information

I asked the same question in stackoverflow.com and was told that this would be a better place to ask. I'm running an Ubuntu Server 13.10. I can connect to it using SSH from any computer except my laptop (MacBook 2007, OSX 10.6.8). OpenSSH was installed using port.

When I try to connect to the server, it will always be added to the host.deny. Nevertheless it is possible to connect to the server of my university with denyhost active. When I'm connected to the university server, it is also possible to connect to mine using the same command.

/var/log/denyhosts:

```
2014-08-31 22:49:28,183 - denyhosts   : INFO     new denied hosts: ['xxx.xxx.xxx.xxx']
2014-08-31 22:49:28,183 - denyhosts   : INFO     new suspicious logins: ['username - xxx.xxx.xxx.xxx']
2014-08-31 22:49:58,283 - denyhosts   : INFO     new suspicious logins: ['username - xxx.xxx.xxx.xxx']
```

/etc/denyhosts.conf:

```
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1y
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /run/denyhosts.pid
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
```

question

What would cause such strange behaviour, and how can I fix it?

Poehli

1 Answer

You can try to whitelist your IP:

sudo vi /etc/hosts.allow
Add (w/o quotes):  "sshd: 1.2.3.4"

Also, check the options in /etc/denyhosts.conf to see if there is anything you want to change.

You can also uninstall denyhosts if it's causing more harm than good (apt-get remove denyhosts), OR tweak the denyhosts.conf thresholds to be more relaxed.

EDIT: denyhosts' FAQ is one of the most comprehensive ones I've ever seen.

Giovanni Tirloni
  • One needs also to edit files in `/var/lib/denyhosts` to remove the host entry from Denyhosts. Also it is good to do the whitelisting also in denyhosts configuration. – Tero Kilkanen Sep 01 '14 at 11:42
  • Thanks, but this is not quite what I want to do. Adding to whitelist is a temporary solution for sure, but since it's a dynamic address it'll change with the next restart of the router. And removing denyhosts... Maybe not ;) I like to have some security on my server ;) Updated the question with the denyhosts.conf – Poehli Sep 01 '14 at 12:13
  • denyhosts is a great idea, especially for Internet-facing servers but the idea of sharing a common blocklist may make you victim of your IP being reused for attacks and then you get later blocked out of your servers. I suggest disabling that and relying only on the thresholds and other features. – Giovanni Tirloni Sep 01 '14 at 13:25
  • Really? You both know it's open to the internet and still suggest it? Is denyhosts that overpowered? I mean I'm getting a lot of attacks from the outside, which denyhosts usually blocks pretty good. Is it a good idea then to only allow pub-/privkey connections instead? My password is strong, but I still fear, that hackers will get past it... – Poehli Sep 01 '14 at 17:37
  • It might be usually "overconfigured", I'd say. I wouldn't go down the path of disabling denyhosts in your case (here we've other solutions to mitigate these risks). Using only pub/privkey is a good idea. Using a non-default port is also a good idea (not against the determined hacker, but the mass-scan opportunist kind of script kiddie), but I think we're changing the scope of the question now. One final suggestion, enable maximum verbosity in denyhosts, check which rule is blocking you and tweak it. – Giovanni Tirloni Sep 01 '14 at 17:45
  • Now this is a good suggestion, I always like good logs, but where can I increase the log level? – Poehli Sep 01 '14 at 18:05
  • http://denyhosts.sourceforge.net/faq.html#3_5 (also check this: http://serverfault.com/questions/148557/fail2ban-and-denyhosts-constantly-ban-me-on-ubuntu) – Giovanni Tirloni Sep 01 '14 at 18:34
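
The "check which rule is blocking you" suggestion in the comments can be approximated offline. The following is an added example, not part of the original thread and not DenyHosts' own code: it counts sshd `Failed password` lines per source address and compares them with the `DENY_THRESHOLD_*` values from the question. Assumptions: the log lines are constructed samples, a host is treated as denied once a count exceeds its threshold, and `DENY_THRESHOLD_RESTRICTED` is left out because it depends on a separate list of restricted usernames.

```python
import re
from collections import Counter

# Thresholds copied from the /etc/denyhosts.conf shown in the question.
THRESHOLDS = {"invalid": 5, "valid": 10, "root": 1}

# Constructed auth.log sample (addresses are from documentation ranges).
SAMPLE_AUTH_LOG = """\
Aug 31 22:48:50 server sshd[4101]: Failed password for root from 203.0.113.7 port 50112 ssh2
Aug 31 22:48:55 server sshd[4101]: Failed password for root from 203.0.113.7 port 50112 ssh2
Aug 31 22:49:02 server sshd[4105]: Failed password for invalid user admin from 203.0.113.7 port 50120 ssh2
Aug 31 22:49:10 server sshd[4110]: Failed password for username from 198.51.100.9 port 40022 ssh2
Aug 31 22:49:20 server sshd[4112]: Accepted password for username from 198.51.100.9 port 40030 ssh2
"""

# Standard OpenSSH wording for a failed password attempt.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def classify(user, invalid):
    """Map one failed attempt to the threshold category it counts against."""
    if invalid:
        return "invalid"
    return "root" if user == "root" else "valid"

def count_failures(log_text):
    """Return {ip: Counter({category: failures})} for failed password lines."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            cat = classify(m.group("user"), m.group("invalid"))
            counts.setdefault(m.group("ip"), Counter())[cat] += 1
    return counts

def tripped(log_text, thresholds=THRESHOLDS):
    """Return {ip: [categories whose count exceeds its threshold]}."""
    result = {}
    for ip, per_cat in count_failures(log_text).items():
        hits = sorted(c for c, n in per_cat.items() if n > thresholds[c])
        if hits:
            result[ip] = hits
    return result

if __name__ == "__main__":
    for ip, cats in tripped(SAMPLE_AUTH_LOG).items():
        print(ip, "exceeds", ", ".join(f"DENY_THRESHOLD_{c.upper()}" for c in cats))
```

Run against the real `/var/log/auth.log` (the `SECURE_LOG` in the config), the per-address counts show which category a client's failures fall into before any threshold is loosened.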