Bug#395535: the error is in the hosts.deny file

2006-12-08 Thread Jean Robertson
Hello,

The error is in the hosts.deny file.

It should be:

ALL: ALL

Not

ALL: PARANOID

The PARANOID client is described thusly in the man page (hosts_access):

Matches  any  host  whose name does not match its address.

This means that if the host is in the DNS server, it will happily connect. It 
appears that ssh is not paying attention to the hosts.deny file.

This is probably not what you want.

Jean

-- 
Jean Robertson, McGill University (514) 398-8117



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#395535: version 1:4.3p2-5.1 works for me

2006-11-01 Thread Rob Munsch

Greg Norris wrote:
> I just checked this using version 1:4.3p2-5.1 from sid, and it appears 
> to be working as expected.
>
>    [EMAIL PROTECTED] tail -2 /etc/hosts.deny 
>    ALL EXCEPT sshd: PARANOID
>    sshd: 127.0.0.1
>
>    [EMAIL PROTECTED] ssh localhost
>    ssh_exchange_identification: Connection closed by remote host
>
> After removing the bottom line from /etc/hosts.deny, I'm able to logon 
> normally.

Yah, I understand how the test works; it's the version of ssh and the
functionality I'm worried about.  I have
1:4.3p2-5
on a production server, and just shoving a new version onto a live
server is NOT something I really relish doing...

Is there any update on the status of whether this is definitely broken
in versions prior to
1:4.3p2-5.1 ?

--
Rob Munsch
Solutions For Progress IT
www.solutionsforprogress.com





Bug#395535: Info received (version 1:4.3p2-5.1 works for me)

2006-11-01 Thread Rob Munsch

By the by, these are production systems.  "Just install X from sid" is
not really a viable option. :)

--
Rob Munsch
Solutions For Progress IT
www.solutionsforprogress.com





Bug#395535: openssh-server: versions 1:4.3p2-3 and 1:4.3p2-5 work for me

2006-11-01 Thread Magnus Hasselgaard
Package: openssh-server
Followup-For: Bug #395535


I've tried reproducing this with two versions (p2-3 and p2-5) of the
openssh-server package, and the example provided by Greg Norris works fine
with both versions.

However, the original poster reported this not working (i.e. the connection
was allowed instead of denied) with versions p2-2 and p2-5 when 127.0.0.1 was
added to hosts.deny.

Could this be just a matter of hosts.deny syntax?

If I add a line to /etc/hosts.deny containing only the IP address

127.0.0.1 

then connections from localhost are allowed through. If I change that line to 

ALL: 127.0.0.1

or

sshd: 127.0.0.1

then ssh is denied the connection, as it should be.



-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (498, 'testing'), (200, 'stable'), (2, 
'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.26
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openssh-server depends on:
ii  adduser   3.77   Add and remove users and groups
ii  debconf [debconf-2.0] 1.5.3  Debian configuration management sy
ii  dpkg  1.13.21package maintenance system for Deb
ii  libc6 2.3.6-15   GNU C Library: Shared libraries
ii  libcomerr21.38-2 common error description library
ii  libkrb53  1.4.3-4MIT Kerberos runtime libraries
ii  libpam-modules0.79-3 Pluggable Authentication Modules f
ii  libpam-runtime0.79-3 Runtime support for the PAM librar
ii  libpam0g  0.79-3 Pluggable Authentication Modules l
ii  libselinux1   1.30-1 SELinux shared libraries
ii  libssl0.9.8   0.9.8b-2   SSL shared libraries
ii  libwrap0  7.6.dbs-8  Wietse Venema's TCP wrappers libra
ii  openssh-client1:4.3p2-3  Secure shell client, an rlogin/rsh
ii  zlib1g1:1.2.3-13 compression library - runtime

openssh-server recommends no packages.

-- debconf information excluded





Bug#395535: Syntax

2006-11-01 Thread Rob Munsch

Yes, I understand the hosts.deny syntax.  Here's a sample of the file:

ALL: 59.124.63.98
ALL: 61.187.78.23

sshd: 216.75.32.2
sshd: 222.122.56.141

...

I have something called DenyHosts which looks at auth.log, checks for X
number of bogus login attempts, and adds offending IPs to hosts.deny.

What first tipped me off to this not working was when I saw entries that
DenyHosts had added an IP to hosts.deny - but auth.log still showed
login attempts AFTER that timestamp. Anywhere from 5 minutes to a few
hours later!

So, I tried the localhost test, and it failed.  I added

ALL: 127.0.0.1

to hosts.deny, and tried

ssh localhost
as well as
ssh 127.0.0.1
and both times, I get a login prompt.

Thusly:

- -
wil-db-1:~# aptitude show openssh-server
Package: openssh-server
New: yes
State: installed
Automatically installed: yes
Version: 1:4.3p2-5

- -

wil-db-1:~# cat /etc/hosts.deny|grep 127.0.0.1
sshd: 127.0.0.1
wil-db-1:~# ssh 127.0.0.1

***
NOTICE TO USERS


This computer system is the private property of Solutions for Progress,
Inc., whether
individual, corporate or government.  It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
...



Password:

- -


Clearly it is not working as intended.  Why, I dunno.  I've upgraded it
once and reinstalled it twice.  I don't get it.

Could there be something wrong with libwrap itself on my system?
Silently failing?

--
Rob Munsch
Solutions For Progress IT
www.solutionsforprogress.com





Bug#395535: Calling this off

2006-11-01 Thread Rob Munsch

I was really sort of hoping someone would find similar behaviour.  Nuts.
I will check around the affected servers and see what else they have in
common.  What's stranger is I was fairly certain that this was working
correctly some time ago, but all current tests fail and the hosts.deny
file grows yet connection attempts continue.

(denyhosts is working correctly on other systems, so it's either not
that, or it's a local config issue.. but I'm using the same config,
so... aargh).

Thanks for your time.  If this is still open if/when I find anything out
I'll post it.

--
Rob Munsch
Solutions For Progress IT
www.solutionsforprogress.com





Bug#395535:

2006-11-01 Thread Greg Norris
Could you post a complete copy of /etc/hosts.deny as an attachment?  I'm 
thinking that perhaps it contains a non-displayable character which is 
confusing libwrap... a long shot, admittedly, but I've seen this sort of 
thing in the past.

Also, what platform is the affected server?




Bug#395535: claim that ssh doesn't do tcpdwrap (Re: Bug#395535: Syntax)

2006-11-01 Thread Justin Pryzby
On Wed, Nov 01, 2006 at 03:43:06PM -0500, Rob Munsch wrote:
> Yes, I understand the hosts.deny syntax.  Here's a sample of the file:
>
> ALL: 59.124.63.98
> ALL: 61.187.78.23
>
> sshd: 216.75.32.2
> sshd: 222.122.56.141
>
> ...
>
> I have something called DenyHosts which looks at auth.log, checks for X
> number of bogus login attempts, and adds offending IPs to hosts.deny.
>
> What first tipped me off to this not working was when I saw entries that
> DenyHosts had added an IP to hosts.deny - but auth.log still showed
> login attempts AFTER that timestamp. Anywhere from 5 minutes to a few
> hours later!
>
> So, I tried the localhost test, and it failed.  I added
>
> ALL: 127.0.0.1
>
> to hosts.deny, and tried
>
> ssh localhost
> as well as
> ssh 127.0.0.1
> and both times, I get a login prompt.
>
> Thusly:
>
> - -
> wil-db-1:~# aptitude show openssh-server
> Package: openssh-server
> New: yes
> State: installed
> Automatically installed: yes
> Version: 1:4.3p2-5
>
> - -
>
> wil-db-1:~# cat /etc/hosts.deny|grep 127.0.0.1
> sshd: 127.0.0.1
> wil-db-1:~# ssh 127.0.0.1
>
> Clearly it is not working as intended.  Why, I dunno.  I've upgraded it
> once and reinstalled it twice.  I don't get it.
>
> Could there be something wrong with libwrap itself on my system?
> Silently failing?
You do realize that /etc/hosts.allow is checked before hosts.deny?





Bug#395535: claim that ssh doesn't do tcpdwrap (Re: Bug#395535: Syntax)

2006-11-01 Thread Justin Pryzby
On Wed, Nov 01, 2006 at 05:00:16PM -0500, Rob Munsch wrote:
> Justin Pryzby wrote:
>
>> You do realize that /etc/hosts.allow is checked before hosts.deny?
>
> Yes, that's why I added my office's IP to hosts.allow before setting up
> denyhosts; otherwise nasty, nasty things would happen the first time
> someone screwed up their password 5 times :D
>
> That shouldn't allow localhost to ssh when there's a
> sshd: 127.0.0.1
> in hosts.deny, however.
If localhost is in hosts.allow, then tcpd will never deny it access, even if it
is in hosts.deny.

If removal of hosts.allow causes access to be denied (don't do this remotely),
then stuff is working as it should.

Justin
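A small model of the hosts_access(5) decision the thread turns on, added here as an illustration rather than code from libwrap, OpenSSH or Debian: the allow-before-deny order Justin describes, the `daemon_list : client_list` syntax Magnus tested (a bare IP line with no separator is not a rule and is skipped), and the PARANOID and EXCEPT semantics behind Jean's and Greg's hosts.deny lines. The `Client` class and the rule strings fed to it are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Client:
    addr: str
    name: str = ""             # reverse-DNS name ("" when the lookup failed)
    name_matches: bool = True  # False: forward lookup of name disagrees with addr

def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemon_list, client_list) pairs.
    A line without the ':' separator is not a rule: libwrap logs an error and
    skips it, which is why a bare '127.0.0.1' line never denies anything."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue  # blank, comment, or malformed (skipped, not a deny)
        fields = line.split(":")  # IPv4 only; a third field would be a shell command
        rules.append((fields[0].split(), fields[1].split()))
    return rules

def match_list(tokens, match):
    """'a b EXCEPT c d' matches when some item before EXCEPT matches and no
    item after it does (one level of EXCEPT, enough for the thread's rules)."""
    head, _, tail = " ".join(tokens).partition(" EXCEPT ")
    return any(map(match, head.split())) and not any(map(match, tail.split()))

def client_matches(tok, c):
    if tok == "ALL":
        return True
    if tok == "PARANOID":  # hosts_access(5): name does not match address
        return not c.name_matches
    return tok in (c.addr, c.name)  # exact address or host name

def table_matches(rules, daemon, client):
    return any(match_list(d, lambda t: t in ("ALL", daemon))
               and match_list(c, lambda t: client_matches(t, client))
               for d, c in rules)

def hosts_access(allow_text, deny_text, daemon, client):
    """libwrap order: a hosts.allow match grants, else a hosts.deny match
    refuses, else access is granted. Returns True when the connection is allowed."""
    if table_matches(parse_rules(allow_text), daemon, client):
        return True
    return not table_matches(parse_rules(deny_text), daemon, client)

if __name__ == "__main__":  # Magnus's two cases, with constructed hosts.deny contents
    lo = Client("127.0.0.1", "localhost")
    print(hosts_access("", "127.0.0.1\n", "sshd", lo))       # True: bare IP is no rule
    print(hosts_access("", "ALL: 127.0.0.1\n", "sshd", lo))  # False: denied
```

A localhost entry in hosts.allow makes the matching hosts.deny line irrelevant, which is the check Justin suggests running (from the console, not over ssh).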





Bug#395535: version 1:4.3p2-5.1 works for me

2006-10-31 Thread Greg Norris
I just checked this using version 1:4.3p2-5.1 from sid, and it appears 
to be working as expected.

   [EMAIL PROTECTED] tail -2 /etc/hosts.deny 
   ALL EXCEPT sshd: PARANOID
   sshd: 127.0.0.1

   [EMAIL PROTECTED] ssh localhost
   ssh_exchange_identification: Connection closed by remote host

After removing the bottom line from /etc/hosts.deny, I'm able to logon 
normally.




Bug#395535: openssh-server does not seem to care about libwrap

2006-10-27 Thread Rob Munsch

Package: openssh-server
Version: 1:4.3p2-2

Despite being apparently linked against libwrap, the server is not
honoring entries in hosts.deny.  I tested this: added 127.0.0.1 to
hosts.deny, ssh localhost, it allows the connection.

I am using DenyHosts (which provided the above test suggestion).  It
automatically adds dictionary attackers and other jerks to hosts.deny,
and it is currently ineffective.  I did an strace on my ssh to localhost
as well, and I don't see any queries to hosts.allow or .deny.


--
Rob Munsch
Solutions For Progress IT
www.solutionsforprogress.com





Bug#395535: No effect: Upgraded to Version: 1:4.3p2-5

2006-10-27 Thread Rob Munsch

Version: 1:4.3p2-5

Just in case, I upgraded openssh-server.
No effect; behaviour remains the same.

--
Rob Munsch
Solutions For Progress IT
www.solutionsforprogress.com

