From: Big Bill on 28 Mar 2010 09:47

Hi

Ubuntu 8.04 desktop, LAMP, Firestarter, Denyhosts on a DMZ port of a router. 4 different Win and Linux stations on the LAN.

Denyhosts does a great job except for one thing. I can't upload any file from the LAN to the server with FileZilla. The connection opens but the transfer is rejected. Then the address of the sending station on the LAN is written in hosts.deny even if I have ALL: 192.168.2. in hosts.allow

How can I set denyhosts to accept all actions from identified machines? The other stations are used in the wood shop, the paint shop etc and I must UL/DL in order to use or save files to the server. I can also be on the road and need a file from the server.

Thanks
From: Moe Trin on 28 Mar 2010 17:08

On Sun, 28 Mar 2010, in the Usenet newsgroup comp.os.linux.networking, in article <honmm5$t9$1(a)news.ett.com.ua>, Big Bill wrote:

>Denyhosts does a great job

In the eye of the beholder. I prefer to use a 'mostly closed' model (man 5 hosts_access) where the default is to block all, and only allow access from address ranges which I know. Thus, I have no need for these Self Denial Of Service applications like denyhosts, or the similar 'blockhosts', 'fail2ban' or 'blocksshd'.

>except for one thing.
>
>I can't upload any file from the LAN to the server with FileZilla. The
>connection opens but the transfer is rejected.

Denyhosts is a log reader, and is being triggered by a bad login name or authentication used by FileZilla. The transfer being rejected is more likely to be a user/authentication/permission problem with the server, rather than a problem with denyhosts.

>Then the address of the sending station on the lan is written in
>hosts.deny even if I have ALL: 192.168.2. in hosts.allow

Denyhosts doesn't look at hosts.allow - it looks at the logs.

>How can I set denyhosts to accept all actions from identified machines ?

Denyhosts doesn't seem to have a 'whitelist' (ignore) capability. Use a ``valid'' username when you're connecting. The problem could be the configuration of 'FileZilla' or the configuration of your file server. Look in the logs that 'denyhosts' is reading, and you should find what your server application is barfing about.

>I can also be on the road and need a file from the server.

That is a more difficult problem if you are being bothered by every zombie/'bot on the Internet trying to connect to your server (the reason you are using a Self Denial Of Service tool like denyhosts).
I only allow connections to my home systems from a /22 and two /24s "outside" or a total of 1530 addresses, because I really don't expect authorized users to be connecting from Kazakhstan, Kenya, Kiribati, Korea, or Kuwait or a lot of other places either. Lest someone from those countries object, I also don't allow access from nearly all ISPs in North America.

When I travel, I use a form of port-knocking to provide an _extra_ hoop to jump through before being able to connect to the server (in addition to the normal authentication mechanism). Another solution is to move the server from the 'well known port' to some unexpected one (example, move ssh from 22/tcp to 123/tcp). A minor problem with this (and port knocking) is that businesses often block _outbound_ access to non-standard ports.

Old guy
From: Keith Keller on 28 Mar 2010 23:31

On 2010-03-28, Moe Trin <ibuprofin(a)painkiller.example.tld.invalid> wrote:
> On Sun, 28 Mar 2010, in the Usenet newsgroup comp.os.linux.networking, in
> article <honmm5$t9$1(a)news.ett.com.ua>, Big Bill wrote:
>
>>How can I set denyhosts to accept all actions from identified machines ?
>
> Denyhosts doesn't seem to have a 'whitelist' (ignore) capability.

Yes it does.

http://denyhosts.sourceforge.net/faq.html#3_7

> Use a ``valid'' username when you're connecting.

If you use a valid username but bad password too many times, DenyHosts will block you, unless you're in the allowed-hosts file. The OP may still need to manually modify hosts.deny and restart denyhosts in order to have any added entries to allowed-hosts to take effect.

--keith

--
kkeller-usenet(a)wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
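The two mechanisms discussed above (Moe Trin's 'mostly closed' hosts_access model, and Keith's point that a valid username with repeated bad passwords still gets blocked unless the address is in DenyHosts' allowed-hosts file) can be illustrated with a small script. The following is an added example written for this thread; it is not DenyHosts' code, not the tcp_wrappers code, and not anything from the posters' systems. The log lines are constructed, the hostname 'srv' is made up, and the address-pattern syntax it accepts (tcp_wrappers trailing-dot prefix, net/mask, CIDR, and a DenyHosts-style trailing '*') is an assumption about what both tools support; check hosts_access(5) and the DenyHosts FAQ for the exact syntax each file uses.

```python
"""Toy DenyHosts-style log reader plus a hosts_access-style decision function.

Added example, not DenyHosts' or tcp_wrappers' own code. It reads sshd
'Failed password' lines, counts failures per source address, and emits
hosts.deny entries for addresses over a threshold, skipping any address
that matches an allow list. hosts_access_decision() shows the separate
hosts.allow/hosts.deny evaluation order that a 'mostly closed' setup
relies on.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines; hostname 'srv' and addresses are made up.
# 192.168.2.20 is a LAN host whose user mistyped a valid account's password
# three times; 203.0.113.7 is an outside address guessing invalid accounts.
SAMPLE_LOG = """\
Mar 28 09:40:01 srv sshd[2201]: Failed password for bob from 192.168.2.20 port 51234 ssh2
Mar 28 09:40:05 srv sshd[2201]: Failed password for bob from 192.168.2.20 port 51234 ssh2
Mar 28 09:40:09 srv sshd[2201]: Failed password for bob from 192.168.2.20 port 51234 ssh2
Mar 28 09:41:00 srv sshd[2210]: Invalid user admin from 203.0.113.7
Mar 28 09:41:02 srv sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
Mar 28 09:41:04 srv sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 40001 ssh2
Mar 28 09:41:06 srv sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 40002 ssh2
Mar 28 09:42:00 srv sshd[2213]: Accepted password for bill from 192.168.2.30 port 50000 ssh2
"""

# Matches both 'Failed password for bob from ...' and
# 'Failed password for invalid user admin from ...'.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def host_matches(pattern: str, ip: str) -> bool:
    """Does one allow/deny pattern match this IPv4 address?

    Supported forms (assumed, see lead-in): 'ALL', a trailing-dot prefix
    such as '192.168.2.', a DenyHosts-style '192.168.2.*', 'net/mask',
    CIDR 'net/bits', or an exact address.
    """
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # tcp_wrappers prefix form
        return ip.startswith(pattern)
    if pattern.endswith(".*"):           # wildcard form
        return ip.startswith(pattern[:-1])
    if "/" in pattern:                   # net/mask or CIDR; ip_network accepts both
        return ip_address(ip) in ip_network(pattern, strict=False)
    return ip == pattern


def is_listed(ip: str, patterns) -> bool:
    """True if any pattern in the list matches the address."""
    return any(host_matches(p, ip) for p in patterns)


def failed_logins(log_text: str) -> Counter:
    """Count 'Failed password' events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_deny(log_text: str, allowed_hosts, threshold: int = 3):
    """Addresses at or over the failure threshold that are not on the allow list.

    Note that the valid-username case (bob from 192.168.2.20) is blocked
    exactly like the guessing host unless the LAN prefix is allow-listed.
    """
    counts = failed_logins(log_text)
    return sorted(
        ip for ip, n in counts.items()
        if n >= threshold and not is_listed(ip, allowed_hosts)
    )


def hosts_deny_lines(deny_ips, service: str = "sshd"):
    """Render hosts.deny entries in 'daemon: client' form."""
    return [f"{service}: {ip}" for ip in deny_ips]


def hosts_access_decision(ip: str, allow_rules, deny_rules) -> str:
    """tcp_wrappers order: hosts.allow first, then hosts.deny, else allow.

    With allow_rules=['192.168.2.'] and deny_rules=['ALL'] this is the
    'mostly closed' model: only the known range gets in.
    """
    if is_listed(ip, allow_rules):
        return "allow"
    if is_listed(ip, deny_rules):
        return "deny"
    return "allow"


if __name__ == "__main__":
    print("no allow list:", hosts_deny_lines(hosts_to_deny(SAMPLE_LOG, [])))
    print("LAN allowed:  ", hosts_deny_lines(hosts_to_deny(SAMPLE_LOG, ["192.168.2."])))
    for src in ("192.168.2.20", "203.0.113.7"):
        print(src, "->", hosts_access_decision(src, ["192.168.2."], ["ALL"]))
```

Run as a script it shows the LAN host landing in hosts.deny when no allow list is given and being spared once the 192.168.2. prefix is listed, which is the behaviour Keith describes; the last two lines show that under the mostly-closed hosts_access model the outside address never gets as far as a password prompt, so there is nothing for a log reader to react to.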
From: Big Bill on 29 Mar 2010 09:29

Keith Keller wrote:
> On 2010-03-28, Moe Trin <ibuprofin(a)painkiller.example.tld.invalid> wrote:
>> On Sun, 28 Mar 2010, in the Usenet newsgroup comp.os.linux.networking, in
>> article <honmm5$t9$1(a)news.ett.com.ua>, Big Bill wrote:
>>
>>> How can I set denyhosts to accept all actions from identified machines ?
>> Denyhosts doesn't seem to have a 'whitelist' (ignore) capability.
>
> Yes it does.
>
> http://denyhosts.sourceforge.net/faq.html#3_7
>
>> Use a ``valid'' username when you're connecting.
>
> If you use a valid username but bad password too many times, DenyHosts
> will block you, unless you're in the allowed-hosts file.

The ID used with Filezilla is a registered user of the system and not the admin'. Before firestarter, I could access the server by its name (pingouin), now it's only available by its ip. No big deal. Filezilla could transfer without a problem. Since Denyhosts, no transfers. I can access the server with putty, winscp, scp, all using admin id but not filezilla who uses another id. Logins have been modified in filezilla to reflect the rules of firestarter but still no success. At the very first try, denyhosts blacklists the address.

> The OP may still need to manually modify hosts.deny and restart
> denyhosts in order to have any added entries to allowed-hosts to take
> effect.
>

Is there a more controllable utility that I could use instead? Something light preferably as it's not a commercial server and I'm not a pro OP.
From: Big Bill on 29 Mar 2010 11:21

Big Bill wrote:

I've finally found what was wrong. A misspelled user in vsftpd conf files. Now filezilla works and denyhosts doesn't complain anymore.

Thank you all for your answers