Why would DenyHosts add LTSP clients IPs to /etc/hosts.deny?

Asked by Shahar Or

I have this issue with my LTSP setup, where I have DenyHosts set up to protect the server because it is also internet facing (the ssh port), and the IP of the client (there's currently only one client) on the LAN keeps getting written to /etc/hosts.deny.

I've worked around this by adding it to /etc/hosts.allow (the whole subnet, actually), but this is not tested yet and it is only a workaround, as I do want DenyHosts to work inside the LAN, and this may be a bug.

Is there anything in how LTSP behaves that could cause repeated failed authentications, thus being added by DenyHosts to /etc/hosts.deny?

This is Precise 12.04, up to date.

Thanks
Shahar
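The hosts.allow workaround above is described as untested. The following added script (not part of the question or of DenyHosts) simulates the tcp_wrappers decision order for sshd against constructed copies of the two files, so the effect of an allow line can be checked offline before relying on it; it assumes IPv4-only patterns (ALL, exact address, trailing-dot prefix, net/netmask) and ignores option fields.

```python
import ipaddress

# Constructed sample files (assumed contents, not the asker's real ones).
# DenyHosts appends "sshd: <ip>" lines like the first one to /etc/hosts.deny.
HOSTS_DENY = """\
# lines written by DenyHosts
sshd: 192.168.1.10
sshd: 203.0.113.7
"""
# The workaround from the question: allow the whole LAN subnet for sshd.
HOSTS_ALLOW = """\
sshd: 192.168.1.0/255.255.255.0
"""

def parse_rules(text):
    """Return (daemon_list, client_list) pairs; a third ':' field (options) is dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip):
    """IPv4 client patterns: ALL, exact address, 'a.b.c.' prefix, or net/netmask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network((net, mask), strict=False)
    return pattern == ip

def access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers order: a hosts.allow match grants, then a hosts.deny match
    refuses, otherwise the connection is allowed."""
    def hit(text):
        return any((daemon in ds or "ALL" in ds) and any(client_matches(c, ip) for c in cs)
                   for ds, cs in parse_rules(text))
    return True if hit(allow) else not hit(deny)

if __name__ == "__main__":
    for ip in ("192.168.1.10", "203.0.113.7", "198.51.100.3"):
        print(ip, "allowed" if access("sshd", ip) else "DENIED")
```

With the sample files, the LAN client is allowed despite its hosts.deny entry, the non-LAN address stays blocked, and an address in neither file is allowed by default.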

Thomas Krüger (thkrueger) said (#1):

There is fail2ban; it will block hosts in the firewall, which is far more efficient.

Shahar Or (mightyiam) said (#2):

Do you suggest that there may be a bug in DenyHosts?

Thomas Krüger (thkrueger) said (#3):

There are some disadvantages to the deny files. For example, there are services which do not use PAM for authentication and therefore ignore these files. These services will still be accessible. Also, a possible attacker could still run other attacks than brute force on the service. By using the firewall, an IP can be blocked completely, and a continuing attack will only require minimal system resources, in contrast to application handling, where it can cause a DoS easily.

Shahar Or (mightyiam) said (#4):

That is nice, Thomas. I appreciate it. And it may solve the issue for me in case this is a bug somewhere in DenyHosts. But if this is a bug in DenyHosts, I would like to report it.

And if this is a bug in LTSP in some way, then perhaps it would not help to switch to fail2ban.

I'll try.

Thanks,
Shahar
