyhosts.cfg), remove all your own login failures and bounce the denyhosts daemon to get it to not re-add the IP address you want to re-allow.
 
Old 07-08-2007, 11:26 AM   #8
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
I have found this script to be very helpful:

http://www.aczoom.com/cms/blockhosts

It halts the brute force attempts on ssh by blocking them (in hosts.allow and optionally in the iptables firewall) after a user configurable number of tries (I allow 5 tries). This does two things; first, it stops anyone who is really determined and might get lucky from actually making a connection, and second it cuts way down on the size of the auth.log file.
 
Old 07-08-2007, 01:13 PM   #9
whistl
Member
 
Registered: May 2005
Location: USA
Distribution: Ubuntu, CentOS
Posts: 37

Rep: Reputation: 15
Quote:
Originally Posted by jiml8
I have found this script to be very helpful:

http://www.aczoom.com/cms/blockhosts

It halts the brute force attempts on ssh by blocking them (in hosts.allow and optionally in the iptables firewall) after a user configurable number of tries (I allow 5 tries). This does two things; first, it stops anyone who is really determined and might get lucky from actually making a connection, and second it cuts way down on the size of the auth.log file.
Ummm, that's exactly what denyhosts does too.
 
Old 07-08-2007, 02:09 PM   #10
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by whistl
Ummm, that's exactly what denyhosts does too.
Yes, I figured that out when I googled denyhosts after posting. However the way they do it is a bit different.

Blockhosts expects to get run from tcpwrappers, as a spawn from hosts.allow, while denyhosts is a daemon. Having not studied denyhosts in any detail, I won't offer an opinion on the advantages or disadvantages of each method, but blockhosts only runs when needed, and doesn't routinely clean up old blocked entries until it runs. Also, denyhosts has its mechanism for reporting blocked hosts to a central database which is shared. This may or may not be an advantage, but it is certainly something that blockhosts does not do.
 
Old 07-10-2007, 04:38 PM   #11
michaelnel
LQ Newbie
 
Registered: Apr 2005
Location: San Francisco, California
Posts: 12

Rep: Reputation: 0
Edit /usr/share/denyhosts/data/allowed-hosts and put a list of IPs there that are NEVER to be denied access, no matter how many times they fail their login.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] question about hosts.allow/hosts.deny Wim Sturkenboom Linux - Security 9 05-30-2006 01:33 AM
/etc/hosts.deny/hosts.allow have no effect on sshd access bganesh Linux - Security 4 05-04-2006 08:06 PM
Entries in hosts.deny file tensigh Linux - Security 8 05-02-2006 04:52 PM
hosts.allow & hosts.deny question... jonc Linux - Security 9 03-05-2005 09:41 PM
Adding shell commands to hosts.deny and hosts.allow ridertech Linux - Security 3 12-29-2003 03:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration