HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

problems with hosts.deny and denyhosts - cannot get it to stop (http://www.howtoforge.com/forums/showthread.php?t=23594)

chillifire 25th May 2008 13:18

problems with hosts.deny and denyhosts - cannot get it to stop
 
Dear All,

This one drives me nuts. I had denyhosts installed on my server (installed Perfect Ubuntu server 7.10 upgraded to 8.04, running ISPConfig) and it is working well - too well in fact. My own IP address keeps being blocked, although I have entered it with ALL: a.b.c.d in hosts.allow and also into /var/lib/denyhosts/allowed-hosts.
This is very annoying, as even just logging into my website may trigger this. Certain pages with mysql queries will set this off, ftping into the site with SmartFTP etc. Nothing like this happened before I installed denyhosts.

But now it gets weird. Even when I stop denyhosts with /etc/init.d/denyhosts stop my IP address will still be appended (yes, I checked there was no denyhosts process running with ps aux | grep deny). I can even remove the package with apt-get remove denyhosts. The system will still keep appending my IP address.

Am I seeing ghosts? Is there something else that could update deny.hosts? (I do run monit, munin, snort, prelude and OSSEC on the server).

I just cannot get rid of this #@!@!#@!

Can anyone help?

Cheers

falko 26th May 2008 15:32

What's the output of
Code:

ls -la /var/lib/denyhosts/
?

chillifire 26th May 2008 20:04

Output as requested
 
As requested:

Code:

root@blackbird:~# ls -la /var/lib/denyhosts
total 12
drwxr-xr-x  2 root root 4096 May 26 09:36 .
drwxr-xr-x 35 root root 4096 May 25 22:56 ..
-rw-r--r--  1 root root  110 May 26 09:36 allowed-hosts

That's what is in it: my home's IP address (as received from my ISP's DHCP server), my public servers and the loopback (I have replaced numbers with letters to hide my addresses) :) :
Code:

root@blackbird:~# cat /var/lib/denyhosts/allowed-hosts
# allowed hosts not to be blocked
x.y.z.10
a.b.c.11
a.b.c.30
a.b.c.36
a.b.c.43
127.0.0.1

But why does it matter? Again, denyhosts is not running, but the x.y.z.10 address keeps being added with ALL: x.y.z.10 to /etc/hosts.deny when I perform seemingly normal operations. For example, when I run SmartFTP on my PC and try to transfer some data into a directory with no public write access, the server will give an access denied to me (what you would expect). Immediately my IP address is added to hosts.deny and the connection will be lost (wouldn't expect that without denyhosts running).

See, no denyhosts:
Code:

root@blackbird:~# ps aux |grep deny
root      5981  0.0  0.2  1796  536 pts/0    R+  05:54  0:00 grep deny


falko 27th May 2008 18:00

Can you post the full output of
Code:

ps aux
?

Also, what's the output of
Code:

crontab -l
? Maybe DenyHosts is called by a cron job...

chillifire 27th May 2008 19:50

Output as requested
 
ps aux
Code:

root        1  0.0  0.2  1920  532 ?        Ss  May26  0:00 /sbin/init
root        2  0.0  0.0      0    0 ?        S    May26  0:00 [migration/0]
root        3  0.0  0.0      0    0 ?        SN  May26  0:00 [ksoftirqd/0]
root        4  0.0  0.0      0    0 ?        S<  May26  0:00 [events/0]
root        5  0.0  0.0      0    0 ?        S<  May26  0:00 [khelper]
root        6  0.0  0.0      0    0 ?        S<  May26  0:00 [kthread]
root        7  0.0  0.0      0    0 ?        S<  May26  0:00 [xenwatch]
root        8  0.0  0.0      0    0 ?        S<  May26  0:00 [xenbus]
root        14  0.0  0.0      0    0 ?        S<  May26  0:00 [kblockd/0]
root        16  0.0  0.0      0    0 ?        S<  May26  0:00 [kseriod]
root        59  0.0  0.0      0    0 ?        S<  May26  0:00 [kswapd0]
root        60  0.0  0.0      0    0 ?        S<  May26  0:00 [aio/0]
root        61  0.0  0.0      0    0 ?        S<  May26  0:00 [xfslogd/0]
root        62  0.0  0.0      0    0 ?        S<  May26  0:00 [xfsdatad/0]
root      202  0.0  0.0      0    0 ?        S<  May26  0:00 [kjournald]
root      347  0.0  0.1  2236  348 ?        S<s  May26  0:00 /sbin/udevd --daemon
syslog    1119  0.0  0.2  1952  616 ?        Ss  May26  0:00 /sbin/syslogd -a /var/lib/named/dev/log -u syslog
root      1140  0.0  0.1  1888  420 ?        S    May26  0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog      1142  0.0  0.1  2152  384 ?        Ss  May26  0:00 /sbin/klogd -P /var/run/klogd/kmsg
ntp      1173  0.0  0.3  4136  912 ?        Ss  May26  0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 110:112 -g
root      1222  0.0  1.3  6888  3440 ?        Ss  May26  0:01 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/open
root      1241  0.0  0.2  5328  632 ?        Ss  May26  0:00 /usr/sbin/sshd
root      1302  0.0  0.4  2784  1068 ?        S    May26  0:00 /bin/sh /usr/bin/mysqld_safe
mysql    1344  0.0  4.0 130572 10496 ?        Sl  May26  0:06 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/my
root      1346  0.0  0.1  1712  472 ?        S    May26  0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      1413  0.0  0.1  1920  356 ?        S    May26  0:00 /usr/sbin/courierlogger -pid=/var/run/courier/authdaemon/pid -start /usr/lib/courier/courier
root      1414  0.0  0.1  2084  456 ?        S    May26  0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1439  0.0  0.1  1920  284 ?        S    May26  0:00 /usr/sbin/courierlogger -pid=/var/run/courier/imapd.pid -start -name=imapd /usr/sbin/courier
root      1440  0.0  0.1  2024  464 ?        S    May26  0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=20 -nodnslookup -noidentlookup 143 /
root      1461  0.0  0.1  1920  284 ?        S    May26  0:00 /usr/sbin/courierlogger -pid=/var/run/courier/imapd-ssl.pid -start -name=imapd-ssl /usr/sbin
root      1462  0.0  0.1  2020  464 ?        S    May26  0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=20 -nodnslookup -noidentlookup 993 /
root      1466  0.0  0.2  2300  588 ?        S    May26  0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1467  0.0  0.2  2300  588 ?        S    May26  0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1468  0.0  0.2  2300  588 ?        S    May26  0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1469  0.0  0.2  2300  588 ?        S    May26  0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1470  0.0  0.2  2300  556 ?        S    May26  0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1482  0.0  0.1  1920  428 ?        S    May26  0:00 /usr/sbin/courierlogger -pid=/var/run/courier/pop3d.pid -start -name=pop3d /usr/sbin/courier
root      1483  0.0  0.2  2024  540 ?        S    May26  0:00 /usr/sbin/couriertcpd -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup -address=0 110 /u
root      1504  0.0  0.1  1920  284 ?        S    May26  0:00 /usr/sbin/courierlogger -pid=/var/run/courier/pop3d-ssl.pid -start -name=pop3d-ssl /usr/sbin
root      1505  0.0  0.1  2024  464 ?        S    May26  0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 995 /u
ossecm    1539  0.0  0.5  3068  1416 ?        S    May26  0:00 /var/ossec/bin/ossec-maild
root      1543  0.0  0.1  1992  388 ?        S    May26  0:00 /var/ossec/bin/ossec-execd
ossec    1547  0.0  0.8  13124  2184 ?        Sl  May26  0:02 /var/ossec/bin/ossec-analysisd
root      1552  0.0  0.1  1864  432 ?        S    May26  0:00 /var/ossec/bin/ossec-logcollector
root      1556  0.0  0.3  2064  892 ?        S    May26  0:23 /var/ossec/bin/ossec-syscheckd
ossec    1560  0.0  0.2  2048  612 ?        S    May26  0:00 /var/ossec/bin/ossec-monitord
root      1693  0.0  0.1  7880  368 ?        Ss  May26  0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root      1694  0.0  0.2  9036  776 ?        S    May26  0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root      1695  0.0  0.0  7880    32 ?        S    May26  0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root      1699  0.0  0.0  7880  164 ?        S    May26  0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root      1700  0.0  0.0  7880  108 ?        S    May26  0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root      1847  0.0  0.2  2116  748 ?        Ss  May26  0:00 /usr/sbin/cron
root      1927  0.0  1.0  6920  2772 ?        Ss  May26  0:00 /usr/sbin/munin-node
root      2105  0.0  0.3  14488  928 ?        Ss  May26  0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
root      2106  0.0  0.4  2812  1188 ?        S    May26  0:00 /bin/bash /root/ispconfig/sv/ispconfig_wconf
2003      2115  0.0  0.2  15176  616 ?        S    May26  0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
bind      2454  0.0  0.9  37560  2388 ?        Ssl  May26  0:00 /usr/sbin/named -u bind -t /var/lib/named
2003      2494  0.0  0.3  2924  1028 ?        Ss  May26  0:00 /home/admispconfig/ispconfig/tools/clamav/bin/freshclam -d -c 10 --datadir=/home/admispconfi
root      2500  0.0  0.5  28996  1440 ?        Sl  May26  0:01 /usr/sbin/monit -d 60 -c /etc/monit/monitrc -s /var/lib/monit/monit.state
root      2529  0.0  0.1  1728  432 tty1    Ss+  May26  0:00 /sbin/getty 38400 tty1
2003      5231  0.0  0.2  14956  624 ?        S    May26  0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
root      8644  0.0  1.3  43740  3484 ?        Ss  May26  0:00 /usr/sbin/apache2 -k start
root      8645  0.0  0.1  1772  472 ?        S    May26  0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispcon
root    12779  0.0  0.0      0    0 ?        S    May26  0:00 [pdflush]
root    21936  0.0  0.0      0    0 ?        S    May26  0:00 [pdflush]
root    19752  0.0  0.1  49284  388 ?        Ssl  May26  0:00 /usr/sbin/freeradius
www-data 31679  0.0  5.2  49480 13692 ?        S    May27  0:07 /usr/sbin/apache2 -k start
snort    11205  0.0 23.1 185124 60716 ?        Ssl  May27  0:07 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S
www-data 16886  0.0  6.0  49728 15968 ?        S    May27  0:07 /usr/sbin/apache2 -k start
www-data 22669  0.0  4.3  45520 11308 ?        S    May27  0:05 /usr/sbin/apache2 -k start
www-data 22671  0.0  5.6  48868 14928 ?        S    May27  0:05 /usr/sbin/apache2 -k start
www-data 19323  0.0  6.0  49696 15900 ?        S    May27  0:02 /usr/sbin/apache2 -k start
www-data 19324  0.0  5.6  49092 14856 ?        S    May27  0:02 /usr/sbin/apache2 -k start
www-data 20521  0.0  5.7  48860 15164 ?        S    May27  0:03 /usr/sbin/apache2 -k start
www-data  9852  0.0  4.0  44812 10716 ?        S    May27  0:01 /usr/sbin/apache2 -k start
proftpd  9980  0.0  0.6  9836  1612 ?        Ss  May27  0:00 proftpd: (accepting connections)
root    10051  0.0  0.6  5408  1760 ?        Ss  May27  0:00 /usr/lib/postfix/master
postfix  10063  0.0  0.6  5460  1804 ?        S    May27  0:00 qmgr -l -t fifo -u
postfix  10115  0.0  0.9  5784  2464 ?        S    May27  0:00 tlsmgr -l -t unix -u -c
www-data 18903  0.0  4.2  45500 11176 ?        S    01:06  0:01 /usr/sbin/apache2 -k start
postfix  12245  0.0  0.6  5420  1712 ?        S    04:44  0:00 pickup -l -t fifo -u -c
www-data 14595  0.0  3.7  44576  9788 ?        S    05:00  0:00 /usr/sbin/apache2 -k start
postfix  17060  0.0  1.2  6448  3252 ?        S    05:21  0:00 smtpd -n smtp -t inet -u -c -o stress  -s 2
root    19551  0.0  1.4  11364  3716 ?        Ss  05:43  0:00 sshd: root@pts/0
root    19555  0.0  0.6  2920  1628 pts/0    Ss  05:43  0:00 -bash
proftpd  19567  0.0  0.8  9836  2200 ?        S    05:43  0:00 proftpd: (accepting connections)
root    19571  0.0  0.2  1864  532 ?        S    05:44  0:00 sleep 10
root    19572  0.0  0.3  2380  920 pts/0    R+  05:44  0:00 ps aux

crontab -l
Code:

30 00 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/logs.php &> /dev/null
59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/ftp_logs.php &> /dev/null
59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/mail_logs.php &> /dev/null
59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/cleanup.php &> /dev/null
0 4 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/webalizer.php &> /dev/null
0,30 * * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/check_services.php &> /dev/null
15 3,15 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/quota_msg.php &> /dev/null
40 00 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/traffic.php &> /dev/null
05 02 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/backup.php &> /dev/null
0 4 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/awstats.php &> /dev/null

BTW, the behavior persists after rebooting.

Could something else be updating hosts.deny, OSSEC, prelude, snort, prewikka perhaps?

falko 28th May 2008 16:29

The outputs look ok.

Quote:

Originally Posted by chillifire (Post 127973)
Could something else be updating hosts.deny, OSSEC, prelude, snort, prewikka perhaps?

Yes, that's possible.

chillifire 1st June 2008 07:25

OSSEC was it
 
The active-response module of OSSEC was switched on, which amongst other things adds host IP addresses to hosts.deny. The problem was solved by adding the relevant host IPs to /var/ossec/etc/ossec.conf as members of the 'white list'. Problem solved.
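The thread's diagnosis took four posts because three different mechanisms can each put an address into /etc/hosts.deny: TCP wrappers entries, DenyHosts, and OSSEC's active response (the host-deny command). The script below is an added example, not code from the thread or from the OSSEC or DenyHosts projects: it reads the same files the posters inspected and reports, for one address, where it is allowed and whether OSSEC's host-deny response could still block it. The sample file contents and the 203.0.113.x / 192.0.2.x / 198.51.100.x addresses are constructed placeholders; the `<global><white_list>` and `<active-response><command>host-deny</command>` elements are OSSEC's real configuration syntax, while the helper names (`diagnose`, `ossec_white_list`, and so on) are this example's own.

```python
"""Find out which mechanism can still write an address into /etc/hosts.deny.

Places checked (the ones discussed in the thread):
  - /etc/hosts.allow and /etc/hosts.deny  (TCP wrappers)
  - /var/lib/denyhosts/allowed-hosts      (DenyHosts)
  - <global><white_list> in ossec.conf     (OSSEC active response, host-deny)
Added example; the sample contents below are constructed, not a real server's files.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (placeholder addresses, not the thread's real ones).
SAMPLE_HOSTS_DENY = """\
# /etc/hosts.deny
ALL: 203.0.113.10
ALL: 198.51.100.7
"""
SAMPLE_HOSTS_ALLOW = """\
ALL: 203.0.113.10
sshd: 127.0.0.1
"""
SAMPLE_DENYHOSTS_ALLOWED = """\
# allowed hosts not to be blocked
203.0.113.10
127.0.0.1
"""
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.0/24</white_list>
  </global>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
  </active-response>
</ossec_config>
"""


def wrapper_entries(text):
    """Parse 'daemon_list : client_list [: option]' lines from hosts.allow/hosts.deny.
    Comments and blank lines are skipped; returns (daemons, clients) set pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        clients = rest.split(":", 1)[0]          # drop any trailing option field
        entries.append(({d.strip() for d in daemons.split(",")},
                        set(clients.replace(",", " ").split())))
    return entries


def ip_in_wrappers(text, ip):
    """True if `ip` is listed in any client list (daemon wildcard or a specific daemon)."""
    return any(ip in clients for _, clients in wrapper_entries(text))


def in_denyhosts_allowed(text, ip):
    """True if `ip` appears in DenyHosts' allowed-hosts file (one address per line)."""
    return ip in {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def _parse_ossec(conf_text):
    # ossec.conf may contain several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own; strip any XML declaration and wrap in one root.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", conf_text)
    return ET.fromstring("<root>" + body + "</root>")


def ossec_white_list(conf_text):
    """All <white_list> entries (addresses or CIDR networks) in the config."""
    return [e.text.strip() for e in _parse_ossec(conf_text).iter("white_list") if e.text]


def ossec_host_deny_active(conf_text):
    """True if an <active-response> block uses the host-deny command (writes hosts.deny)."""
    return any((ar.findtext("command") or "").strip() == "host-deny"
               for ar in _parse_ossec(conf_text).iter("active-response"))


def ossec_whitelisted(entries, ip):
    """True if `ip` falls inside any white_list address or network; hostnames are skipped."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue
    return False


def diagnose(ip, hosts_deny, hosts_allow, denyhosts_allowed, ossec_conf):
    """Report where `ip` is allowed and whether OSSEC's host-deny response can still block it."""
    report = {
        "in_hosts_deny": ip_in_wrappers(hosts_deny, ip),
        "in_hosts_allow": ip_in_wrappers(hosts_allow, ip),
        "in_denyhosts_allowed": in_denyhosts_allowed(denyhosts_allowed, ip),
        "in_ossec_white_list": ossec_whitelisted(ossec_white_list(ossec_conf), ip),
        "ossec_host_deny_active": ossec_host_deny_active(ossec_conf),
    }
    # The thread's situation: allowed everywhere except OSSEC, so OSSEC keeps re-adding it.
    report["ossec_can_block"] = report["ossec_host_deny_active"] and not report["in_ossec_white_list"]
    return report


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.5"):
        print(ip, diagnose(ip, SAMPLE_HOSTS_DENY, SAMPLE_HOSTS_ALLOW,
                           SAMPLE_DENYHOSTS_ALLOWED, SAMPLE_OSSEC_CONF))
```

On a real server, replace the sample strings with the contents of the four files (the OSSEC config lives at /var/ossec/etc/ossec.conf by default). An address that shows `ossec_can_block` as true is in exactly the position chillifire was in: hosts.allow and allowed-hosts do not stop OSSEC's active response, so the address has to be added as a `<white_list>` entry under `<global>` and OSSEC restarted for the change to take effect.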

