
25th May 2008, 13:18
HowtoForge Supporter
problems with hosts.deny and denyhosts - cannot get it to stop
Dear All,
this one drives me nuts. I had denyhosts installed on my server (installed Perfect Ubuntu server 7.10 upgraded to 8.04, running ISPConfig) and it is working well - too well in fact. My own IP address keeps being blocked, although I have entered it with ALL: a.b.c.d in hosts.allow and also into /var/lib/denyhosts/allowed-hosts
This is very annoying, as even just logging into my website may trigger this. Certain pages with mysql queries will set this off, ftping into the site with SmartFTP etc. Nothing like this happened before I installed denyhosts.
But now it gets weird. Even when I stop denyhosts with /etc/init.d/denyhosts stop my IP address will still be appended (yes, I checked there was no denyhosts process running with ps aux | grep deny). I can even remove the package with apt-get remove denyhosts. The system will still keep appending my IP address.
Am I seeing ghosts? Is there something else that could update hosts.deny? (I do run monit, munin, snort, prelude and OSSEC on the server).
I just cannot get rid of this #@!@!#@!
Can anyone help?
Cheers

26th May 2008, 15:32
Super Moderator
What's the output of
Code:
ls -la /var/lib/denyhosts/
?

26th May 2008, 20:04
HowtoForge Supporter
Output as requested
As requested:
Code:
root@blackbird:~# ls -la /var/lib/denyhosts
total 12
drwxr-xr-x 2 root root 4096 May 26 09:36 .
drwxr-xr-x 35 root root 4096 May 25 22:56 ..
-rw-r--r-- 1 root root 110 May 26 09:36 allowed-hosts
That's what is in it, my home's IP address (as received from my ISP's DHCP server), my public servers and the loopback - (have replaced numbers with letters to hide my addresses):
Code:
root@blackbird:~# cat /var/lib/denyhosts/allowed-hosts
# allowed hosts not to be blocked
x.y.z.10
a.b.c.11
a.b.c.30
a.b.c.36
a.b.c.43
127.0.0.1
But why does it matter? Again, denyhosts is not running, but the x.y.z.10 address keeps being added with ALL: x.y.z.10 to /etc/hosts.deny when I perform seemingly normal operations. For example, when I run SmartFTP on my PC and try to transfer some data into a directory with no public write access, the server will give an access denied to me (what you would expect). Immediately my IP address is added to hosts.deny and the connection will be lost (wouldn't expect that without denyhosts running).
See, no denyhosts:
Code:
root@blackbird:~# ps aux |grep deny
root 5981 0.0 0.2 1796 536 pts/0 R+ 05:54 0:00 grep deny
Last edited by chillifire; 26th May 2008 at 21:38.

27th May 2008, 18:00
Super Moderator
Can you post the full output of
?
Also, what's the output of ? Maybe DenyHosts is called by a cron job...

27th May 2008, 19:50
HowtoForge Supporter
Output as requested
ps aux
Code:
root 1 0.0 0.2 1920 532 ? Ss May26 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S May26 0:00 [migration/0]
root 3 0.0 0.0 0 0 ? SN May26 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S< May26 0:00 [events/0]
root 5 0.0 0.0 0 0 ? S< May26 0:00 [khelper]
root 6 0.0 0.0 0 0 ? S< May26 0:00 [kthread]
root 7 0.0 0.0 0 0 ? S< May26 0:00 [xenwatch]
root 8 0.0 0.0 0 0 ? S< May26 0:00 [xenbus]
root 14 0.0 0.0 0 0 ? S< May26 0:00 [kblockd/0]
root 16 0.0 0.0 0 0 ? S< May26 0:00 [kseriod]
root 59 0.0 0.0 0 0 ? S< May26 0:00 [kswapd0]
root 60 0.0 0.0 0 0 ? S< May26 0:00 [aio/0]
root 61 0.0 0.0 0 0 ? S< May26 0:00 [xfslogd/0]
root 62 0.0 0.0 0 0 ? S< May26 0:00 [xfsdatad/0]
root 202 0.0 0.0 0 0 ? S< May26 0:00 [kjournald]
root 347 0.0 0.1 2236 348 ? S<s May26 0:00 /sbin/udevd --daemon
syslog 1119 0.0 0.2 1952 616 ? Ss May26 0:00 /sbin/syslogd -a /var/lib/named/dev/log -u syslog
root 1140 0.0 0.1 1888 420 ? S May26 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog 1142 0.0 0.1 2152 384 ? Ss May26 0:00 /sbin/klogd -P /var/run/klogd/kmsg
ntp 1173 0.0 0.3 4136 912 ? Ss May26 0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 110:112 -g
root 1222 0.0 1.3 6888 3440 ? Ss May26 0:01 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/open
root 1241 0.0 0.2 5328 632 ? Ss May26 0:00 /usr/sbin/sshd
root 1302 0.0 0.4 2784 1068 ? S May26 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 1344 0.0 4.0 130572 10496 ? Sl May26 0:06 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/my
root 1346 0.0 0.1 1712 472 ? S May26 0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root 1413 0.0 0.1 1920 356 ? S May26 0:00 /usr/sbin/courierlogger -pid=/var/run/courier/authdaemon/pid -start /usr/lib/courier/courier
root 1414 0.0 0.1 2084 456 ? S May26 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 1439 0.0 0.1 1920 284 ? S May26 0:00 /usr/sbin/courierlogger -pid=/var/run/courier/imapd.pid -start -name=imapd /usr/sbin/courier
root 1440 0.0 0.1 2024 464 ? S May26 0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=20 -nodnslookup -noidentlookup 143 /
root 1461 0.0 0.1 1920 284 ? S May26 0:00 /usr/sbin/courierlogger -pid=/var/run/courier/imapd-ssl.pid -start -name=imapd-ssl /usr/sbin
root 1462 0.0 0.1 2020 464 ? S May26 0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=20 -nodnslookup -noidentlookup 993 /
root 1466 0.0 0.2 2300 588 ? S May26 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 1467 0.0 0.2 2300 588 ? S May26 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 1468 0.0 0.2 2300 588 ? S May26 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 1469 0.0 0.2 2300 588 ? S May26 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 1470 0.0 0.2 2300 556 ? S May26 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 1482 0.0 0.1 1920 428 ? S May26 0:00 /usr/sbin/courierlogger -pid=/var/run/courier/pop3d.pid -start -name=pop3d /usr/sbin/courier
root 1483 0.0 0.2 2024 540 ? S May26 0:00 /usr/sbin/couriertcpd -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup -address=0 110 /u
root 1504 0.0 0.1 1920 284 ? S May26 0:00 /usr/sbin/courierlogger -pid=/var/run/courier/pop3d-ssl.pid -start -name=pop3d-ssl /usr/sbin
root 1505 0.0 0.1 2024 464 ? S May26 0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 995 /u
ossecm 1539 0.0 0.5 3068 1416 ? S May26 0:00 /var/ossec/bin/ossec-maild
root 1543 0.0 0.1 1992 388 ? S May26 0:00 /var/ossec/bin/ossec-execd
ossec 1547 0.0 0.8 13124 2184 ? Sl May26 0:02 /var/ossec/bin/ossec-analysisd
root 1552 0.0 0.1 1864 432 ? S May26 0:00 /var/ossec/bin/ossec-logcollector
root 1556 0.0 0.3 2064 892 ? S May26 0:23 /var/ossec/bin/ossec-syscheckd
ossec 1560 0.0 0.2 2048 612 ? S May26 0:00 /var/ossec/bin/ossec-monitord
root 1693 0.0 0.1 7880 368 ? Ss May26 0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 1694 0.0 0.2 9036 776 ? S May26 0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 1695 0.0 0.0 7880 32 ? S May26 0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 1699 0.0 0.0 7880 164 ? S May26 0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 1700 0.0 0.0 7880 108 ? S May26 0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 1847 0.0 0.2 2116 748 ? Ss May26 0:00 /usr/sbin/cron
root 1927 0.0 1.0 6920 2772 ? Ss May26 0:00 /usr/sbin/munin-node
root 2105 0.0 0.3 14488 928 ? Ss May26 0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
root 2106 0.0 0.4 2812 1188 ? S May26 0:00 /bin/bash /root/ispconfig/sv/ispconfig_wconf
2003 2115 0.0 0.2 15176 616 ? S May26 0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
bind 2454 0.0 0.9 37560 2388 ? Ssl May26 0:00 /usr/sbin/named -u bind -t /var/lib/named
2003 2494 0.0 0.3 2924 1028 ? Ss May26 0:00 /home/admispconfig/ispconfig/tools/clamav/bin/freshclam -d -c 10 --datadir=/home/admispconfi
root 2500 0.0 0.5 28996 1440 ? Sl May26 0:01 /usr/sbin/monit -d 60 -c /etc/monit/monitrc -s /var/lib/monit/monit.state
root 2529 0.0 0.1 1728 432 tty1 Ss+ May26 0:00 /sbin/getty 38400 tty1
2003 5231 0.0 0.2 14956 624 ? S May26 0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
root 8644 0.0 1.3 43740 3484 ? Ss May26 0:00 /usr/sbin/apache2 -k start
root 8645 0.0 0.1 1772 472 ? S May26 0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispcon
root 12779 0.0 0.0 0 0 ? S May26 0:00 [pdflush]
root 21936 0.0 0.0 0 0 ? S May26 0:00 [pdflush]
root 19752 0.0 0.1 49284 388 ? Ssl May26 0:00 /usr/sbin/freeradius
www-data 31679 0.0 5.2 49480 13692 ? S May27 0:07 /usr/sbin/apache2 -k start
snort 11205 0.0 23.1 185124 60716 ? Ssl May27 0:07 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S
www-data 16886 0.0 6.0 49728 15968 ? S May27 0:07 /usr/sbin/apache2 -k start
www-data 22669 0.0 4.3 45520 11308 ? S May27 0:05 /usr/sbin/apache2 -k start
www-data 22671 0.0 5.6 48868 14928 ? S May27 0:05 /usr/sbin/apache2 -k start
www-data 19323 0.0 6.0 49696 15900 ? S May27 0:02 /usr/sbin/apache2 -k start
www-data 19324 0.0 5.6 49092 14856 ? S May27 0:02 /usr/sbin/apache2 -k start
www-data 20521 0.0 5.7 48860 15164 ? S May27 0:03 /usr/sbin/apache2 -k start
www-data 9852 0.0 4.0 44812 10716 ? S May27 0:01 /usr/sbin/apache2 -k start
proftpd 9980 0.0 0.6 9836 1612 ? Ss May27 0:00 proftpd: (accepting connections)
root 10051 0.0 0.6 5408 1760 ? Ss May27 0:00 /usr/lib/postfix/master
postfix 10063 0.0 0.6 5460 1804 ? S May27 0:00 qmgr -l -t fifo -u
postfix 10115 0.0 0.9 5784 2464 ? S May27 0:00 tlsmgr -l -t unix -u -c
www-data 18903 0.0 4.2 45500 11176 ? S 01:06 0:01 /usr/sbin/apache2 -k start
postfix 12245 0.0 0.6 5420 1712 ? S 04:44 0:00 pickup -l -t fifo -u -c
www-data 14595 0.0 3.7 44576 9788 ? S 05:00 0:00 /usr/sbin/apache2 -k start
postfix 17060 0.0 1.2 6448 3252 ? S 05:21 0:00 smtpd -n smtp -t inet -u -c -o stress -s 2
root 19551 0.0 1.4 11364 3716 ? Ss 05:43 0:00 sshd: root@pts/0
root 19555 0.0 0.6 2920 1628 pts/0 Ss 05:43 0:00 -bash
proftpd 19567 0.0 0.8 9836 2200 ? S 05:43 0:00 proftpd: (accepting connections)
root 19571 0.0 0.2 1864 532 ? S 05:44 0:00 sleep 10
root 19572 0.0 0.3 2380 920 pts/0 R+ 05:44 0:00 ps aux
crontab -l
Code:
30 00 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/logs.php &> /dev/null
59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/ftp_logs.php &> /dev/null
59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/mail_logs.php &> /dev/null
59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/cleanup.php &> /dev/null
0 4 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/webalizer.php &> /dev/null
0,30 * * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/check_services.php &> /dev/null
15 3,15 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/quota_msg.php &> /dev/null
40 00 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/traffic.php &> /dev/null
05 02 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/backup.php &> /dev/null
0 4 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/awstats.php &> /dev/null
BTW, the behavior persists after rebooting.
Could something else be updating hosts.deny, OSSEC, prelude, snort, prewikka perhaps?

28th May 2008, 16:29
Super Moderator
The outputs look ok.
Quote:
Originally Posted by chillifire
Could something else be updating hosts.deny, OSSEC, prelude, snort, prewikka perhaps?
Yes, that's possible.

1st June 2008, 07:25
HowtoForge Supporter
OSSEC was it
The active-response module of OSSEC was switched on, which amongst other things adds host IP addresses to hosts.deny. The problem was solved by adding the relevant host IPs to /var/ossec/etc/ossec.conf as members of the 'white list'. Problem solved
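The two pieces of /var/ossec/etc/ossec.conf that the final post is about, as an added example and not the poster's own file: the stock OSSEC host-deny active response that appends "ALL: <ip>" to /etc/hosts.deny whenever an alert of the given level fires, and the white_list entries that exempt the thread's placeholder addresses (x.y.z.10, a.b.c.11 etc.) from any active response.

```xml
<ossec_config>
  <global>
    <!-- Addresses listed here are never passed to an active response.
         Values are the placeholder addresses from the thread; put the
         real management/home and server IPs here. -->
    <white_list>127.0.0.1</white_list>
    <white_list>x.y.z.10</white_list>
    <white_list>a.b.c.11</white_list>
    <white_list>a.b.c.30</white_list>
    <white_list>a.b.c.36</white_list>
    <white_list>a.b.c.43</white_list>
  </global>

  <!-- The command definition: host-deny.sh is the script that writes
       "ALL: <ip>" to /etc/hosts.deny, which is what the poster saw even
       with denyhosts stopped and removed. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- The response that triggers it: any alert at level 6 or above
       (failed FTP logins, web attack signatures, ...) from a source IP
       not in the white list gets its address added for 600 seconds. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing, restart OSSEC (/var/ossec/bin/ossec-control restart) so the white list is reloaded, and delete the stale "ALL: x.y.z.10" line from /etc/hosts.deny by hand, as the whitelist only prevents new entries.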