I applied a few Virtmin/Webmin updates offered by the main page when I logged in over the last few days.
Today, for the first time in several days, I tried to connect with SSH. Found my IP Address was blocked in /etc/hosts.deny and have no idea why it was there, or how it got there. It was working perfectly last time I tried. After much thrashing around, I found I could override this by adding the IP to the hosts.allow file through Webmin -> System(?) -> TCP Wrappers. (It was in TCP Wrappers that I discovered my IP in the hosts.deny file.)
And if I manually edit hosts.deny, OR remove the block in denied hosts through Webmin, it reappears very quickly.
I understand it’s tcpd(?) that actually “decides” to add entries to that file. But why?
All I’ve done the last week was add the updates as mentioned above. And SSH worked perfectly before. I was never blocked that way.
The only bright idea I have is: look elsewhere. Virtualmin and Webmin do not automatically add anything to hosts.allow or hosts.deny (as you’ve noted, there is a new module in Webmin for tcpwrappers, but it’s not doing anything automatically). My guess is you have setup fail2ban or something similar. It wasn’t Virtualmin/Webmin, I promise. And it has no relation to the updates you performed.
Yeah, Joe’s thought of fail2ban is good – I personally use denyhosts on my machine. That could do exactly what you’re talking about. If that were the case, you’d see it running if you were to run:
ps auxw | grep denyhosts
There’s nothing wrong with that, per-se, but you might need to tweak it’s settings to be a bit more lenient.
-Eric
I honestly didn’t think it had anything to do with Virtualmin/Webmin. I’m just looking for ideas as to why this started to happen only yesterday. Prior to this, I could login with Putty just fine, and have been able to do so since I setup the webserver and Virtmin/Webmin.
I haven’t installed ANY applications in the last month or two, that’s what has me stumped.
What denyhosts does is monitor your system error logs, and watches for SSH attacks – people or bots guessing passwords and trying to break into your system.
The problem here, is that the difference between someone typing in the wrong password several times, and someone/something trying to break into your machine, is subtle
I suspect you simply typed in the wrong password a few times within a given window, and denyhosts assumed it was an attack, and blocked your host.
Your options are:
Modify the denyhosts config file, and tweak the exact parameters that it’s using to block hosts. You’d probably want to require more failed attempts, and use a smaller window.
You can always just disable denyhosts if that’s not functionality you want. You can run: “/etc/init.d/denyhosts stop” – then clear out the entries from /etc/hosts.deny.
What puzzles me is that my IP number for my Cable account, while technically a Dynamic IP, hasn’t changed in months. And it’s blocking only that one IP. I never mistype my password more than once. If I get a failure, I type it again very slowly to make sure I get it right. So I get, at most, one failre every couple of days.
I’ll take a look at the denyhosts config file and see what I can do with it, thank you.
I have the exact same problem - all of a sudden my Comcast cablemodem laptop’s IP address has been added to hosts.deny. I can edit it out manually but first I need to stop denyhosts! I’m on a Mac 10.4.11 system; how do I stop the thing? Did you ever find out why your IP was added?
Those would be 3 separate commands you’d pass in. I’m not sure that you actually need the last one, that’s just in case TCP Wrappers requires that hosts.deny exists.
-Eric
