Hey, I've been using BlockHosts for quite a while on my servers.. Recently, on one host, I have been seeing strange delays between the time I ssh to the server and when the "login" prompt actually shows up.. I believe it has to do with DNS, but the forward and reverse DNS entries for the ssh client host resolve just fine. Other hosts can ssh to my server without the login prompt delay, but some take about 30 seconds to get the prompt.
If I comment out my BlockHosts line in /etc/hosts.allow, the login prompt comes up just fine, almost immediately after I ssh to it. Any ideas?
From /etc/hosts.allow:
#---- BlockHosts Additions
sshd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
SSH on the server is:
SSH-2.0-OpenSSH_4.5
-DB
debugging...
Hard to imagine how even a slow blockhosts.py execution would affect sshd - the spawn line runs it as a background job (& at the end), so the sshd server does not wait for it to complete before granting a prompt.
Things to check:
1) Look at the syslog() output - /var/log/messages or equivalent. BlockHosts with --verbose writes to it, and it is timestamped - maybe that will provide some clue as to whether the job is starting late, or is itself taking too long:
For example, on a system which does not show any problem, the start and end timestamps are nearly identical:
Mar 1 12:25:42 hostname blockhosts: echo tag: 10.115.184.130-sshd@10.0.0.1
Mar 1 12:25:42 hostname blockhosts: final counts: blocking 1, watching 2
2) Try substituting some other command in the spawn line, something known to be very simple, for example echo:
If that also slows down, then it is not blockhosts.py but something else.
OK, so it's the %c
It's the %c that's slowing it down.. Getting the
%c Client information: user@host, user@address, a host name, or just an address, depend-
If I remove that from the
sshd: ALL: spawn (/bin/echo .... line
things work fast..
excellent!
Great info, now need to figure out how to document this so the next person can find this information!
On a Fedora box, all I see is this for %c - a numeric IP address - this is with --echo "%c-%s":
Mar 5 19:01:26 myhost blockhosts: echo tag: 10.0.0.121-sshd@10.0.0.15
The above expansion does not (and should not) take too long.
What do you see in your log files with the %c-%s expansion? Since only some hosts are having this problem, can't think of anything other than DNS lookup issues as still the main thing to look into....
SOLVED!
Added this to my firewall:
$FWCMD -A OUTPUT -o $OUT_IFACE -p tcp --dport 113 -j REJECT --reject-with tcp-reset
to block outgoing ident crap!
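The two findings in this thread fit together: the %c expansion in hosts.allow asks tcpd for client user information, which it obtains by opening a TCP connection to port 113 (the ident service, RFC 1413) on the client. If the client's firewall silently drops that query, tcpd sits in the lookup until its timeout and the sshd prompt is delayed; if the query is answered, or fails immediately (which is what the server-side OUTPUT rule above achieves, because the REJECT with tcp-reset makes the connect fail at once instead of leaving it hanging), there is no delay. The script below is an added example written for this page, not BlockHosts or tcpd code: it implements a small ident client with a timeout and runs it against three loopback responders that model the three outcomes. The "silent" responder accepts the connection but never answers, which is the closest loopback stand-in for a dropped query (a real DROP would also swallow the SYN); the "refused" port models the tcp-reset outcome. All ports, the user name "alice" and the example socket ports 22 and 51234 are constructed values.

```python
"""Minimal RFC 1413 (ident) lookup with a timeout, plus loopback responders that
model an answering client, a client whose firewall drops the query (silent), and a
refused connection (what REJECT --reject-with tcp-reset produces). Added example;
not part of BlockHosts or tcpd."""
import socket
import threading
import time

IDENT_PORT = 113  # the real service port; the example binds ephemeral loopback ports instead
_KEEP = []        # holds listening sockets alive so the "silent" responder keeps its backlog


def build_query(server_port: int, client_port: int) -> bytes:
    # RFC 1413 request: "<port-on-server> , <port-on-client>" terminated by CRLF
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def parse_response(line: bytes) -> dict:
    # Reply is "<sp> , <cp> : USERID : <opsys> : <user>" or "<sp> , <cp> : ERROR : <code>"
    parts = [p.strip() for p in line.decode("ascii", "replace").strip().split(":", 3)]
    if len(parts) < 3:
        return {"status": "MALFORMED", "raw": line}
    status = parts[1].upper()
    if status == "USERID" and len(parts) == 4:
        return {"status": "USERID", "ports": parts[0], "os": parts[2], "user": parts[3]}
    if status == "ERROR":
        return {"status": "ERROR", "ports": parts[0], "code": parts[2]}
    return {"status": "MALFORMED", "raw": line}


def ident_lookup(host: str, port: int, server_port: int, client_port: int,
                 timeout: float = 1.0):
    """Query an ident responder; return (result dict, elapsed seconds).
    The timeout bounds both connect() and the wait for the reply line."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_query(server_port, client_port))
            data = b""
            while not data.endswith(b"\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
            result = parse_response(data) if data else {"status": "EMPTY"}
    except ConnectionRefusedError:
        result = {"status": "REFUSED"}      # peer (or local firewall) answered with RST
    except (socket.timeout, TimeoutError):
        result = {"status": "TIMEOUT"}      # nothing came back within the timeout
    except OSError as e:
        result = {"status": "OSERROR", "errno": e.errno}
    return result, time.monotonic() - start


def start_responder(user: str = "alice", answer: bool = True) -> int:
    """Loopback ident responder on an ephemeral port. With answer=False the kernel
    completes the handshake (listen backlog) but nobody ever accepts or replies,
    modelling a client that drops the query."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    _KEEP.append(srv)
    port = srv.getsockname()[1]
    if not answer:
        return port

    def serve():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(256).decode("ascii", "replace").strip()
            conn.sendall(f"{req} : USERID : UNIX : {user}\r\n".encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port() -> int:
    """Pick a loopback port with no listener, so connect() is refused immediately."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout: float = 0.5) -> dict:
    """Run the same lookup against the three responders; return {name: (result, elapsed)}."""
    targets = {
        "answered": start_responder(user="alice", answer=True),
        "silent": start_responder(answer=False),
        "refused": closed_loopback_port(),
    }
    # Constructed ports: sshd listening on 22, client connected from 51234
    return {name: ident_lookup("127.0.0.1", port, 22, 51234, timeout=timeout)
            for name, port in targets.items()}


if __name__ == "__main__":
    for name, (result, elapsed) in demo().items():
        print(f"{name:9s} {elapsed:5.2f}s {result}")
```

Run it and the "silent" case takes the full timeout while "answered" and "refused" return in milliseconds; tcpd's own lookup timeout is longer, which is where the prompt delay in this thread comes from. The thread's firewall rule turns every lookup into the "refused" case. The same effect can be had from the hosts.allow side by not asking for user information at all, which is exactly what removing %c from the spawn line did earlier in the thread.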