Find the answer to your Linux question:
Results 1 to 5 of 5
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    Question Problem with hosts.allow and hosts.deny files

    My VPS got bruteforce SSH attacks from China, so I installed denyhosts, but I don't know why it putted my ip to hosts.deny so I deleted it, and manually added ips to hosts.deny.
    My problem is following:
    Before I installed denyhosts I could login anywhere to my VPS but now I need to add ips to hosts.allow and that's difficult because sometimes I need to use 3G to connect to my VPS.
    So is there a way to use hosts.deny as blacklist and block only ips that are in blacklist instead of using hosts.allow file as whitelist?


  2. #2
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    It's a messy and rather outdated way of doing things to be honest. You'd be better off considering some of the following:

    • Install fail2ban which will actively manage unauthorised access attempts such as brute forcing
    • Run SSH on a nonstandard port to avoid common discovery scripts
    • Consider using only key based authentication, denying all password-based attempts
    • Change the SSH banner to something less identifiable...doesn't really help but it's all about defense in in depth!

  3. #3
    Linux User
    Join Date
    Jun 2012
    SF Bay area
    I don't know "denyhosts" but from checking the Wikipedia entry it sounds like an alternative to "fail2ban", which is what I'm familiar with.

    Assuming it works similarly, the only way your IP would get blocked is if SSH requests from that IP failed enough times. So you'll need to figure out why your SSH connections are failing to really get to the bottom of this. In the meantime here's a couple of idea that might help.

    1. See if "denyhosts" lets you list IP's that should never be blocked even if SSH requests from them fail. If you have any IP's that are always the same, maybe a home Internet connection tends to be stable, then you can use that feature to make sure you can always get in.

    2. Maybe you could run another SSH server on an alternate port that would attract less attention from people running simplistic SSH invasion scripts. You'd have to make sure "denyhosts" was monitoring that alternate port too though since eventually at least some of the bad guys would find that one too.

    3. If you haven't already, DISABLE root logins via SSH since that's probably 90% of the attempts you get. And if the user is disabled, they simply can't login even if they switch IP's every time.

    4. Configure SSH so that it only allows authentication via SSH keys, meaning no user/password allowed. It won't stop the connections but stupid dictionary attacks trying to guess password will failing 100% of the time if you don't let people login with passwords.

    5. And if you are really over it and don't care if you block SSH access to users outside of the US, you could add permanent host based ACL's to do just that. Even if the IP's you use to connect to your VPS changes as you use different devices in different locations, you're never going to present an SSH request from another continent.

  4. $spacer_open
  5. #4
    Linux User
    Join Date
    Jun 2012
    SF Bay area
    Wow, I need to refresh before posting.

  6. #5
    Yes it is.
    But I can't connect to my VPS via SSH if it's ip isn't listed in hosts.allow, so I want to disable that feature and user only hosts.deny.

    I putted proftpd:ALL to hosts.allow file and ALL:twofirstparts.ofmobiledatamyip.* to hosts.allow file. Problem solved.
    Last edited by Cruckes; 08-02-2014 at 04:30 PM. Reason: Problem Solved

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts