Dear All, this one drives me nuts. I had denyhosts installed on my server (installed Perfect Ubuntu server 7.10 upgraded to 8.04, running ISPConfig) and it is working well - too well in fact. My own IP address keeps being blocked, although I have entered it with ALL: a.b.c.d in hosts.allow and also into /var/lib/denyhosts/allowed-hosts. This is very annoying, as even just logging into my website may trigger this. Certain pages with mysql queries will set this off, ftping into the site with SmartFTP etc. Nothing like this happened before I installed denyhosts.

But now it gets weird. Even when I stop denyhosts with /etc/init.d/denyhosts stop my IP address will still be appended (yes, I checked there was no denyhosts process running with ps aux | grep deny). I can even remove the package with apt-get remove denyhosts. The system will still keep appending my IP address. Am I seeing ghosts? Is there something else that could update hosts.deny? (I do run monit, munin, snort, prelude and OSSEC on the server). I just cannot get rid of this #@!@!#@! Can anyone help? Cheers
Output as requested

As requested:

Code:
root@blackbird:~# ls -la /var/lib/denyhosts
total 12
drwxr-xr-x  2 root root 4096 May 26 09:36 .
drwxr-xr-x 35 root root 4096 May 25 22:56 ..
-rw-r--r--  1 root root  110 May 26 09:36 allowed-hosts

That's what is in it: my home's IP address (as received from my ISP's DHCP server), my public servers and the loopback (I have replaced numbers with letters to hide my addresses):

Code:
root@blackbird:~# cat /var/lib/denyhosts/allowed-hosts
# allowed hosts not to be blocked
x.y.z.10
a.b.c.11
a.b.c.30
a.b.c.36
a.b.c.43
127.0.0.1

But why does it matter? Again, denyhosts is not running, but the x.y.z.10 address keeps being added with ALL: x.y.z.10 to /etc/hosts.deny when I perform seemingly normal operations. For example, when I run SmartFTP on my PC and try to transfer some data into a directory with no public write access, the server will give an access denied to me (what you would expect). Immediately my IP address is added to hosts.deny and the connection will be lost (wouldn't expect that without denyhosts running). See, no denyhosts:

Code:
root@blackbird:~# ps aux |grep deny
root      5981  0.0  0.2   1796   536 pts/0    R+   05:54   0:00 grep deny
Can you post the full output of Code: ps aux ? Also, what's the output of Code: crontab -l ? Maybe DenyHosts is called by a cron job...
Output as requested

ps aux

Code:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.2   1920   532 ?        Ss   May26   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S    May26   0:00 [migration/0]
root         3  0.0  0.0      0     0 ?        SN   May26   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S<   May26   0:00 [events/0]
root         5  0.0  0.0      0     0 ?        S<   May26   0:00 [khelper]
root         6  0.0  0.0      0     0 ?        S<   May26   0:00 [kthread]
root         7  0.0  0.0      0     0 ?        S<   May26   0:00 [xenwatch]
root         8  0.0  0.0      0     0 ?        S<   May26   0:00 [xenbus]
root        14  0.0  0.0      0     0 ?        S<   May26   0:00 [kblockd/0]
root        16  0.0  0.0      0     0 ?        S<   May26   0:00 [kseriod]
root        59  0.0  0.0      0     0 ?        S<   May26   0:00 [kswapd0]
root        60  0.0  0.0      0     0 ?        S<   May26   0:00 [aio/0]
root        61  0.0  0.0      0     0 ?        S<   May26   0:00 [xfslogd/0]
root        62  0.0  0.0      0     0 ?        S<   May26   0:00 [xfsdatad/0]
root       202  0.0  0.0      0     0 ?        S<   May26   0:00 [kjournald]
root       347  0.0  0.1   2236   348 ?        S<s  May26   0:00 /sbin/udevd --daemon
syslog    1119  0.0  0.2   1952   616 ?        Ss   May26   0:00 /sbin/syslogd -a /var/lib/named/dev/log -u syslog
root      1140  0.0  0.1   1888   420 ?        S    May26   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog      1142  0.0  0.1   2152   384 ?        Ss   May26   0:00 /sbin/klogd -P /var/run/klogd/kmsg
ntp       1173  0.0  0.3   4136   912 ?        Ss   May26   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 110:112 -g
root      1222  0.0  1.3   6888  3440 ?        Ss   May26   0:01 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/open
root      1241  0.0  0.2   5328   632 ?        Ss   May26   0:00 /usr/sbin/sshd
root      1302  0.0  0.4   2784  1068 ?        S    May26   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     1344  0.0  4.0 130572 10496 ?        Sl   May26   0:06 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/my
root      1346  0.0  0.1   1712   472 ?        S    May26   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      1413  0.0  0.1   1920   356 ?        S    May26   0:00 /usr/sbin/courierlogger -pid=/var/run/courier/authdaemon/pid -start /usr/lib/courier/courier
root      1414  0.0  0.1   2084   456 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1439  0.0  0.1   1920   284 ?        S    May26   0:00 /usr/sbin/courierlogger -pid=/var/run/courier/imapd.pid -start -name=imapd /usr/sbin/courier
root      1440  0.0  0.1   2024   464 ?        S    May26   0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=20 -nodnslookup -noidentlookup 143 /
root      1461  0.0  0.1   1920   284 ?        S    May26   0:00 /usr/sbin/courierlogger -pid=/var/run/courier/imapd-ssl.pid -start -name=imapd-ssl /usr/sbin
root      1462  0.0  0.1   2020   464 ?        S    May26   0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=20 -nodnslookup -noidentlookup 993 /
root      1466  0.0  0.2   2300   588 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1467  0.0  0.2   2300   588 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1468  0.0  0.2   2300   588 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1469  0.0  0.2   2300   588 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1470  0.0  0.2   2300   556 ?        S    May26   0:00 /usr/lib/courier/courier-authlib/authdaemond
root      1482  0.0  0.1   1920   428 ?        S    May26   0:00 /usr/sbin/courierlogger -pid=/var/run/courier/pop3d.pid -start -name=pop3d /usr/sbin/courier
root      1483  0.0  0.2   2024   540 ?        S    May26   0:00 /usr/sbin/couriertcpd -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup -address=0 110 /u
root      1504  0.0  0.1   1920   284 ?        S    May26   0:00 /usr/sbin/courierlogger -pid=/var/run/courier/pop3d-ssl.pid -start -name=pop3d-ssl /usr/sbin
root      1505  0.0  0.1   2024   464 ?        S    May26   0:00 /usr/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 995 /u
ossecm    1539  0.0  0.5   3068  1416 ?        S    May26   0:00 /var/ossec/bin/ossec-maild
root      1543  0.0  0.1   1992   388 ?        S    May26   0:00 /var/ossec/bin/ossec-execd
ossec     1547  0.0  0.8  13124  2184 ?        Sl   May26   0:02 /var/ossec/bin/ossec-analysisd
root      1552  0.0  0.1   1864   432 ?        S    May26   0:00 /var/ossec/bin/ossec-logcollector
root      1556  0.0  0.3   2064   892 ?        S    May26   0:23 /var/ossec/bin/ossec-syscheckd
ossec     1560  0.0  0.2   2048   612 ?        S    May26   0:00 /var/ossec/bin/ossec-monitord
root      1693  0.0  0.1   7880   368 ?        Ss   May26   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root      1694  0.0  0.2   9036   776 ?        S    May26   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root      1695  0.0  0.0   7880    32 ?        S    May26   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root      1699  0.0  0.0   7880   164 ?        S    May26   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root      1700  0.0  0.0   7880   108 ?        S    May26   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root      1847  0.0  0.2   2116   748 ?        Ss   May26   0:00 /usr/sbin/cron
root      1927  0.0  1.0   6920  2772 ?        Ss   May26   0:00 /usr/sbin/munin-node
root      2105  0.0  0.3  14488   928 ?        Ss   May26   0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
root      2106  0.0  0.4   2812  1188 ?        S    May26   0:00 /bin/bash /root/ispconfig/sv/ispconfig_wconf
2003      2115  0.0  0.2  15176   616 ?        S    May26   0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
bind      2454  0.0  0.9  37560  2388 ?        Ssl  May26   0:00 /usr/sbin/named -u bind -t /var/lib/named
2003      2494  0.0  0.3   2924  1028 ?        Ss   May26   0:00 /home/admispconfig/ispconfig/tools/clamav/bin/freshclam -d -c 10 --datadir=/home/admispconfi
root      2500  0.0  0.5  28996  1440 ?        Sl   May26   0:01 /usr/sbin/monit -d 60 -c /etc/monit/monitrc -s /var/lib/monit/monit.state
root      2529  0.0  0.1   1728   432 tty1     Ss+  May26   0:00 /sbin/getty 38400 tty1
2003      5231  0.0  0.2  14956   624 ?        S    May26   0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
root      8644  0.0  1.3  43740  3484 ?        Ss   May26   0:00 /usr/sbin/apache2 -k start
root      8645  0.0  0.1   1772   472 ?        S    May26   0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispcon
root     12779  0.0  0.0      0     0 ?        S    May26   0:00 [pdflush]
root     21936  0.0  0.0      0     0 ?        S    May26   0:00 [pdflush]
root     19752  0.0  0.1  49284   388 ?        Ssl  May26   0:00 /usr/sbin/freeradius
www-data 31679  0.0  5.2  49480 13692 ?        S    May27   0:07 /usr/sbin/apache2 -k start
snort    11205  0.0 23.1 185124 60716 ?        Ssl  May27   0:07 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S
www-data 16886  0.0  6.0  49728 15968 ?        S    May27   0:07 /usr/sbin/apache2 -k start
www-data 22669  0.0  4.3  45520 11308 ?        S    May27   0:05 /usr/sbin/apache2 -k start
www-data 22671  0.0  5.6  48868 14928 ?        S    May27   0:05 /usr/sbin/apache2 -k start
www-data 19323  0.0  6.0  49696 15900 ?        S    May27   0:02 /usr/sbin/apache2 -k start
www-data 19324  0.0  5.6  49092 14856 ?        S    May27   0:02 /usr/sbin/apache2 -k start
www-data 20521  0.0  5.7  48860 15164 ?        S    May27   0:03 /usr/sbin/apache2 -k start
www-data  9852  0.0  4.0  44812 10716 ?        S    May27   0:01 /usr/sbin/apache2 -k start
proftpd   9980  0.0  0.6   9836  1612 ?        Ss   May27   0:00 proftpd: (accepting connections)
root     10051  0.0  0.6   5408  1760 ?        Ss   May27   0:00 /usr/lib/postfix/master
postfix  10063  0.0  0.6   5460  1804 ?        S    May27   0:00 qmgr -l -t fifo -u
postfix  10115  0.0  0.9   5784  2464 ?        S    May27   0:00 tlsmgr -l -t unix -u -c
www-data 18903  0.0  4.2  45500 11176 ?        S    01:06   0:01 /usr/sbin/apache2 -k start
postfix  12245  0.0  0.6   5420  1712 ?        S    04:44   0:00 pickup -l -t fifo -u -c
www-data 14595  0.0  3.7  44576  9788 ?        S    05:00   0:00 /usr/sbin/apache2 -k start
postfix  17060  0.0  1.2   6448  3252 ?        S    05:21   0:00 smtpd -n smtp -t inet -u -c -o stress -s 2
root     19551  0.0  1.4  11364  3716 ?        Ss   05:43   0:00 sshd: root@pts/0
root     19555  0.0  0.6   2920  1628 pts/0    Ss   05:43   0:00 -bash
proftpd  19567  0.0  0.8   9836  2200 ?        S    05:43   0:00 proftpd: (accepting connections)
root     19571  0.0  0.2   1864   532 ?        S    05:44   0:00 sleep 10
root     19572  0.0  0.3   2380   920 pts/0    R+   05:44   0:00 ps aux

crontab -l

Code:
30 00 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/logs.php &> /dev/null
59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/ftp_logs.php &> /dev/null
59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/mail_logs.php &> /dev/null
59 23 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/cleanup.php &> /dev/null
0 4 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/webalizer.php &> /dev/null
0,30 * * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/check_services.php &> /dev/null
15 3,15 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/quota_msg.php &> /dev/null
40 00 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/traffic.php &> /dev/null
05 02 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/backup.php &> /dev/null
0 4 * * * /root/ispconfig/php/php /root/ispconfig/scripts/shell/awstats.php &> /dev/null

BTW, the behavior persists after rebooting. Could something else be updating hosts.deny? OSSEC, prelude, snort, prewikka perhaps?
OSSEC was it

The active-response module of OSSEC was switched on, which amongst other things adds host IP addresses to hosts.deny. The problem was solved by adding the relevant host IPs to /var/ossec/etc/ossec.conf as members of the 'white list'. Problem solved.
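The two OSSEC pieces behind this thread, shown together as an added example (editor's code, not posted by anyone in the thread): the ossec.conf fragment that pairs the global white_list with the host-deny active response that writes "ALL: <ip>" into /etc/hosts.deny, and a check over OSSEC's own active-responses.log that lists which IPs host-deny has added and flags any that are supposedly whitelisted. The config element names and the log line layout (date, script, add/delete, "-", source IP, timestamp, rule id) follow OSSEC 2.x; the config fragment, the log lines, the placeholder addresses (x.y.z.10, a.b.c.11 from the thread, plus 203.0.113.77 and 198.51.100.9 from the documentation ranges), the timeout value and the rule ids are all constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Constructed OSSEC 2.x data: an ossec.conf
# fragment with a white_list and the host-deny active response, plus a few
# active-responses.log lines, and a check for whitelisted IPs that still got
# added to /etc/hosts.deny by host-deny.sh.
set -eu

# Constructed /var/ossec/etc/ossec.conf fragment. white_list lives under
# <global>; host-deny is the stock command that edits /etc/hosts.deny, and the
# <active-response> block wires it to every alert of level 6 or higher.
OSSEC_CONF='<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>x.y.z.10</white_list>
    <white_list>a.b.c.11</white_list>
  </global>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>'

# Constructed /var/ossec/logs/active-responses.log lines. Each action is logged
# as: <date> <script> <add|delete> - <srcip> <timestamp> <rule id>. The
# firewall-drop line is there to show that only host-deny.sh is counted.
AR_LOG='Tue May 27 05:44:02 UTC 2008 /var/ossec/active-response/bin/host-deny.sh add - x.y.z.10 1211867042.1 5712
Tue May 27 05:44:02 UTC 2008 /var/ossec/active-response/bin/firewall-drop.sh add - x.y.z.10 1211867042.1 5712
Tue May 27 05:51:17 UTC 2008 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.77 1211867477.2 5712
Tue May 27 05:52:40 UTC 2008 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.9 1211867560.3 5712
Tue May 27 06:02:40 UTC 2008 /var/ossec/active-response/bin/host-deny.sh delete - 198.51.100.9 1211868160.3 5712'

# IPs declared in <white_list> elements, one per line, in config order.
whitelisted_ips() {
    printf '%s\n' "$OSSEC_CONF" \
      | sed -n 's/.*<white_list>\([^<]*\)<\/white_list>.*/\1/p'
}

# IPs that host-deny.sh has added and not yet deleted (a delete is logged when
# the <timeout> expires), sorted. The script field is located by name so the
# date prefix may have any number of fields.
host_denied_ips() {
    printf '%s\n' "$AR_LOG" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /host-deny\.sh$/) {
                    act = $(i + 1); ip = $(i + 3)
                    if (act == "add") added[ip] = 1
                    else if (act == "delete") delete added[ip]
                }
            }
        }
        END { for (ip in added) print ip }' | sort
}

# Whitelisted IPs that host-deny nonetheless added: the symptom from the thread.
# Before the white_list entry existed this list would contain x.y.z.10; after
# a restart of OSSEC with the entry in place it should come back empty.
whitelisted_but_denied() {
    wl=$(whitelisted_ips)
    host_denied_ips | while IFS= read -r ip; do
        printf '%s\n' "$wl" | grep -qxF -- "$ip" && printf '%s\n' "$ip"
    done
    return 0
}

printf 'host-deny has currently blocked:\n%s\n' "$(host_denied_ips)"
printf 'whitelisted but still blocked:\n%s\n' "$(whitelisted_but_denied)"
```

Two things worth knowing when applying this on a real box: OSSEC only reads ossec.conf at start, so the new white_list entry takes effect after /var/ossec/bin/ossec-control restart, and the active-responses.log is the place that would have named the culprit immediately, since every hosts.deny edit made by OSSEC is logged there. If the module is not wanted at all, an `<active-response><disabled>yes</disabled></active-response>` block turns it off globally. For a writer that does not log its own actions, `auditctl -w /etc/hosts.deny -p wa -k hostsdeny` followed by `ausearch -k hostsdeny` after the next block shows which process changed the file.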