Daniel Bye wrote:
On Thu, Sep 28, 2006 at 05:22:43PM +0100, Robin Becker wrote:
I'm trying to get denyhosts-2.5 to work in 6.0 and have inserted a line in
hosts.allow
ALL: xxx.myoffice.com : allow
sshd: /etc/hosts.deniedssh : deny
ALL: ALL : allow
but am finding that this causes my home ip to be denied even though I log
in with a pre-shared key.
sshd will still avail itself of libwrap's functionality /before/ the
client even has a chance to offer its key. Anyone who manages to get
a copy of your key will need also to satisfy your /etc/hosts.allow
rules before they can use it.
The /etc/hosts.deniedssh file is being created, but my home ip is not
present (it would be hard as I have a dynamically allocated one anyhow).
The hosts.deniedssh file contains entries like
.......
ALL : ALL : 61.219.xx.250 : deny : deny
which, clearly, is nonsense!
I am not writing this file, denyhosts is.
Make sure that denyhosts.cfg has a blank value for BLOCK_SERVICE and
that it points HOSTS_DENY to the right file. I guess that at least
is correct, though.
My bad, I have the value ALL for BLOCK_SERVICE; I suppose that's the
problem. I read further and it seems I do indeed need to set an empty
value. Thanks.
DenyHosts will then correctly record only the IP address of blocked
hosts, which will result in much saner rule expansions!
I have the same setup in 6.1 and it seems to work. But I still see messages
related to line 24 from that setup. Does denyhosts work properly?
I suspect it is not quite the same - check the BLOCK_SERVICE setting on
that machine.
You're probably right.
Check out the DenyHosts FAQ - it's very useful.
http://denyhosts.sourceforge.net/faq.html
And the FreeBSD hosts_options(5) man page as well, which, as I said
earlier, contains the full story on setting up your /etc/hosts.allow.
Thanks again.
--
Robin Becker
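
An added example, not part of the original thread and not DenyHosts code: a small Python check for the two points the thread settles on, that BLOCK_SERVICE is blank and HOSTS_DENY names the file referenced from hosts.allow, and that the file holds only bare addresses. The function names, the sample config text and the 192.0.2.x addresses are constructed, and limiting entries to literal IP addresses is an assumption of this check.

```python
import ipaddress

# Constructed sample inputs (not taken from a real system).
SAMPLE_CFG = "# excerpt\nHOSTS_DENY = /etc/hosts.deniedssh\nBLOCK_SERVICE = ALL\n"
SAMPLE_DENY = "192.0.2.7\nALL : 192.0.2.15 : deny\n"

def parse_cfg(text):
    """Parse 'KEY = value' lines of denyhosts.cfg-style text, skipping # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def bad_pattern_lines(text):
    """Return (line_no, line) for entries that are not bare IP addresses.

    Assumption of this check: every whitespace-separated token must be a
    literal IP address; lines starting with '#' are skipped, not judged.
    """
    bad = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for token in stripped.split():
            try:
                ipaddress.ip_address(token)
            except ValueError:
                bad.append((no, stripped))
                break
    return bad

def audit(cfg_text, deny_path, deny_text):
    """Collect findings for the config and the pattern file it writes to."""
    findings = []
    cfg = parse_cfg(cfg_text)
    if cfg.get("BLOCK_SERVICE", ""):
        findings.append("BLOCK_SERVICE is %r, expected blank" % cfg["BLOCK_SERVICE"])
    if cfg.get("HOSTS_DENY") != deny_path:
        findings.append("HOSTS_DENY is %r, hosts.allow uses %r" % (cfg.get("HOSTS_DENY"), deny_path))
    for no, line in bad_pattern_lines(deny_text):
        findings.append("line %d is not a bare address: %s" % (no, line))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG, "/etc/hosts.deniedssh", SAMPLE_DENY):
        print(finding)
```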