
Deny Hosts problem...

erco
Posts: 1
Joined: 30 Nov 2013, 20:53

Deny Hosts problem...

Post by erco »

Hey All!

I'm pretty new to this and would like some help. I installed deny hosts according to instructions on the Excito wiki and now I get blocked from connecting via ssh from a computer in the same network as the B3. What can I do to access it? :oops:

Any help will be much appreciated! :D

*EDIT*
I managed to connect from my phone, tried to edit out the affected IPs from hosts.deny but they mysteriously keep getting added. Can't seem to shut down, restart or --purge either. This is feeling more like I should be taking this to the Deny Hosts forum instead... :lol:
drdr6
Posts: 27
Joined: 13 Sep 2011, 12:35

Re: Deny Hosts problem...

Post by drdr6 »

I've had this problem also and been locked out of the B3. I've not found a way to stop it adding hosts on the local network except to get the login right every time!

If you do get locked out, the quickest fix is to take the client computer off DHCP and give it a different fixed 192.x.x.x address that is on your network. Point the DNS at the IP of your B3. That will let you get back in.

The quickest way to reduce the volume of hack attacks on your SSH port is to move it somewhere non-standard. Mine's up past port 1000 and I see one or two attempts per week. Also consider making access available by public key only and this will improve your security and peace of mind.

Derek
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Deny Hosts problem...

Post by Gordon »

I've never been a big fan of denyhosts - particularly with headless systems! And obviously the only reason why you'd need it is when you have ssh exposed to the whole of an untrusted network (i.e. the internet), but why would you do that? If you have a single IP from which you require ssh access to your B3, just put that in your firewall. If you need "road-warrior" access (i.e. from any possible IP) then a good trick is to move ssh to a different port (you can also use the firewall to translate port 22 to some other port). A nice addition to this is to use the "recent" match of iptables to catch people attempting to access ssh and turn your B3 completely black for those offending IPs. A more advanced trick is to use "knocking" - this requires you to visit ("knock") a specific sequence of ports prior to accessing the actual port. There's a daemon that you can install for this, but you can also do it directly in iptables - either by using a chain of "recent" matches or (if you installed xtables-addons) the "pknock" match.
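
The iptables "recent" approach mentioned in the post above, sketched as an added example that is not part of the thread or of the Excito documentation: a shell function that prints an iptables-restore ruleset rate-limiting new SSH connections while exempting the local network, so a mistyped password on the LAN cannot cause a lockout. The chain name `SSH_GUARD`, the list name `ssh`, the LAN range, the port and the thresholds are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an iptables-restore ruleset;
# nothing is loaded by this script. Chain/list names and defaults are assumptions.

ssh_ruleset() {
    lan_cidr=$1        # trusted local range, e.g. 192.168.1.0/24 (assumed)
    ssh_port=$2        # port sshd actually listens on
    hits=${3:-4}       # new connections allowed per source inside the window
    window=${4:-60}    # window length in seconds

    cat <<EOF
*filter
:SSH_GUARD - [0:0]
# Only NEW connections to the SSH port are inspected; established sessions pass elsewhere.
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j SSH_GUARD
# LAN clients are accepted before any counting happens.
-A SSH_GUARD -s ${lan_cidr} -j ACCEPT
# A source already seen ${hits} times in ${window}s is dropped; --update keeps it listed while it retries.
-A SSH_GUARD -m recent --name ssh --update --seconds ${window} --hitcount ${hits} -j DROP
# Any other source is recorded and allowed through to sshd.
-A SSH_GUARD -m recent --name ssh --set -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: ./ssh_guard.sh 192.168.1.0/24 2222 | iptables-restore --noflush --test
if [ "$#" -ge 2 ]; then
    ssh_ruleset "$@"
fi
```

`--test` only parses the ruleset; drop it to load the rules, and keep `--noflush` so the existing filter rules are not wiped. Keep a second session open while testing on a headless box.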