
Locked out by denyhosts?

guyran
Posts: 8
Joined: 18 Nov 2011, 09:52

Locked out by denyhosts?

Post by guyran »

I fear I have committed the irreparable after installing denyhosts and then attempting to tighten up access by limiting it to certain computers on my LAN. I'm not sure if it is this program or a misconfiguration of the sshd_config file that has caused me to get only the "connection refused" message when attempting to log back in.

I have a feeling that it was the restart of the ssh daemon after modifying the config file that has somehow not succeeded, as I am getting the classic "connection refused" message on port 22. However, the only significant change I made to the sshd config file was to add two ListenAddress lines with the local LAN IPs of my two computers. I also added root to DenyUsers.

I tried modifying the rights of a second user to allow ssh login via the Web interface, but on attempting a login from the allowed computers, the connection is still refused.

For the moment my B3 is still running normally except that I can't see the syslog file - hoping that it might tell me if the ssh daemon had restarted correctly. I have not tried rebooting the B3 so far as I am not sure that it will do any good if I have misconfigured the ssh service.

I would be grateful if someone more knowledgeable than me could suggest how to regain access to my Bubba box. :cry:
Registered Linux User #546337 @ linuxcounter.net
Binkem
Posts: 388
Joined: 10 Jul 2008, 02:26

Re: Locked out by denyhosts?

Post by Binkem »

Try booting your B3 using a USB-install image set to rescue mode. Then you should be able to remove the offending lines from your Denyhosts config.
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Locked out by denyhosts?

Post by Gordon »

ListenAddress does not define *from* which IP you can connect but *to* which IP you can connect. What you did is assign an address that is non-local and to which sshd can therefore not bind itself.

A possible fix would be to change the IP address of the B3 so that it matches one of the ListenAddress entries you defined in sshd_config. I can't be sure that this will give you instant access because most likely sshd needs to be restarted and this may or may not be pulled in as a dependency when changing the IP - if you can, good, otherwise reboot.
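As an added illustration of Gordon's point (an example script written for this page, not code from the thread or from the Bubba/B3 software): ListenAddress tells sshd which local addresses to bind, so an entry that belongs to another machine can never be bound, and if none of the listed addresses can be bound sshd exits and every connection is refused. The check below parses the ListenAddress directives of an sshd_config and reports any that no local interface carries. The config text and the list of local addresses are constructed for the example; on a real host you would read /etc/ssh/sshd_config and the addresses printed by `ip -4 -o addr`.

```shell
#!/bin/sh
# Added example: verify that every ListenAddress in an sshd_config is an
# address this host actually has, BEFORE restarting sshd.

# Constructed sshd_config excerpt. 192.168.1.25 is deliberately an address
# that belongs to a client PC, not to this server.
SSHD_CONFIG_TEXT='Port 22
# bind only to the LAN address of this server
ListenAddress 192.168.1.10
ListenAddress 192.168.1.25:22
DenyUsers root
'

# Constructed list of addresses bound on this host (one per line).
# Real use: ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1
LOCAL_ADDRS='127.0.0.1
192.168.1.10'

# listen_addresses CONFIG_TEXT
#   Prints the bare IP of each ListenAddress directive, ignoring comments,
#   stripping an IPv4 ":port" suffix and skipping the wildcard forms,
#   which always bind.
listen_addresses() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "listenaddress" {
            addr = $2
            sub(/:[0-9]+$/, "", addr)
            if (addr == "0.0.0.0" || addr == "::") next
            print addr
        }'
}

# unbound_listen_addresses CONFIG_TEXT LOCAL_ADDRS
#   Prints every ListenAddress that is not in LOCAL_ADDRS.
#   Returns 1 if at least one such entry exists, 0 otherwise.
unbound_listen_addresses() {
    found=0
    for a in $(listen_addresses "$1"); do
        if ! printf '%s\n' "$2" | grep -qxF -- "$a"; then
            echo "$a"
            found=1
        fi
    done
    return $found
}

# sshd_config_is_safe CONFIG_TEXT LOCAL_ADDRS
#   Returns 0 when sshd could bind all listed addresses, 1 otherwise.
#   A config with no ListenAddress at all binds the wildcard and is safe.
sshd_config_is_safe() {
    unbound_listen_addresses "$1" "$2" >/dev/null
}

# Stand-alone run: report the verdict for the constructed config.
if sshd_config_is_safe "$SSHD_CONFIG_TEXT" "$LOCAL_ADDRS"; then
    echo "all ListenAddress entries are local; safe to restart sshd"
else
    echo "do NOT restart sshd; these ListenAddress entries are not local:"
    unbound_listen_addresses "$SSHD_CONFIG_TEXT" "$LOCAL_ADDRS"
fi
```

Run it with the real file and the real interface list before `service ssh restart`, and keep the session you are editing from open until a second login has succeeded: the check only catches the bind problem Gordon describes, not other ways a config edit can lock you out.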
oliver

Re: Locked out by denyhosts?

Post by oliver »

This is what I would do, too. Mostly you can get access when changing your client's IP address. That's my experience.

Hope that helps !

Regards

Oliver
guyran
Posts: 8
Joined: 18 Nov 2011, 09:52

Re: Locked out by denyhosts?

Post by guyran »

Thanks to Binkem for his suggestion, but in spite of following the advice about using the Rescue system image to access my B3 via a USB stick, I was puzzled to find that the sshd_config file which I had modified and seems to be causing the blockage only appears as a hard link to /etc/bubba/sshd_config, but I couldn't find it. Does this point to another partition?
In spite of removing the denyhosts executable in /etc/init.d to stop it working, I am still locked out.
So I shall try Gordon's suggestion of reassigning the IP of my server and changing that of my client computer.
Will keep you posted.

Update : finally managed to fix my lockout problem thanks to Gordon. As soon as I switched to one of the listed IPs in the ListenAddress line of sshd_config, I got access from another client. I have since removed denyhosts altogether as I was concerned that it kept putting back one of my fixed IP clients into the hosts.deny file. I was also concerned that this file was growing at an alarming rate, which I suppose shows that denyhosts was doing its work, but I have since found another port blocker fail2ban which looks as if it blocks more than port 22. But this could be a subject for another discussion.
Many thanks again for the quick responses from this forum. :D
cheers, Guy
Registered Linux User #546337 @ linuxcounter.net
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Locked out by denyhosts?

Post by Ubi »

why don't you just add an ALLOW rule on top of hosts.deny to whitelist your IP? It's in the manual...
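To show the ordering rule behind Ubi's suggestion, here is an added example (written for this page, not taken from the thread or from any tcp_wrappers or DenyHosts code): a small POSIX shell model of how libwrap evaluates /etc/hosts.allow and /etc/hosts.deny. hosts.allow is consulted first and its first matching line grants access; then hosts.deny is consulted and its first matching line refuses; a line may carry an explicit `: ALLOW` or `: DENY` option that overrides the file it sits in; no match means access. That is why a whitelist line must sit above the entries DenyHosts adds. The file contents are constructed, and the matcher only understands literal IPs, a dotted prefix such as `192.168.1.` and `ALL` (real libwrap also handles hostnames, netmasks and EXCEPT).

```shell
#!/bin/sh
# Added example: a simplified tcp_wrappers decision for a daemon/client pair.

# Constructed /etc/hosts.allow: LAN admin workstations always get in.
HOSTS_ALLOW='# admin workstations
sshd: 192.168.1.20, 192.168.1.21
'

# Constructed /etc/hosts.deny. The first line is the whitelist Ubi describes,
# placed ABOVE the entries that DenyHosts keeps adding.
HOSTS_DENY='sshd: 192.168.1.30 : ALLOW
# lines below are what DenyHosts adds
sshd: 192.168.1.30
sshd: 203.0.113.77
sshd: 198.51.100.
'

# Same entries with the whitelist at the bottom: too late to help.
HOSTS_DENY_WRONG_ORDER='sshd: 192.168.1.30
sshd: 203.0.113.77
sshd: 192.168.1.30 : ALLOW
'

# match_first DAEMON CLIENT_IP FILE_TEXT DEFAULT
#   Prints "allow" or "deny" for the first line matching DAEMON and CLIENT_IP,
#   honouring an explicit ALLOW/DENY option, else DEFAULT; prints nothing if
#   no line matches.
match_first() {
    printf '%s\n' "$3" | awk -v d="$1" -v c="$2" -v def="$4" '
        /^[[:space:]]*(#|$)/ { next }
        {
            n = split($0, f, ":")
            for (i = 1; i <= n; i++) gsub(/^[[:space:]]+|[[:space:]]+$/, "", f[i])
            if (!dmatch(f[1], d) || !cmatch(f[2], c)) next
            opt = (n >= 3) ? tolower(f[3]) : ""
            if (opt == "allow") print "allow"
            else if (opt == "deny") print "deny"
            else print def
            exit
        }
        # daemon_list: comma/space separated names, or ALL
        function dmatch(p, name,  j, k, parts) {
            k = split(p, parts, /[[:space:],]+/)
            for (j = 1; j <= k; j++)
                if (parts[j] == "ALL" || parts[j] == name) return 1
            return 0
        }
        # client_list: literal IPs, dotted prefixes ("198.51.100."), or ALL
        function cmatch(p, ip,  j, k, parts) {
            k = split(p, parts, /[[:space:],]+/)
            for (j = 1; j <= k; j++) {
                if (parts[j] == "ALL" || parts[j] == ip) return 1
                if (parts[j] ~ /\.$/ && index(ip, parts[j]) == 1) return 1
            }
            return 0
        }'
}

# tcpwrap_decision DAEMON CLIENT_IP ALLOW_TEXT DENY_TEXT -> "allow" | "deny"
tcpwrap_decision() {
    r=$(match_first "$1" "$2" "$3" allow)   # hosts.allow first
    if [ -n "$r" ]; then echo "$r"; return; fi
    r=$(match_first "$1" "$2" "$4" deny)    # then hosts.deny
    if [ -n "$r" ]; then echo "$r"; return; fi
    echo allow                              # no match at all: access granted
}

# Stand-alone run: show the verdict for a few constructed clients.
for ip in 192.168.1.20 192.168.1.30 203.0.113.77 198.51.100.9 192.168.1.99; do
    echo "sshd from $ip: $(tcpwrap_decision sshd "$ip" "$HOSTS_ALLOW" "$HOSTS_DENY")"
done
echo "sshd from 192.168.1.30 with whitelist at the bottom: $(tcpwrap_decision sshd 192.168.1.30 "$HOSTS_ALLOW" "$HOSTS_DENY_WRONG_ORDER")"
```

Two caveats for anyone applying this: a whitelist in hosts.allow is the more robust choice, because a tool that rewrites hosts.deny can reorder or duplicate what you put there, and the whole mechanism only works when sshd is built with libwrap (the Debian builds of that era were; OpenSSH 6.7 and later no longer support tcp_wrappers at all, so on current systems the firewall is the place for this rule).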
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Locked out by denyhosts?

Post by Gordon »

Ubi wrote: why don't you just add an ALLOW rule on top of hosts.deny to whitelist your IP? It's in the manual...
Why not just use the firewall? I've actually been thinking of doing something like this myself - not for LAN connections but when I'm someplace else. The challenge in this is that I cannot know beforehand what IP I will be on, so I need a mechanism to toggle it on and off.

The trick would consist of a web portal, shielded by an x509 personal key, that can probe my origin IP and dynamically add it to a list of trusted IP's (and remove!).
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Locked out by denyhosts?

Post by Ubi »

That sounds indeed cool, but maybe more for a Linux guru such as yourself, and maybe not for the general noob :D :D :D . I used to like denyhosts as it kept the dictionary attacks out. Then I moved the SSH port and all my troubles went away. Moving the port trumps all.
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Locked out by denyhosts?

Post by Gordon »

Ubi wrote: That sounds indeed cool, but maybe more for a Linux guru such as yourself, and maybe not for the general noob :D :D :D . I used to like denyhosts as it kept the dictionary attacks out. Then I moved the SSH port and all my troubles went away. Moving the port trumps all.
Actually, it's not really that hard to do. The certificate part just adds additional safety to certain web folders; if you're comfortable with the standard safety of the admin pages you can just leave it as is.

Next step would be to add a page to Bubba admin, which can be published as a patch file. There's some things I need to figure out for this, but that would be of no concern for someone following the cookbook later. There are two additional packages you need: xtables-addons and ipset. The xtables-addons provide additional functions and targets to the iptables command, including the ipset match which is a simple method of maintaining a list of IP addresses. It is also supported by Shorewall ;)
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Locked out by denyhosts?

Post by Ubi »

It's difficult enough that a pro like you hasn't managed to get it going yet :)
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Locked out by denyhosts?

Post by Gordon »

Ubi wrote: It's difficult enough that a pro like you hasn't managed to get it going yet :)
The professional is having some issues finding enough time for everything he wants to do :mrgreen:
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Locked out by denyhosts?

Post by Ubi »

sounds familiar :D