Bug#395535: claim that ssh doesn't do tcpdwrap (Re: Bug#395535: Syntax)
On Wed, Nov 01, 2006 at 03:43:06PM -0500, Rob Munsch wrote:
> Yes, I understand the hosts.deny syntax. Here's a sample of the file:
>
> ALL: 59.124.63.98
> ALL: 61.187.78.23
>
> sshd: 216.75.32.2
> sshd: 222.122.56.141
>
> ...
>
> I have something called DenyHosts which looks at auth.log, checks for X
> number of bogus login attempts, and adds offending IPs to hosts.deny.
>
> What first tipped me off to this not working was when I saw entries that
> DenyHosts had added an IP to hosts.deny - but auth.log still showed
> login attempts AFTER that timestamp. Anywhere from 5 minutes to a few
> hours later!
>
> So, I tried the localhost test, and it failed. I added
>
> ALL: 127.0.0.1
>
> to hosts.deny, and tried
>
> ssh localhost
> as well as
> ssh 127.0.0.1
> and both times, I get a login prompt.
>
> Thusly:
>
> - -----
> wil-db-1:~# aptitude show openssh-server
> Package: openssh-server
> New: yes
> State: installed
> Automatically installed: yes
> Version: 1:4.3p2-5
>
> - -----
>
> wil-db-1:~# cat /etc/hosts.deny|grep 127.0.0.1
> sshd: 127.0.0.1
> wil-db-1:~# ssh 127.0.0.1
>
> Clearly it is not working as intended. Why, I dunno. I've upgraded it
> once and reinstalled it twice. I don't get it.
>
> Could there be something wrong with libwrap itself on my system?
> Silently failing?
You do realize that /etc/hosts.allow is checked before hosts.deny?
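
The lookup order the reply refers to, as an added example that is not part of the original thread: a simplified Python model of the hosts_access(5) decision, in which a match in hosts.allow grants access before hosts.deny is ever consulted. The hosts.allow content is a constructed assumption (the thread never shows that file), and the function names are hypothetical.

```python
# Simplified model of the libwrap lookup order described in hosts_access(5).
# Handles only ALL, exact daemon names, exact IPv4 addresses and "a.b." prefixes.

# Constructed sample: a hypothetical hosts.allow (the thread never shows one).
HOSTS_ALLOW = "sshd: 127.0.0.1, 192.168.   # constructed entry\n"
# Entries taken from the hosts.deny lines quoted in the thread.
HOSTS_DENY = "ALL: 59.124.63.98\nsshd: 216.75.32.2\nsshd: 127.0.0.1\n"

def parse_rules(text):
    """Return [(daemons, clients, rule_line)] for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]   # any option field is ignored
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split(), line))
    return rules

def client_matches(patterns, addr):
    # "a.b." (trailing dot) is an address-prefix pattern
    return any(p == "ALL" or p == addr or (p.endswith(".") and addr.startswith(p))
               for p in patterns)

def first_match(text, daemon, addr):
    for daemons, clients, line in parse_rules(text):
        if ("ALL" in daemons or daemon in daemons) and client_matches(clients, addr):
            return line
    return None

def check_access(allow_text, deny_text, daemon, addr):
    """Return (verdict, deciding_file, deciding_line)."""
    line = first_match(allow_text, daemon, addr)
    if line:  # a match here ends the search: hosts.deny is never read
        return ("granted", "hosts.allow", line)
    line = first_match(deny_text, daemon, addr)
    if line:
        return ("denied", "hosts.deny", line)
    return ("granted", None, None)  # no match in either file: access is granted

if __name__ == "__main__":
    for addr in ("127.0.0.1", "216.75.32.2", "10.0.0.5"):
        print(addr, check_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", addr))
    print("no allow file:", check_access("", HOSTS_DENY, "sshd", "127.0.0.1"))
```

The third element of the result names the rule that decided the outcome, which is the line to look for when a hosts.deny entry appears to have no effect.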