4

I'm running Ubuntu 13.10 (not LTS, I know...). I have denyhosts installed. I have /etc/hosts.deny and /etc/hosts.allow. I've added 2 IPs to hosts.allow (home + work). However, whenever I sign in from these IPs, I get an email telling me a suspicious sign-in occurred.

I've tried formatting my hosts.allow file in 2 different ways. Neither appears to work.

The first:

...
sshd: iii.i.i.iii : allow
sshd: iii.i.i.iii : allow

The second:

...
sshd: iii.i.i.iii
sshd: iii.i.i.iii

I don't know if this is related, but I've noticed something I can't explain.

If I run

$ sudo service denyhosts restart
 * Stopping DenyHosts denyhosts    [ OK ]
/etc/init.d/denyhosts: 44: test: /etc/hosts.deny: unexpected operator
 * Starting DenyHosts denyhosts  

But if I search for an error in either hosts.deny or hosts.allow, I can't find any:

sudo test -e /etc/hosts.allow
sudo test -e /etc/hosts.deny

And before I forget, my /etc/denyhosts.conf file :

...
# Most operating systems:
HOSTS_DENY = /etc/hosts.deny
#
# Some BSD (FreeBSD) Unixes:
HOSTS_DENY = /etc/hosts.allow
...

As the comment says, /etc/hosts.allow is apparently used on some BSD Unixes. Is this the problem? In some guides I've read for Ubuntu, apparently this is not.

EDIT:

The /etc/init.d/denyhosts file runs:

HOSTS_DENY=$(grep ^HOSTS_DENY $CONFIG  | cut -d = -f 2)

which in my case returns both hosts.allow and hosts.deny.

Abhijeet Kasurde
Simon
  • Have you tried SSH'ing from a different IP (not those 2 allowed IPs)? If it's blocked then it's possible that it's working as expected (you get a warning but you can still go through from your IPs) – LinuxDevOps Mar 28 '14 at 13:30
  • Hi yep. IPs not on the list are not being allowed to sign-in. So it's just the email issue I have to resolve. Thanks for the tip. – Simon Mar 28 '14 at 13:49
  • Not sure why you are getting those warnings, but if you want to disable the email warnings altogether, in the `denyhosts.cfg` file you can set `ADMIN_EMAIL=` – LinuxDevOps Mar 28 '14 at 14:36

3 Answers

3

You have both of those uncommented, so it's leading me to believe that denyhosts is using /etc/hosts.allow. Comment out the second HOSTS_DENY line and restart denyhosts.

If you still get the emails, you need to add SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = NO to your denyhosts.conf file. This requires DenyHosts 0.6 or higher. See this for details.

You'll also need to create an allowed-hosts file with your trusted IP addresses, one per line. This goes in the same folder defined by WORK_DIR in the configuration.

Nathan C
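
The duplicate-key condition discussed above, as an added example that is not part of the original posts or of the DenyHosts package: it runs the init script's `grep | cut` pipeline quoted in the question against a constructed copy of the question's config lines, counts how many words the shell sees, and re-checks after commenting out the hosts.allow line. The function names (`make_sample_conf`, `init_script_value`, `init_script_word_count`, `check_hosts_deny`) are hypothetical.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from DenyHosts.

# Constructed sample: the denyhosts.conf lines shown in the question.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Most operating systems:
HOSTS_DENY = /etc/hosts.deny
#
# Some BSD (FreeBSD) Unixes:
HOSTS_DENY = /etc/hosts.allow
EOF
    echo "$f"
}

# The pipeline from the init script line quoted in the question.
init_script_value() {
    grep '^HOSTS_DENY' "$1" | cut -d = -f 2
}

# Number of words the shell sees when that value is expanded unquoted,
# as in a `test ... $HOSTS_DENY` call. Anything but 1 breaks `test`.
init_script_word_count() {
    set -- $(init_script_value "$1")
    echo "$#"
}

# Pre-restart check: exactly one active HOSTS_DENY value must be set.
check_hosts_deny() {
    n=$(init_script_word_count "$1")
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $n active HOSTS_DENY values in $1, expected 1:"
        grep -n '^HOSTS_DENY' "$1" || true
        return 1
    fi
    echo "OK: HOSTS_DENY =$(init_script_value "$1")"
}

conf=$(make_sample_conf)
check_hosts_deny "$conf" || true          # reports 2 active values
# Apply the fix from the answers: comment out the hosts.allow line.
sed 's|^HOSTS_DENY = /etc/hosts.allow|#&|' "$conf" > "$conf.fixed"
check_hosts_deny "$conf.fixed" || true    # reports the single value
rm -f "$conf" "$conf.fixed"
```

To check a real installation, call `check_hosts_deny /etc/denyhosts.conf` before restarting the service.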
3

You need to comment out the HOSTS_DENY = /etc/hosts.allow line, since you are on Ubuntu and not on a BSD box.

Then, you need to understand how the hosts.(allow|deny) files are processed. Services which use these files always check hosts.allow before hosts.deny and stop at the first match. So, if you grant an IP address access in your hosts.allow file, access will be granted regardless of the contents of hosts.deny. You don't need to care if denyhosts adds further addresses to that file. The hosts.allow file basically allows you to whitelist IP addresses.

See the hosts_access(5) man page for further information.

Oliver
1

Sometimes sshd is compiled without support for hosts.allow and hosts.deny (tcp-wrappers support). This happened on my install of Ubuntu 18.04 LTS. To check if your version of sshd supports it run the following:

  1. which sshd
  2. strings /usr/sbin/sshd | egrep 'hosts.(allow|deny)'

Line #1 above is to check where exactly sshd is installed (e.g. on my RedHat machine it was /sbin/sshd, whilst Ubuntu was /usr/sbin/sshd), so modify #2 accordingly.

Line #2 will have empty output if hosts.deny + hosts.allow is not supported. In that case you will want to download source from openssh.com and rebuild it:

./configure --with-libwrap 
make
sudo make install
Bastion