problems with hosts.deny and denyhosts - cannot get it to stop

Discussion in 'HOWTO-Related Questions' started by chillifire, May 25, 2008.

  1. chillifire

    chillifire New Member

    Dear All,

    this one drives me nuts. I had denyhosts installed on my server (installed Perfect Ubuntu server 7.10 upgraded to 8.04, runnning ISPConfig) and is working well - to well in fact. My own IP address keeps being blocked, although I have entered it with ALL: a.b.c.d in hosts.allow and also into /var/lib/denyhosts/allowed-hosts
    This is very annoying, as even just logging into my website may trigger this. Certain pages with mysql queries will set this off, ftping into the site with SmartFTP etc. Nothing like this happened beofre I installed denyhosts.

    But now it gets weared. Even when I stop denyhosts with /etc/init.d/denyhosts stop my IP address will still be appended (yes, I checked there was no denyhosts process rung with ps aux | grep deny). I can even remove the package with apt-get remove denyhosts. The system will still keep appending my IP address.

    Am I seeing ghosts? Is there something else that could update deny.hosts? (I do run monit, munin, snort, prelude and OSSEC on the server).

    I just cannot get rid of this #@!@!#@!

    Can anyone help?

    Cheers
     
  2. falko

    falko Super Moderator

    What's the output of
    Code:
    ls -la /var/lib/denyhosts/
    ?
     
  3. chillifire

    chillifire New Member

    Output as requested

    As requested:

    Code:
    root@blackbird:~# ls -la /var/lib/denyhosts
    total 12
    drwxr-xr-x  2 root root 4096 May 26 09:36 .
    drwxr-xr-x 35 root root 4096 May 25 22:56 ..
    -rw-r--r--  1 root root  110 May 26 09:36 allowed-hosts
    That's what is in it, my home's IP address (as received from my ICPs DHCP server), my public servers and the loopback - (have replaced numbers with letters to hide my addresses) :) :
    Code:
    root@blackbird:~# cat /var/lib/denyhosts/allowed-hosts
    # allowed hosts not to be blocked
    x.y.z.10
    a.b.c.11
    a.b.c.30
    a.b.c.36
    a.b.c.43
    127.0.0.1
    But why does it matter? Again, denyhosts is not running, but the x.y.z.10 address keeps being added with ALL: x.y.z.10 to /etc/hosts.deny, when I perform normal seemingly operations. For example, when I runn Smartftp on my PC and and try to transfer some data into a directory, whith no public write accesss, the server will give and access denied to me (what you would expect). Immediately my ip address is added to hosts.deny and the connection will be lost (wouldn't expect that without denyhosts running).

    See, no denyhosts:
    Code:
    root@blackbird:~# ps aux |grep deny
    root      5981  0.0  0.2   1796   536 pts/0    R+   05:54   0:00 grep deny
     
    Last edited: May 26, 2008
  4. falko

    falko Super Moderator

    Can you post the full output of
    Code:
    ps aux
    ?

    Also, what's the output of
    Code:
    crontab -l
    ? Maybe DenyHosts is called by a cron job...
     
