question on hosts.allow

Daniel Bye dan at slightlystrange.org
Thu Dec 21 05:58:21 PST 2006


David Banning wrote:
> I have been running denyhosts to stop attacks on my ssh port.
>
> The attacks continue after protection is put in place.
>
> Here is what I have in the tail of my /etc/hosts.allow
> as per the installation instructions;
> -------------------------
> ...<snip>
> sshd : /etc/hosts.deniedssh : deny
> sshd : ALL : allow
> -------------------------
>
> and in /etc/hosts.deniedssh I have;
>
> -------------------------
> sshd: 82.165.182.220 : deny
> sshd: 200.52.90.100 : deny
> -------------------------

This isn't quite right.  This file should contain IP addresses, one per
line, without any of the extraneous stuff - the `sshd' and `deny' bits
are taken care of by the

sshd : /etc/hosts.deniedssh : deny

line in /etc/hosts.allow.  (Effectively, with your current setup, your
hosts.allow rules expand to something like this:

sshd : sshd : 82.165.182.220 : deny : deny

which doesn't make much sense!)

At a guess, your BLOCK_SERVICE is set to something other than an empty
value.  It needs to be "BLOCK_SERVICE =" (without the quotes, of
course...) to ensure that only offending IP addresses get written out to
the auxiliary file.

>
> but I am still receiving attacks from the last IP address. So I am wondering
> what program actually -reads- hosts.allow

It should be read by anything that's built with tcpwrappers support.  In
this case, it would be sshd.

> Maybe it has to be reset, or restarted?

No, I don't think so.  I would imagine the problem is the screwy syntax
of your config.  Try setting BLOCK_SERVICE in
/usr/local/etc/denyhosts.conf, restart DenyHosts and see what happens...

Dan

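The file format described in the reply above can be checked mechanically. The following is an added example, not part of the original post and not DenyHosts code: the function names lint_deny_file and clean_deny_file are hypothetical, and it assumes the auxiliary file is meant to hold one bare IPv4 address per line.

```shell
#!/bin/sh
# Added example (not from the original post or from DenyHosts).
# tcp_wrappers treats a pattern starting with "/" as a file of host
# patterns, so a file such as /etc/hosts.deniedssh must hold bare
# addresses only. Assumption: IPv4 entries, one per line.

# Report every line that is not a single bare IPv4 address.
# Prints "lineno: text" per offending line; exit status 1 if any found.
lint_deny_file() {
    awk '
        NF == 0 { next }                                   # blank line
        NF == 1 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        { printf "%d: %s\n", NR, $0; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Write a repaired copy to stdout: drop a leading "daemon :" field and
# a trailing ": deny" / ": allow" field, then trim whitespace.
clean_deny_file() {
    sed -E \
        -e 's/^[[:space:]]*[A-Za-z_][A-Za-z0-9_.-]*[[:space:]]*:[[:space:]]*//' \
        -e 's/[[:space:]]*:[[:space:]]*(deny|allow)[[:space:]]*$//' \
        -e 's/^[[:space:]]+//' \
        -e 's/[[:space:]]+$//' \
        -e '/^$/d' "$1"
}

# Demo on a constructed file holding the two lines quoted in the post.
sample=$(mktemp)
printf 'sshd: 82.165.182.220 : deny\nsshd: 200.52.90.100 : deny\n' > "$sample"
if ! lint_deny_file "$sample"; then
    echo "malformed entries found; cleaned form:"
    clean_deny_file "$sample"
fi
rm -f "$sample"
```
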


More information about the freebsd-questions mailing list