
Put another way, why doesn't denyhosts simply reference /etc/hosts.allow? Why does it have its own file?

Some of the denyhosts tutorials you see instruct the user to add their management IPs to this file while neglecting to even mention /var/lib/denyhosts/allowed-hosts. Are these tutorials simply wrong? Or would this work as intended (i.e., would it prevent denyhosts from locking out the IPs added to /etc/hosts.allow)?

Patrick

2 Answers


/etc/hosts.allow and /etc/hosts.deny are used for TCP Wrappers and affect many services in different ways, but their main aim is to do granular access control to key services.

denyhosts is basically a brute-force protection system that dynamically blocks attacking IPs. It is much simpler in its ACL: an IP is either completely blocked due to brute-force attempts, or it is allowed (due to being on the allow list, or a correct login without going over the failure thresholds).

This ACL is too simple out of the box to put into hosts.allow/hosts.deny, and denyhosts can't read hosts.allow or hosts.deny (yet).

Also to note: denyhosts works at the firewall (iptables) level; TCP Wrappers (hosts.allow/hosts.deny) sits behind the firewall, so it makes more sense not to allow such bad requests through the firewall at all, which would be required in order to use the TCP Wrappers files.

For a bit more explanation of the differences between iptables and TCP Wrappers, take a look at this question and answer on this site: What is the difference between securing a linux box using hosts.[allow|deny] vs iptables?

anthonysomerset
    Err, denyhosts doesn't work at the firewall/IPtables level -- it works at the TCP wrappers level. See here: http://denyhosts.sourceforge.net/faq.html#1_5. Basically, when it finds a host that is violating its policies, it adds the offending host to /etc/hosts.deny. Specifically _"When DenyHosts determines that a given host has attempted to login using a non-existent user account a configurable number of attempts (this is known as the DENY_THRESHOLD_INVALID), DenyHosts will add that host to the /etc/hosts.deny file. This will prevent that host from contacting your sshd server again."_ – Patrick Jan 30 '14 at 20:36
  • My question was basically, "if it's going to BLACK LIST using TCP wrappers, why not WHITE LIST using the same functionality?" i.e., make it symmetric. – Patrick Jan 30 '14 at 20:38

OK, so I figured out the interaction between the two. Basically, while DenyHosts has no^ interaction whatsoever with /etc/hosts.allow, you can put your IP addresses in there to prevent DenyHosts from attempting to ban you.

The reason you can do this is that TCP wrappers will first check hosts.allow and, if you're in there, will stop checking hosts.deny (where you might have been placed by DenyHosts).

If you'd like to prevent DenyHosts from putting you there in the first place, simply add yourself to their private "allowed-hosts" file.

^ Unless of course, you're on a system such as FreeBSD that actually uses /etc/hosts.allow in lieu of /etc/hosts.deny, in which case you'd have to tell DenyHosts that so it looks there instead for banned entries.

Patrick
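The two answers above describe two separate mechanisms: the first answer's point that DenyHosts' own ACL is just "on the allow list, or under the failure threshold, or banned", and the second answer's point that TCP Wrappers consults hosts.allow before hosts.deny, so an entry in hosts.allow shadows whatever DenyHosts later writes to hosts.deny. The following is an added example, not code from DenyHosts or from TCP Wrappers, that models both so the two configurations from the question can be compared side by side. Assumptions: only the ALL, exact-IPv4 and dotted-prefix ("203.0.113.") client patterns of hosts_access(5) are modelled; a single failure threshold stands in for DenyHosts' DENY_THRESHOLD_* settings; the banner appends "sshd: <ip>" lines; and all addresses are constructed test values.

```python
# Added illustration (not DenyHosts' or TCP Wrappers' own code): a small model of
# how hosts_access(5) consults hosts.allow before hosts.deny, and how a
# DenyHosts-style banner decides what to append to hosts.deny. Assumptions:
# only the ALL / exact-IPv4 / dotted-prefix ("203.0.113.") client patterns are
# modelled, one failure threshold stands in for DENY_THRESHOLD_*, and the banner
# writes "sshd: <ip>" lines. All IPs below are constructed test addresses.
from dataclasses import dataclass, field


def _client_matches(pattern: str, client: str) -> bool:
    """Subset of hosts_access(5) client patterns (assumption, see header)."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):       # network prefix: "203.0.113." matches 203.0.113.x
        return client.startswith(pattern)
    return client == pattern


def _file_matches(text: str, daemon: str, client: str) -> bool:
    """True if any 'daemon_list : client_list' line in text matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
        client_ok = any(_client_matches(c, client) for c in clients.split(","))
        if daemon_ok and client_ok:
            return True
    return False


def tcpwrap_decision(daemon: str, client: str, hosts_allow: str, hosts_deny: str) -> str:
    """Lookup order from hosts_access(5): a hosts.allow match grants access and
    stops the search; otherwise a hosts.deny match refuses; otherwise grant."""
    if _file_matches(hosts_allow, daemon, client):
        return "allow"
    if _file_matches(hosts_deny, daemon, client):
        return "deny"
    return "allow"


@dataclass
class FakeDenyHosts:
    """Ban logic: count failed logins per IP and append the IP to hosts.deny
    when the threshold is reached, unless the IP is listed in allowed-hosts."""
    allowed_hosts: str                # contents of /var/lib/denyhosts/allowed-hosts
    threshold: int = 3
    hosts_deny: str = ""              # what the banner has written to /etc/hosts.deny
    failures: dict = field(default_factory=dict)

    def is_allowed(self, ip: str) -> bool:
        return any(_client_matches(l.split("#", 1)[0], ip)
                   for l in self.allowed_hosts.splitlines()
                   if l.split("#", 1)[0].strip())

    def record_failure(self, ip: str) -> bool:
        """Register one failed login; return True if this one triggered a ban."""
        if self.is_allowed(ip):
            return False              # allowed-hosts: never counted, never banned
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] == self.threshold:
            self.hosts_deny += f"sshd: {ip}\n"
            return True
        return False


def simulate(hosts_allow: str, allowed_hosts: str) -> dict:
    """Three failed logins each from a management IP and an attacker, then the
    access decision TCP wrappers would make for each of them afterwards."""
    mgmt, attacker = "203.0.113.5", "198.51.100.7"   # constructed addresses
    dh = FakeDenyHosts(allowed_hosts=allowed_hosts)
    for _ in range(dh.threshold):
        dh.record_failure(mgmt)
        dh.record_failure(attacker)
    return {
        "mgmt_in_hosts_deny": f"sshd: {mgmt}" in dh.hosts_deny,
        "mgmt": tcpwrap_decision("sshd", mgmt, hosts_allow, dh.hosts_deny),
        "attacker": tcpwrap_decision("sshd", attacker, hosts_allow, dh.hosts_deny),
    }


if __name__ == "__main__":
    # Tutorial advice: management IP only in hosts.allow. The banner still
    # writes it to hosts.deny, but the hosts.allow entry is checked first.
    print(simulate(hosts_allow="sshd: 203.0.113.5\n", allowed_hosts=""))
    # DenyHosts' own advice: management IP in allowed-hosts, so it is never banned.
    print(simulate(hosts_allow="", allowed_hosts="203.0.113.5\n"))
```

The first call reproduces the tutorial setup from the question: the management address does end up in hosts.deny, yet TCP Wrappers still admits it because hosts.allow is consulted first, so the tutorials "work" by accident of lookup order. The second call reproduces the allowed-hosts approach, where the address is never written to hosts.deny at all, which is the cleaner state to be in if hosts.allow is ever edited or the daemon is not wrapper-aware.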