  5. chillifire

    chillifire New Member

    Output as requested

    ps aux
    Code:
    root         1  0.0  0.2   1920   532 ?        Ss   May26   0:00 /sbin/init
    root         2  0.0  0.0      0     0 ?        S    May26   0:00 [migration/0]
    root         3  0.0  0.0      0     0 ?        SN   May26   0:00 [ksoftirqd/0]
    root         4  0.0  0.0      0     0 ?        S<   May26   0:00 [events/0]
    root         5  0.0  0.0      0     0 ?        S<   May26   0:00 [khelper]
    root         6  0.0  0.0      0     0 ?        S<   May26   0:00 [kthread]
    root         7  0.0  0.0      0     0 ?        S<   May26   0:00 [xenwatch]
    root         8  0.0  0.0      0     0 ?        S<   May26   0:00 [xenbus]
    root        14  0.0  0.0      0     0 ?        S<   May26   0:00 [kblockd/0]
    root        16  0.0  0.0      0     0 ?        S<   May26   0:00 [kseriod]
    root        59  0.0  0.0      0     0 ?        S<   May26   0:00 [kswapd0]
    root        60  0.0  0.0      0     0 ?        S<   May26   0:00 [aio/0]
    root        61  0.0  0.0      0     0 ?        S<   May26   0:00 [xfslogd/0]
    root        62  0.0  0.0      0     0 ?        S<   May26   0:00 [xfsdatad/0]
    root       202  0.0  0.0      0     0 ?        S<   May26   0:00 [kjournald]
    root       347  0.0  0.1   2236   348 ?        S<s  May26   0:00 /sbin/udevd --daemon
    syslog    1119  0.0  0.2   1952   616 ?        Ss   May26   0:00 /sbin/syslogd -a /var/lib/named/dev/log -u syslog
    root      1140  0.0  0.1   1888   420 ?        S    May26   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
    klog      1142  0.0  0.1   2152   384 ?        Ss   May26   0:00 /sbin/klogd -P /var/run/klogd/kmsg
    ntp       1173  0.0  0.3   4136   912 ?        Ss   May26   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 110:112 -g
    root      1222  0.0  1.3   6888  3440 ?        Ss   May26   0:01 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/open
    root      1241  0.0  0.2   5328   632 ?        Ss   May26   0:00 /usr/sbin/sshd
    root      1302  0.0  0.4   2784  1068 ?        S    May26   0:00 /bin/sh /usr/bin/mysqld_safe
    mysql     1344  0.0  4.0 130572 10496 ?        Sl   May26   0:06 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/my
    root      1346  0.0  0.1   1712   472 ?        S    May26   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
    root      1413  0.0  0.1   1920   356 ?        S    May26   0:00 /usr/sbin/courierlogger -pid=/var/run/courier/authdaemon/pid -start /usr/lib/courier/courier
    root      1414  0.0  0.1   2084   456 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
    root      1439  0.0  0.1   1920   284 ?        S    May26   0:00 /usr/sbin/courierlogger -pid=/var/run/courier/imapd.pid -start -name=imapd /usr/sbin/courier
    root      1440  0.0  0.1   2024   464 ?        S    May26   0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=20 -nodnslookup -noidentlookup 143 /
    root      1461  0.0  0.1   1920   284 ?        S    May26   0:00 /usr/sbin/courierlogger -pid=/var/run/courier/imapd-ssl.pid -start -name=imapd-ssl /usr/sbin
    root      1462  0.0  0.1   2020   464 ?        S    May26   0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=20 -nodnslookup -noidentlookup 993 /
    root      1466  0.0  0.2   2300   588 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
    root      1467  0.0  0.2   2300   588 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
    root      1468  0.0  0.2   2300   588 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
    root      1469  0.0  0.2   2300   588 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
    root      1470  0.0  0.2   2300   556 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
    root      1482  0.0  0.1   1920   428 ?        S    May26   0:00 /usr/sbin/courierlogger -pid=/var/run/courier/pop3d.pid -start -name=pop3d /usr/sbin/courier
    root      1483  0.0  0.2   2024   540 ?        S    May26   0:00 /usr/sbin/couriertcpd -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup -address=0 110 /u
    root      1504  0.0  0.1   1920   284 ?        S    May26   0:00 /usr/sbin/courierlogger -pid=/var/run/courier/pop3d-ssl.pid -start -name=pop3d-ssl /usr/sbin
    root      1505  0.0  0.1   2024   464 ?        S    May26   0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 995 /u
    ossecm    1539  0.0  0.5   3068  1416 ?        S    May26   0:00 /var/ossec/bin/ossec-maild
    root      1543  0.0  0.1   1992   388 ?        S    May26   0:00 /var/ossec/bin/ossec-execd
    ossec     1547  0.0  0.8  13124  2184 ?        Sl   May26   0:02 /var/ossec/bin/ossec-analysisd
    root      1552  0.0  0.1   1864   432 ?        S    May26   0:00 /var/ossec/bin/ossec-logcollector
    root      1556  0.0  0.3   2064   892 ?        S    May26   0:23 /var/ossec/bin/ossec-syscheckd
    ossec     1560  0.0  0.2   2048   612 ?        S    May26   0:00 /var/ossec/bin/ossec-monitord
    root      1693  0.0  0.1   7880   368 ?        Ss   May26   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
    root      1694  0.0  0.2   9036   776 ?        S    May26   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
    root      1695  0.0  0.0   7880    32 ?        S    May26   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
