[opensuse] tcpwrappers /etc/hosts.deny rules
Hello list,

In an attempt to minimize ssh brute force attacks, I deployed denyhosts ( http://denyhosts.sf.net ) some time ago on an openSUSE 10.2 server. It's working perfectly, and I am very pleased with it.

Now I want to take denyhosts out of daemon mode, and only be executed upon ssh connection attempts. I found a generous amount of documentation on how to do this, and the denyhosts FAQ even links to a (now defunct) website explaining how to do it. The information is equivalent to what can be found at http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_DenyHosts#Alternative_Configu...

This is where I run into trouble. According to http://linux.about.com/od/commands/l/blcmdl5_hostsde.htm under the "Patterns" section:

"A string that begins with a `/' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file."

...which seems to support the aforementioned configuration options. The thing is, I can't get it to work. Not the file option, nor the spawn setting. In fact, this simple test case fails:

---
/etc/hosts.deny:
sshd: /etc/sshd.deny

/etc/sshd.deny:
sshd: 10.0.0.3
---

I also tried various other formats for /etc/sshd.deny, such as whitespace separated, as suggested by the about.com article. If I place "sshd: 10.0.0.3" directly in hosts.deny, it works.

Any ideas?

Best regards
Sylvester Lykkehus

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
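An added illustration, not code from the thread or from tcp_wrappers itself: a minimal Python model of how hosts_access(5) evaluates hosts.deny entries, including the "/file" client pattern the post quotes, where the named file holds whitespace-separated host patterns rather than "daemon: client" rules. The hosts.deny text and the pattern-file contents are constructed inline; EXCEPT lists, netmask patterns and options (spawn, allow) are deliberately left out.

```python
# Added example (not from the thread or from tcp_wrappers): a small model of
# hosts_access(5) evaluation. Per the man page text quoted in the post, a
# client pattern starting with "/" names a file whose whitespace-separated
# tokens are themselves host name or address patterns.

# Constructed stand-in for the filesystem: path -> file contents.
PATTERN_FILES = {
    "/etc/sshd.deny": "10.0.0.3\n192.168.1.\n",   # trailing dot = address prefix
}

# Constructed /etc/hosts.deny contents: "daemon_list : client_list".
HOSTS_DENY = "# deny sshd from anything listed in the pattern file\n" \
             "sshd: /etc/sshd.deny\n"


def _split_list(field: str) -> list:
    """hosts_access lists are separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def client_matches(pattern: str, client: str, files: dict = PATTERN_FILES) -> bool:
    """Match one client pattern: ALL, exact address, 'a.b.' prefix, or /file."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):
        # File pattern: every whitespace-separated token is a pattern in its
        # own right, so nested /file references work. A missing file matches
        # nothing rather than raising.
        contents = files.get(pattern)
        if contents is None:
            return False
        return any(client_matches(tok, client, files) for tok in contents.split())
    if pattern.endswith("."):
        return client.startswith(pattern)
    return pattern == client


def is_denied(daemon: str, client: str, hosts_deny: str = HOSTS_DENY,
              files: dict = PATTERN_FILES) -> bool:
    """True if some hosts.deny line matches both the daemon and the client."""
    for raw in hosts_deny.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemons, clients = (f.strip() for f in line.split(":", 2)[:2])
        if daemon not in _split_list(daemons) and "ALL" not in _split_list(daemons):
            continue
        if any(client_matches(p, client, files) for p in _split_list(clients)):
            return True
    return False


if __name__ == "__main__":
    for host in ("10.0.0.3", "192.168.1.77", "10.0.0.4"):
        print(f"sshd from {host}: {'denied' if is_denied('sshd', host) else 'allowed'}")
```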
On 2008-04-10 11:56, Sylvester Lykkehus wrote:
Hello list,
<snip>
Now I want to take denyhosts out of daemon mode, and only be executed upon ssh connection attempts. I found a generous amount of documentation on how to do this, and the denyhosts FAQ even links to a (now defunct) website explaining how to do it.
<snip>
Maybe it would make sense to include what I have actually tried: denyhosts 2.6 installed from the network:/utilities repo

---
/usr/share/denyhosts/denyhosts.cfg:
HOSTS_DENY = /etc/hosts.denyhosts

/etc/hosts.deny:
sshd: /etc/hosts.denyhosts
sshd:ALL:spawn python /usr/bin/denyhosts.py -c /usr/share/denyhosts/denyhosts.cfg: allow

/etc/hosts.denyhosts (created by running the command as in the spawn rule above):
sshd: xx.xx.xx.xx
sshd: xx.xx.xx.xx
etc...
---
Best regards Sylvester Lykkehus
Sylvester Lykkehus wrote:
Hello list,
In an attempt to minimize ssh brute force attacks, I deployed denyhosts ( http://denyhosts.sf.net ) some time ago on an openSUSE 10.2 server. It's working perfectly, and I am very pleased with it.
Now I want to take denyhosts out of daemon mode, and only be executed upon ssh connection attempts.
Daemons only get CPU cycles when they need to run. By reconfiguring it as you propose, you're going to be continually re-loading it every time it needs to execute, slowing down both overall system performance and network performance. Even being reloaded after getting swapped out to disk is faster than continually looking up the file's path and walking through the filesystem to load up the executable every time, as opposed to going directly to the correct blocks needed in a swap partition.

Taking all of that into account, I would just leave things as they are since you're satisfied that it's working properly.
On Sat, Apr 12, 2008 at 2:44 AM, Sam Clemens wrote:
Sylvester Lykkehus wrote:
Hello list,
In an attempt to minimize ssh brute force attacks, I deployed denyhosts ( http://denyhosts.sf.net ) some time ago on an openSUSE 10.2 server. It's working perfectly, and I am very pleased with it.
Now I want to take denyhosts out of daemon mode, and only be executed upon ssh connection attempts.
Daemons only get CPU cycles when they need to run.
By reconfiguring it as you propose, you're going to be continually re-loading it every time it needs to execute, slowing down both overall system performance and network performance. Even being reloaded after getting swapped out to disk is faster than continually looking up the file's path and walking through the filesystem to load up the executable every time, as opposed to going directly to the correct blocks needed in a swap partition.
Further, DenyHosts is a Python application that monitors the authentication logs and writes IPs to /etc/hosts.deny. This is not at all efficient, and easily outsmarted. Further, it does not address clearing out the /etc/hosts.deny file as would be required sooner or later.

A much better solution is to use the rate limit of iptables, most easily implemented via shorewall, but it can be done in the suse firewall as well. Rate limiting works not only on ssh, but on any port. After X attempts from a given IP within Y timeframe, subsequent attempts are dropped for Z time intervals. It's self-healing, so someone who fat-fingers the keyboard X times in a row has to wait, but it will not require manual action for the limit to clear.

I use this to rate limit ssh, ftp, and IMAP.

http://blog.blackdown.de/2005/02/18/mitigating-ssh-brute-force-attacks-with-...

- --
- ----------JSA---------
On 2008-04-12 11:44, Sam Clemens wrote:
Daemons only get CPU cycles when they need to run.
By reconfiguring it as you propose, you're going to be continually re-loading it every time it needs to execute, slowing down both overall system performance and network performance. Even being reloaded after getting swapped out to disk is faster than continually looking up the file's path and walking through the filesystem to load up the executable every time, as opposed to going directly to the correct blocks needed in a swap partition.
Taking all of that into account, I would just leave things as they are since you're satisfied that it's working properly.
The question was not so much about what's wrong with denyhosts, but rather why /etc/hosts.deny does not accept the format that is specified, i.e. when '/' occurs as the first character in the pattern rule, it should 'load' that file. Don't take it the wrong way, I appreciate your explanation and insight, but I would rather like to know how to make tcpwrappers behave as I would expect.

/Sylvester
participants (3): John Andersen, Sam Clemens, Sylvester Lykkehus