warning: /etc/hosts.deny, line 20: missing ":" separator
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Yest hosts.deny has only two lines.
/var/log/auth.log
I see above error message.
I have put it up to block all programs from those IPs.Right now only ssh is running.But when I will run more I want to block ALL for those IPs.
May 16 07:17:44 homeserver sshd[31735]: warning: /etc/hosts.deny, line 20: missing ":" separator
So I infer that some one trying to do an SSH is what is triggering it.
What else do I need to check let me know and how exactly to get rid of it?I did searched but could not find any thing useful.Is there a possibility that a root kit is there in my system?
I also see a line
Code:
CRON[31833]: pam_unix(cron:session): session opened for user root by (uid=0)
It has filled up my entire log.
Can it be a possible break in?
Is there an elegant way to stop this,
Code:
crontab -l
no crontab for root
As far as I understand that when cron runs
cron has to be authenticated to the system just like everyone else and cron checks the config files to see if anything has changed. Since cron can run at any minute of the day you will see alot of them.
But I just want to make sure that this is happening.
I have no idea what may be the cause and have seen no such messages (my Slackware 13.0 system does not have pam, it does not run sshd and has /var/log/security instead of /var/log/auth.log) so the only thing I can do is ask more questions to build a full picture.
Does the "warning: /etc/hosts.deny, line 20: missing ":" separator" appear more than once? Regards getting rid of the message it would help if you could reproduce it. Are you able to ssh into the system to see if that reproduces it? If so you could stop sshd and start it from the command line with a -d option to get more information.
When you write "So I infer that some one trying to do an SSH is what is triggering it" does that mean it was not you? If it was not you, where could the ssh have come from in network terms? Does this computer have a public address on the Internet or is there a firewall and/or NATing router between it and the Internet? Is it on a LAN with several users?
Regards "Is there a possibility that a root kit is there in my system?", of course it is possible but it may not be likely and we don't yet (AFAIK -- a rootkit expert may know different) have evidence for it.
Finally, which distro and version is the computer running?
[QUOTE=catkin;3970357]I have no idea what may be the cause and have seen no such messages (my Slackware 13.0 system does not have pam, it does not run sshd and has /var/log/security instead of /var/log/auth.log) so the only thing I can do is ask more questions to build a full picture.
[quote]
Ok please go ahead.I will try to answer.
Quote:
Originally Posted by catkin
Does the "warning: /etc/hosts.deny, line 20: missing ":" separator" appear more than once?
Yes
Quote:
Originally Posted by catkin
Regards getting rid of the message it would help if you could reproduce it. Are you able to ssh into the system to see if that reproduces it?
I am able to SSH.
Quote:
Originally Posted by catkin
If so you could stop sshd and start it from the command line with a -d option to get more information.
Code:
Restarting OpenBSD Secure Shell server: sshddebug1: sshd version OpenSSH_5.1p1 Debian-5
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Well I had installed BlockHosts-2.0.5
just after your last message.
Quote:
Originally Posted by catkin
When you write "So I infer that some one trying to do an SSH is what is triggering it" does that mean it was not you? If it was not you, where could the ssh have come from in network terms? Does this computer have a public address on the Internet
Yes it is on a public IP.All attacks came from 2 specific IPs.Being an open forum I do not want to put them here.
Quote:
Originally Posted by catkin
Regards "Is there a possibility that a root kit is there in my system?", of course it is possible but it may not be likely and we don't yet (AFAIK -- a rootkit expert may know different) have evidence for it.
Finally, which distro and version is the computer running?
Thanks for all that. One thing I forgot to write was, after starting sshd from the command line, to ssh into the server yourself; I was hoping to get a clue about why the error message was triggered.
In view of the fact that the server is on a public IP and the strangeness of the hosts.deny error message (line 20 of a two line file!?) you could ask the moderators to move this thread to the Security forum where it is more likely to attract the attention of experts in this area. You can do so by using the Report button.
1 # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
2 # See the manual pages hosts_access(5) and hosts_options(5).
3 #
4 # Example: ALL: some.host.name, .some.domain
5 # ALL EXCEPT in.fingerd: other.host.name, .other.domain
6 #
7 # If you're going to protect the portmapper use the name "portmap" for the
8 # daemon name. Remember that you can only use the keyword "ALL" and IP
9 # addresses (NOT host or domain names) for the portmapper, as well as for
10 # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
11 # for further information.
12 #
13 # The PARANOID wildcard matches any host whose name does not match its
14 # address.
15
16 # You may wish to enable this to ensure any programs that don't
17 # validate looked up hostnames still leave understandable logs. In past
18 # versions of Debian this has been the default.
19 ## ALL: PARANOID
20 ALL: 211.43.204.42
21 ALL: 218.67.246.61
22 ALL: 115.238.71.37
1. it doesn't like the blank line at line 15?
2. there's a hidden char (maybe msdos derived) on line 20; try hexdump cmd
3. try deleting the file and just create a new one with only the active lines
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
