
ssh_exchange_identification: Connection closed by remote host PART II


Jaye Inabnit ke6sls

Mar 24, 2002, 12:27:06 AM

Greetings again:

I have sshd working again after adding an entry in my firewall/router's
/etc/hosts.allow file, but I am rather concerned that sshd included
tcp_wrappers without alerting users that are upgrading software via apt or
dselect! Unless I missed something, I always read all the notifications
during each Woody upgrade.

My question now is this: do I need to make these hosts_allow entries into
each of my linux computers? I still find it very odd that all the other
computers were able to connect to my firewall/router as it was, and only my
Woody box was banned from connecting.

The only other thing that might add to the syndrome is that I have a user
logged (ssh) into my box via the router for several weeks compiling kde3.

shrug
ke6...@arrl.net

----original msg----
Greetings:

I am unable to connect to my cable firewall/router from my desktop box
suddenly. I have gone so far as to wipe out my known_hosts file from my .ssh
directory, but this still gives me the same error. What is unusual is that I
can ssh to any of the other computers on my lan, *then* ssh to my router
without difficulty. What did I do wrong? Any help gleefully accepted. I am
running woody on both boxes, and updated them an hour ago. I also ran
dpkg-reconfigure for ssh on the router just in case I had an update and
entered a wrong value.

PS plz mail me direct as I am not on this list.

thank you


--

Jaye Inabnit\ARS ke6sls\/A GNU-Debian linux user\/ http://www.qsl.net/ke6sls
If it's stupid, but works, it ain't stupid. I SHOUT JUST FOR FUN.
Free software, in a free world, for a free spirit. Please Support freedom!


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org


Sven Hoexter

Mar 24, 2002, 3:07:26 AM
On Sat, Mar 23, 2002 at 01:09:37PM -0800, Jaye Inabnit ke6sls wrote:
>
> Greetings again:
>
> I have sshd working again after adding an entry in my firewall/router's
> /etc/hosts.allow file, but I am rather concerned that sshd included
> tcp_wrappers without alerting users that are upgrading software via apt or
> dselect! Unless I missed something, I always read all the notifications
> during each Woody upgrade.
>
> My question now is this: do I need to make these hosts_allow entries into
> each of my linux computers? I still find it very odd that all the other
> computers were able to connect to my firewall/router as it was, and only my
> Woody box was banned from connecting.
IIRC it helps fixing your DNS problem. The real problem is that in
/etc/hosts.deny is ALL:PARANOID set. This entry blocks all hosts that
have an invalid or no PTR record.

Sven
--
Lamer! :)
Local admin with enormous rights[tm]
[Christian Schneider und Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de

Gary Turner

Mar 24, 2002, 4:36:57 AM
On Sun, 24 Mar 2002 08:46:00 +0100, Sven Hoexter wrote:

>On Sat, Mar 23, 2002 at 01:09:37PM -0800, Jaye Inabnit ke6sls wrote:

>> My question now is this: do I need to make these hosts_allow entries into
>> each of my linux computers? I still find it very odd that all the other
>> computers were able to connect to my firewall/router as it was, and only my
>> Woody box was banned from connecting.
>IIRC it helps fixing your DNS problem. The real problem is that in
>/etc/hosts.deny is ALL:PARANOID set. This entry blocks all hosts that
>have an invalid or no PTR record.

My understanding has been that /etc/hosts.deny ALL:PARANOID is a good
thing (tm), in that visitors not invited in are kicked out, which is
your objection in this case. /etc/hosts.allow is tested first, and if a
match is found, then hosts.deny is never tested. Thus, you can "allow"
your whole LAN by:

ALL : 192.168.0. # <--note the trailing "."

or a piece of it:

ALL : 192.168.0. EXCEPT 192.168.0.46 # or
ALL : .foo.bar EXCEPT honker.foo.bar # note leading "."

Won't these general allows eliminate the need to edit each host for each
addition/subtraction on your net? If ALL : PARANOID is not used in
hosts.deny, then any host not specifically denied, is allowed. That
seems to me to be a bad thing (tm). In the above example, everybody in
the world except honker is let in.

If this is not germane to the thread, I apologize. If it is wrong, I
seek instruction.
--
gt
It is interesting to note that as one evil empire (generic) fell,
another Evil Empire (tm) began its nefarious rise. -- me
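To make the evaluation order Gary describes concrete, here is an added example (not code from the thread or from tcp_wrappers itself) that emulates the hosts_access(5) pattern subset his rules use: hosts.allow is consulted first, a hit there ends the search, hosts.deny is consulted next, and a client matched by neither file is let in. The client tuple, the rule strings and the LAN addresses are constructed assumptions; PARANOID follows the man page meaning (the name from the PTR lookup does not resolve back to the address).

```python
import re

# Client as tcpd sees it: (address, name from the PTR lookup or None,
# paranoid = forward lookup of that name did not give the address back).

def pattern_matches(pattern, client):
    """One client pattern, hosts_access(5) subset: ALL, PARANOID, UNKNOWN,
    trailing-dot address prefix, leading-dot domain suffix, exact match."""
    addr, name, paranoid = client
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid
    if pattern == "UNKNOWN":
        return name is None
    if pattern.endswith("."):          # "192.168.0." matches 192.168.0.*
        return addr.startswith(pattern)
    if pattern.startswith("."):        # ".foo.bar" matches *.foo.bar
        return name is not None and name.endswith(pattern)
    return pattern == addr or pattern == name

def client_list_matches(client_list, client):
    """'a b EXCEPT c d': matched by the first list and not by the second."""
    parts = re.split(r"\s+EXCEPT\s+", client_list.strip(), maxsplit=1)
    if not any(pattern_matches(p, client) for p in parts[0].split()):
        return False
    return not (len(parts) == 2 and client_list_matches(parts[1], client))

def rule_matches(rule, daemon, client):
    """A rule line is 'daemon_list : client_list'; '#' starts a comment."""
    rule = rule.split("#", 1)[0]
    daemons, sep, clients = rule.partition(":")
    if not sep:
        return False
    daemon_ok = any(d in ("ALL", daemon) for d in daemons.split())
    return daemon_ok and client_list_matches(clients, client)

def hosts_access(allow, deny, daemon, client):
    """tcpd order: hosts.allow first (a hit ends the search), then
    hosts.deny; a client matched by neither file is granted access."""
    if any(rule_matches(r, daemon, client) for r in allow):
        return "ALLOW"
    if any(rule_matches(r, daemon, client) for r in deny):
        return "DENY"
    return "ALLOW"

# Constructed sample: the two allow rules from the post above.
ALLOW = ["ALL : 192.168.0. EXCEPT 192.168.0.46  # trailing dot = prefix",
         "ALL : .foo.bar EXCEPT honker.foo.bar   # leading dot = suffix"]
```

With only ALL : PARANOID in hosts.deny, the EXCEPT'ed 192.168.0.46 still gets in through the default-allow path; an ALL : ALL line in hosts.deny is what turns the allow list into the only way in.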

Gary Turner

Mar 24, 2002, 5:53:09 PM
On Sun, 24 Mar 2002 13:12:56 -0600, Dimitri Maziuk wrote:

>* Gary Turner (kk...@swbell.net) spake thusly:


>> On Sun, 24 Mar 2002 08:46:00 +0100, Sven Hoexter wrote:
>>
>> >On Sat, Mar 23, 2002 at 01:09:37PM -0800, Jaye Inabnit ke6sls wrote:
>>

<big snip>
>
>Didn't you read Sven's rely? It says "DNS problem" right there.
>
Yes, I did. Didn't you read mine?


"If this is not germane to the thread, I apologize. If it is wrong, I
seek instruction."
--
gt

Everything here could be wrong--Messiah's Handbook--Bach

Dimitri Maziuk

Mar 24, 2002, 7:41:59 PM
* Gary Turner (kk...@swbell.net) spake thusly:
> On Sun, 24 Mar 2002 13:12:56 -0600, Dimitri Maziuk wrote:
>
> >* Gary Turner (kk...@swbell.net) spake thusly:
> >> On Sun, 24 Mar 2002 08:46:00 +0100, Sven Hoexter wrote:
> >>
> >> >On Sat, Mar 23, 2002 at 01:09:37PM -0800, Jaye Inabnit ke6sls wrote:
> >>
> <big snip>
> >
> >Didn't you read Sven's rely? It says "DNS problem" right there.
Make that "reply".

> >
> Yes, I did. Didn't you read mine?
> "If this is not germane to the thread, I apologize. If it is wrong, I
> seek instruction."

Well, it's relevant as most tcp apps rely on DNS for hostname
resolution. It's not particular to ssh or tcp wrappers, though.

DNS configuration, OTOH, is too big a topic for a quick instruction
in an email reply. There are books and howtos on the subject.

Just to give you a concrete example: assume 192.168.1.0 subnet.
Missing a trailing dot in RDNS zone, like this:
1 IN PTR host.foo.bar
dot missing here ---^
will result in reverse lookup for 192.168.1.1 returning something
like "host.foo.bar.in-addr.arpa". That will not match "*.foo.bar"
entry in hosts.allow, nor the entry in ssh's known hosts file.

So if DNS is b0rked, questions about tcp wrappers don't apply,
if you see what I mean.

The really interesting question is whether relying on something
as notoriously unreliable as DNS for access control is a sane
idea.

Dima
--
Tlaloc: What was Elrond's second name?
Gruber: Hubbard -- <ahbou=3C69EB63...@last.com>

Gary Turner

Mar 25, 2002, 2:49:49 AM
On Sun, 24 Mar 2002 18:29:39 -0600, Dimitri Maziuk wrote:

>* Gary Turner (kk...@swbell.net) spake thusly:
>> On Sun, 24 Mar 2002 13:12:56 -0600, Dimitri Maziuk wrote:

>> >Didn't you read Sven's rely? It says "DNS problem" right there.
>Make that "reply".

Hmph; I see so many typos on the lists, I don't even see my own any
more. <|:-(

>> >
>> Yes, I did. Didn't you read mine?
>> "If this is not germane to the thread, I apologize. If it is wrong, I
>> seek instruction."
>
>Well, it's relevant as most tcp apps rely on DNS for hostname
>resolution. It's not particular to ssh or tcp wrappers, though.
>
>DNS configuration, OTOH, is too big a topic for a quick instruction
>in an email reply. There are books and howtos on the subject.

OK, thanks. I put the neo in phyte and am building my system task at a
time. DNS and SSH are dishes I'm not ready to wash just yet. :)

>
>Just to give you a concrete example: assume 192.168.1.0 subnet.
>Missing a trailing dot in RDNS zone, like this:
>1 IN PTR host.foo.bar
> dot missing here ---^
>will result in reverse lookup for 192.168.1.1 returning something
>like "host.foo.bar.in-addr.arpa". That will not match "*.foo.bar"
>entry in hosts.allow, nor the entry in ssh's known hosts file.

Curiosity just bit me in the butt. Where does the .in-addr.arpa come
from? For example, if this were my LAN, bessie.blues matches
192.168.0.1. How/why would higher level domains be added? If the
reverse look-up went to the WAN, isn't the ~declared~ domain name
compared to the name registered to the IP?

If curiosity took too big a bite to cover with a Bandaid, no prob. I'll
get to the books soon enough.

>
>So if DNS is b0rked, questions about tcp wrappers don't apply,
>if you see what I mean.

Actually not, yet. ;~}

>
>The really interesting question is whether relying on something
>as notoriously unreliable as DNS for access control is a sane
>idea.

Vagrant thought: Either hosts.access is not the appropriate tool in
this case, or the reverse look-up does not use it properly (from hosts.*
point of view). Either way, I dislike the idea of defaulting to allow
rather than deny.

See above in re Bandaid. :)


--
gt
It is interesting to note that as one evil empire (generic) fell,
another Evil Empire (tm) began its nefarious rise. -- me

Nathan E Norman

Mar 25, 2002, 1:32:54 PM

On Mon, Mar 25, 2002 at 09:57:13AM -0600, Dimitri Maziuk wrote:
> > Curiosity just bit me in the butt. Where does the .in-addr.arpa come
> > from?
>
> From the way bind works. See e.g. O'Reilly's "DNS and Bind".

Well, er, it's not there because of the way BIND works. Rather, BIND
works that way because it is conforming to the standards. See STD13,
section 5.2.1 and RFC1035, section 3.5 for some discussion of the
IN-ADDR.ARPA domain.
Sorry to be pedantic :)

--
Nathan Norman - Micromuse Ltd. mailto:nno...@micromuse.com
Gil-galad was an Elven-king. | The Fellowship
Of him the harpers sadly sing: | of
the last whose realm was fair and free | the Ring
between the Mountains and the Sea. | J.R.R. Tolkien
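As an added illustration of Dimitri's missing-dot example and the IN-ADDR.ARPA naming Nathan points to in RFC 1035 section 3.5 (this is not code from the thread): a small reader for a reverse zone that qualifies relative names against $ORIGIN exactly as a zone file does, so a PTR target written without its trailing dot lands under in-addr.arpa, plus a check that flags such records. The zone text and the host names are constructed; the reader assumes one record per line with an explicit owner field.

```python
def reverse_name(addr):
    """RFC 1035 s3.5: the PTR owner for an IPv4 address is the four octets
    in reverse order under IN-ADDR.ARPA, e.g. 192.168.1.1 -> 1.1.168.192..."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {addr}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def qualify(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to $ORIGIN,
    which is exactly why 'host.foo.bar' grows an in-addr.arpa tail."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_ptr_zone(text, origin=None):
    """Return {owner: target} for the PTR records in a reverse zone.
    Handles $ORIGIN, ';' comments, an optional TTL and the IN class."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN and no origin given")
        owner, *rest = line.split()
        rest = [f for f in rest if f != "IN" and not f.isdigit()]  # drop TTL/class
        if len(rest) == 2 and rest[0] == "PTR":
            records[qualify(owner, origin)] = qualify(rest[1], origin)
    return records

def lint_ptr_targets(records):
    """A PTR target that itself ends in in-addr.arpa is almost always a
    forgotten trailing dot; return the owners that need fixing."""
    return sorted(o for o, t in records.items() if t.endswith(".in-addr.arpa."))

# Constructed sample zone: the first record reproduces the missing-dot bug.
ZONE = """$ORIGIN 1.168.192.in-addr.arpa.
1   IN PTR host.foo.bar     ; trailing dot missing
2   IN PTR bessie.blues.    ; correct, absolute name
"""
```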


Dimitri Maziuk

Mar 25, 2002, 2:08:53 PM
* Nathan E Norman (nno...@micromuse.com) spake thusly:

> On Mon, Mar 25, 2002 at 09:57:13AM -0600, Dimitri Maziuk wrote:
> > > Curiosity just bit me in the butt. Where does the .in-addr.arpa come
> > > from?
> >
> > From the way bind works. See e.g. O'Reilly's "DNS and Bind".
>
> Well, er, it's not there because of the way BIND works. Rather, BIND
> works that way because it is conforming to the standards. See STD13,
> section 5.2.1 and RFC1035, section 3.5 for some discussion of the
> IN-ADDR.ARPA domain.
>
> Sorry to be pedantic :)

It's OK. I should've said "because that's How Things Are[tm]". ;)

Dima
--
Yes, Java is so bulletproofed that to a C programmer it feels like being in a
straightjacket, but it's a really comfy and warm straightjacket, and the world
would be a safer place if everyone was straightjacketed most of the time.
-- Mark 'Kamikaze' Hughes
