From: Daniel Bye
To: David Banning
Cc: questions@freebsd.org
Date: Thu, 21 Dec 2006 13:45:15 +0000
Subject: Re: question on hosts.allow
Message-ID: <458A8FEB.7090805@slightlystrange.org>

David Banning wrote:
> I have been running denyhosts to stop attacks on my ssh port.
>
> The attacks continue after protection is put in place.
>
> Here is what I have in the tail of my /etc/hosts.allow
> as per the installation instructions;
> -------------------------
> ...
> sshd : /etc/hosts.deniedssh : deny
> sshd : ALL : allow
> -------------------------
>
> and in /etc/hosts.deniedssh I have;
>
> -------------------------
> sshd: 82.165.182.220 : deny
> sshd: 200.52.90.100 : deny
> -------------------------

This isn't quite right. This file should contain IP addresses, one per
line, without any of the extraneous stuff - the `sshd' and `deny' bits
are taken care of by the

    sshd : /etc/hosts.deniedssh : deny

line in /etc/hosts.allow. (Effectively, with your current setup, your
hosts.allow rules expand to something like this:

    sshd : sshd : 82.165.182.220 : deny : deny

which doesn't make much sense!)

At a guess, your BLOCK_SERVICE is set to something other than an empty
value. It needs to be "BLOCK_SERVICE =" (without the quotes, of
course...) to ensure that only offending IP addresses get written out to
the auxiliary file.

>
> but I am still receiving attacks from the last IP address. So I am wondering
> what program actually -reads- hosts.allow

It should be read by anything that's built with tcpwrappers support. In
this case, it would be sshd.

> May be it has to be reset, or restarted?

No, I don't think so. I would imagine the problem is the screwy syntax
of your config. Try setting BLOCK_SERVICE in
/usr/local/etc/denyhosts.conf, restart DenyHosts and see what happens...

Dan
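
Added example (not part of the original message and not DenyHosts code): a Python check that finds file-name client patterns in hosts.allow and reports any token in the referenced file that is not a bare IP address, the form the reply describes. The sample inputs are constructed copies of the two files quoted in the thread; the function names are hypothetical, and the rule parser assumes no IPv6 literals or escaped colons.

```python
import ipaddress
import re

# Constructed sample input: copies of the two files quoted in the thread.
HOSTS_ALLOW = "sshd : /etc/hosts.deniedssh : deny\nsshd : ALL : allow\n"
AUX_FILES = {
    "/etc/hosts.deniedssh":
        "sshd: 82.165.182.220 : deny\nsshd: 200.52.90.100 : deny\n",
}

def file_patterns(hosts_allow_text):
    """Return (daemon_list, path) for every client pattern that names a file."""
    found = []
    for raw in hosts_allow_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: no IPv6 literals or escaped colons in the rule.
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        for client in re.split(r"[\s,]+", fields[1]):
            if client.startswith("/"):
                found.append((fields[0], client))
    return found

def lint_aux(text):
    """Split an auxiliary file into valid addresses and stray tokens."""
    good, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        for token in line.split():
            try:
                good.append(str(ipaddress.ip_address(token)))
            except ValueError:
                bad.append((lineno, token))
    return good, bad

def audit(hosts_allow_text, aux_files):
    """Map each referenced file to its stray tokens and a cleaned version."""
    report = {}
    for daemons, path in file_patterns(hosts_allow_text):
        good, bad = lint_aux(aux_files.get(path, ""))
        report[path] = {"daemons": daemons, "stray": bad,
                        "cleaned": "".join(a + "\n" for a in good)}
    return report

if __name__ == "__main__":
    for path, result in audit(HOSTS_ALLOW, AUX_FILES).items():
        print(path, "stray tokens:", result["stray"])
        print(result["cleaned"], end="")
```

To run it against a live system, read /etc/hosts.allow and each referenced file into the two arguments of `audit` instead of using the embedded samples.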