blockhosts (and sshd) headache...

The blockhosts-solution seemed like a really good idea, but that was before I tried to install and use it... ;-)

After quite a lot of experimentation, and some net-browsing and man-reading, the following issues remain:

1. For some reason, all IPs listed in my hosts.deny are denied, irrespective of the ': deny' or ': allow' keyword. This actually made sense when I realized that...

2. ...'allow' and 'deny' (actually, the third keyword on a line) are commands that are run. However, such commands do not exist on my system, by the way.

3. Any IP in hosts.allow is allowed, and also overrides the same IP in hosts.deny, probably because...

4. ...as soon as a match is made in hosts.allow or hosts.deny, nothing more is processed, and if the match was made in hosts.deny, service is denied. Because of this, ...

5. ...blockhosts.py cannot be spawned. For if the IP is matched in hosts.deny, the spawn command further down will be ignored. And if the IP is not matched, the blockhosts.py spawning counts as a match in hosts.deny, causing the service to be denied, even if the actual IP was not blacklisted. Catch 22.

Argh... Please, somebody tell me I have misunderstood something and put me back on track!

corrections

1 and 2 are not correct - :allow and :deny are not commands, but keywords for TCP WRAPPER functionality.

3 is not correct - the first matched line for an IP stops all further processing of the hosts.* files, and the order is always hosts.access first, hosts.deny afterwards.
On my Unix box, man 5 hosts_access shows all this information.
The file names themselves do not matter if :allow or :deny is specified at end of the rule.

4 is not correct. Even a hosts.deny file could allow access if line has :allow at the end.

5 is certainly not correct, otherwise no one would be able to use this!
Here are some links to other documentation: Ubuntu forum topic and Linux.com article, in addition to the INSTALL file from the BlockHosts package available on the Details page.

thanks for the quick response, but...

...I'm afraid I'm (was) correct to some degree. I made a script /bin/deny (and a similar /bin/allow) simply echoing 'hi, I'm deny'. And yes, that output was written.

But there is more to the story: I just realized that tcp_wrappers has to be compiled with 'STYLE = -DPROCESS_OPTIONS' defined to make deny, allow, etc. work as they appear to do for the rest of the world... And this was not defined by default. Sigh.

Recompiling and testing as I type...

but thanks again for the reply, often it helps just having to formulate the problem for an audience... :-)

J.O.

yup, that is right...

The :allow and :deny are keywords, not commands, but you are right - this is an extension that can only be used if the library supports it. The man page man hosts_options explains that part of the picture.

This info should be added to the BlockHosts requirements in a future release.

Without this, the format of the hosts.access and hosts.deny file supports only three fields - and the third field is the command:

                 daemon_list : client_list [ : shell_command ]

But - that shell command, or its return code, does not allow or deny the host; that is dependent on the name of the file containing the rule, hosts.access or hosts.deny.

So, it is correct that blockhosts requires the extensions described in the hosts_options man page.

Still - even without using this extension, you can use blockhosts - the versions after 2.0 support blocking at the TCP/IP network level, for example, using ip route to install null-routes in the routing table. So, in your case, you can add the blockhosts.py command to hosts.allow for ALL sshd accesses, and when it needs to block a host, it will block using null-routes, so hosts.deny is not needed, something like:

sshd : ALL  : spawn /usr/bin/blockhosts.py  --iproute  >> /var/log/blockhosts.log 2>&1 &

Yes, I was at the brink of going down that road,

when I found out about the "options" part of tcp_wrapper, but now I will stick to the "option-way". And I think a mention of this in the blockhosts doc would be quite useful, yes. Could potentially have saved me some hours.

J.O.

You can configure BlockHosts to use hosts.deny

There are settings in blockhosts.cfg for what file to use as well as what to add to the file.
Just set it to use hosts.deny and change the " : deny" bit of the format-of-line-to-add setting to "".
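Worked model of the lookup order described in the replies above (the hosts_options explanation and the hosts.deny configuration tip), added here as an example; it is not BlockHosts or libwrap code. It implements only a slice of hosts_access(5)/hosts_options(5): ALL, exact IPv4 addresses and dotted prefixes as client patterns, and spawn, allow and deny as the only options, with commands recorded rather than run. The sample files, using RFC 5737 documentation addresses, are constructed for illustration. hosts_access() returns the verdict, the commands that would be run and the file whose rule matched, so the catch-22 from the first post and both ways out of it (building with PROCESS_OPTIONS, or null-routing from a classic hosts.allow line) can be checked without touching a live box.

```python
"""Model of tcp_wrappers rule evaluation for hosts.allow / hosts.deny, in the
classic three-field form (hosts_access(5)) and with the PROCESS_OPTIONS
extension (hosts_options(5)).

Added example, not code from BlockHosts or libwrap.  Assumptions: client
patterns are only 'ALL', an exact IPv4 address or a dotted prefix such as
'10.0.0.'; the only options understood are spawn, allow and deny; no
%-expansions; commands are collected, never executed."""

from dataclasses import dataclass, field

ESC = "\x00"  # stands in for an escaped colon ('\:') while splitting fields


@dataclass
class Rule:
    daemons: list
    clients: list
    rest: list = field(default_factory=list)  # fields after client_list


def parse_rules(text):
    """Parse hosts.allow / hosts.deny text; comments and blank lines skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.replace(ESC, ":").strip()
                  for f in line.replace("\\:", ESC).split(":")]
        if len(fields) < 2:
            raise ValueError("need daemon_list : client_list, got %r" % raw)
        rules.append(Rule(fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def _pattern_matches(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # dotted prefix, e.g. '192.168.1.'
        return value.startswith(pattern)
    return pattern == value


def rule_matches(rule, daemon, client):
    return (any(_pattern_matches(p, daemon) for p in rule.daemons)
            and any(_pattern_matches(p, client) for p in rule.clients))


def hosts_access(daemon, client, allow_text, deny_text, process_options):
    """Return (verdict, commands, matched_file) for one connection.

    hosts.allow is searched before hosts.deny; the first matching rule ends
    the search; no match in either file grants access.  Without
    PROCESS_OPTIONS the verdict comes from the file name and the whole third
    field is a shell command to run.  With PROCESS_OPTIONS each extra field
    is an option: 'spawn CMD' queues a command, and a trailing allow/deny
    overrides the file-name default."""
    for filename, text, default in (("hosts.allow", allow_text, "allow"),
                                    ("hosts.deny", deny_text, "deny")):
        for rule in parse_rules(text):
            if not rule_matches(rule, daemon, client):
                continue
            if not process_options:
                return default, rule.rest[:1], filename
            verdict, commands = default, []
            for opt in rule.rest:
                name, _, arg = opt.partition(" ")
                if name in ("allow", "deny"):
                    verdict = name
                    break                      # allow/deny is always last
                if name == "spawn":
                    commands.append(arg.strip())
                else:
                    raise ValueError("option not modelled here: %r" % opt)
            return verdict, commands, filename
    return "allow", [], None


# Constructed sample files (documentation addresses, not a real deployment).
# 1) What the first post describes: BlockHosts lines kept in hosts.deny.
DENY_WITH_OPTIONS = """
sshd : 203.0.113.7 : deny
sshd : ALL : spawn /usr/bin/blockhosts.py >> /var/log/blockhosts.log 2>&1 & : allow
"""
# 2) Null-route setup in classic form: no options, so the third field must be
#    the bare command (no 'spawn' keyword in front of it).
ALLOW_CLASSIC_IPROUTE = """
sshd : ALL : /usr/bin/blockhosts.py --iproute >> /var/log/blockhosts.log 2>&1 &
"""
# 3) hosts.deny with the ' : deny' suffix configured away, as in the last post.
DENY_PLAIN = "sshd : 203.0.113.7\n"


if __name__ == "__main__":
    for opts in (False, True):
        for ip in ("203.0.113.7", "198.51.100.5"):
            print("PROCESS_OPTIONS=%s client=%s -> %s"
                  % (opts, ip, hosts_access("sshd", ip, "", DENY_WITH_OPTIONS, opts)))
```

Two things the model makes visible. Without PROCESS_OPTIONS a hosts.deny line ending in ': deny' really does run a program called deny, as the /bin/deny experiment above showed, while the verdict still comes from the file name, so the unblocked client hitting the ALL line is denied too. And in the classic three-field form the whole third field is the shell command, so a hosts.allow line for the null-route setup must start directly with /usr/bin/blockhosts.py; written with the spawn keyword in front, the shell would look for a program named spawn. Running the file with python3 prints the four hosts.deny cases; tcpdmatch(8), shipped with tcp_wrappers, performs the same prediction against the real library on a given host.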