    root      1699  0.0  0.0   7880   164 ?        S    May26   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
    root      1700  0.0  0.0   7880   108 ?        S    May26   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
    root      1847  0.0  0.2   2116   748 ?        Ss   May26   0:00 /usr/sbin/cron
    root      1927  0.0  1.0   6920  2772 ?        Ss   May26   0:00 /usr/sbin/munin-node
    root      2105  0.0  0.3  14488   928 ?        Ss   May26   0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
    root      2106  0.0  0.4   2812  1188 ?        S    May26   0:00 /bin/bash /root/ispconfig/sv/ispconfig_wconf
    2003      2115  0.0  0.2  15176   616 ?        S    May26   0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
    bind      2454  0.0  0.9  37560  2388 ?        Ssl  May26   0:00 /usr/sbin/named -u bind -t /var/lib/named
    2003      2494  0.0  0.3   2924  1028 ?        Ss   May26   0:00 /home/admispconfig/ispconfig/tools/clamav/bin/freshclam -d -c 10 --datadir=/home/admispconfi
    root      2500  0.0  0.5  28996  1440 ?        Sl   May26   0:01 /usr/sbin/monit -d 60 -c /etc/monit/monitrc -s /var/lib/monit/monit.state
    root      2529  0.0  0.1   1728   432 tty1     Ss+  May26   0:00 /sbin/getty 38400 tty1
    2003      5231  0.0  0.2  14956   624 ?        S    May26   0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
    root      8644  0.0  1.3  43740  3484 ?        Ss   May26   0:00 /usr/sbin/apache2 -k start
    root      8645  0.0  0.1   1772   472 ?        S    May26   0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispcon
    root     12779  0.0  0.0      0     0 ?        S    May26   0:00 [pdflush]
    root     21936  0.0  0.0      0     0 ?        S    May26   0:00 [pdflush]
    root     19752  0.0  0.1  49284   388 ?        Ssl  May26   0:00 /usr/sbin/freeradius
    www-data 31679  0.0  5.2  49480 13692 ?        S    May27   0:07 /usr/sbin/apache2 -k start
    snort    11205  0.0 23.1 185124 60716 ?        Ssl  May27   0:07 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S
    www-data 16886  0.0  6.0  49728 15968 ?        S    May27   0:07 /usr/sbin/apache2 -k start
    www-data 22669  0.0  4.3  45520 11308 ?        S    May27   0:05 /usr/sbin/apache2 -k start
    www-data 22671  0.0  5.6  48868 14928 ?        S    May27   0:05 /usr/sbin/apache2 -k start
    www-data 19323  0.0  6.0  49696 15900 ?        S    May27   0:02 /usr/sbin/apache2 -k start
    www-data 19324  0.0  5.6  49092 14856 ?        S    May27   0:02 /usr/sbin/apache2 -k start
    www-data 20521  0.0  5.7  48860 15164 ?        S    May27   0:03 /usr/sbin/apache2 -k start
    www-data  9852  0.0  4.0  44812 10716 ?        S    May27   0:01 /usr/sbin/apache2 -k start
    proftpd   9980  0.0  0.6   9836  1612 ?        Ss   May27   0:00 proftpd: (accepting connections)
    root     10051  0.0  0.6   5408  1760 ?        Ss   May27   0:00 /usr/lib/postfix/master
    postfix  10063  0.0  0.6   5460  1804 ?        S    May27   0:00 qmgr -l -t fifo -u
    postfix  10115  0.0  0.9   5784  2464 ?        S    May27   0:00 tlsmgr -l -t unix -u -c
    www-data 18903  0.0  4.2  45500 11176 ?        S    01:06   0:01 /usr/sbin/apache2 -k start
    postfix  12245  0.0  0.6   5420  1712 ?        S    04:44   0:00 pickup -l -t fifo -u -c
    www-data 14595  0.0  3.7  44576  9788 ?        S    05:00   0:00 /usr/sbin/apache2 -k start
    postfix  17060  0.0  1.2   6448  3252 ?        S    05:21   0:00 smtpd -n smtp -t inet -u -c -o stress  -s 2
    root     19551  0.0  1.4  11364  3716 ?        Ss   05:43   0:00 sshd: root@pts/0
    root     19555  0.0  0.6   2920  1628 pts/0    Ss   05:43   0:00 -bash
    proftpd  19567  0.0  0.8   9836  2200 ?        S    05:43   0:00 proftpd: (accepting connections)
    root     19571  0.0  0.2   1864   532 ?        S    05:44   0:00 sleep 10
    root     19572  0.0  0.3   2380   920 pts/0    R+   05:44   0:00 ps aux
    
    crontab-l
    Code:
    30 00 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/logs.php &> /dev/null
    59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/ftp_logs.php &> /dev/null
    59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/mail_logs.php &> /dev/null
    59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/cleanup.php &> /dev/null
    0 4 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/webalizer.php &> /dev/null
    0,30 * * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/check_services.php &> /dev/null
    15 3,15 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/quota_msg.php &> /dev/null
    40 00 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/traffic.php &> /dev/null
    05 02 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/backup.php &> /dev/null
    0 4 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/awstats.php &> /dev/null
    
    BTW, the behavior persists agter rebooting.

    Could something else be updating hosts.deny, OSSEC, prelude, snort, prewikka perhaps?
     
  6. falko

    falko Super Moderator

    The outputs look ok.

    Yes, that's possible.
     
  7. chillifire

    chillifire New Member

    OSSEC was it

    The active-repsonse module of OSSEC was switched on, which amongst other things adds host IP addresses to hosts.deny. The problem vas solved by adding the relevant host IPs to /var/ossec/etc/ossec.conf as memebrs of the 'white list'. Problem solved
     

Share This Page