sendmail log question?

I'm running Fedora 9 with sendmail-8.14.2-1.fc8.  I'm also running 
denyhosts which puts SSH hackers' IPs in deny.hosts.  I'm getting a log 
entry I don't understand:

  **Unmatched Entries**
     warning: /etc/hosts.deny, line 2305: can't verify hostname: 
getaddrinfo(196-201-135-143.iwayafrica.com, AF_INET) failed: 3 Time(s)

and I'm getting a lot of them.  Line 2305 of hosts.deny is:

ALL: 83.72.199.48.ip.tele2adsl.dk

I don't understand what exactly the error message means and I'm not even 
sure it is being generated directly by sendmail.  Can anybody explain 
this a little so maybe I can solve the fault.

Thanks,

-- 

Knute Johnson
email s/nospam/knute2008/

--
Posted via NewsDemon.com - Premium Uncensored Newsgroup Service
      ------->>>>>>http://www.NewsDemon.com<<<<<<------
Unlimited Access, Anonymous Accounts, Uncensored Broadband Access
Reply nospam8071 (917) 7/21/2008 12:53:31 AM

Knute Johnson <nospam@rabbitbrush.frazmtn.com> wrote:

> I'm running Fedora 9 with sendmail-8.14.2-1.fc8.  I'm also running
> denyhosts which puts SSH hackers' IPs in deny.hosts.  I'm getting a
> log entry I don't understand:
>
>  **Unmatched Entries**
>     warning: /etc/hosts.deny, line 2305: can't verify hostname:
> getaddrinfo(196-201-135-143.iwayafrica.com, AF_INET) failed: 3 Time(s)
>
> and I'm getting a lot of them.  Line 2305 of hosts.deny is:
>
> ALL: 83.72.199.48.ip.tele2adsl.dk
>
> I don't understand what exactly the error message means and I'm not
> even sure it is being generated directly by sendmail.  Can anybody
> explain this a little so maybe I can solve the fault.

Have you considered using IP addresses instead of RDNS names?

I guess the link below may be also relevant:
http://bad.debian.net/list/2001-December/001733.html

-- 
[pl>en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
"But this one goes to eleven."
  -- Nigel Tufnel
Reply anfi2 (1412) 7/21/2008 7:41:16 AM


Andrzej Adam Filip wrote:
> Knute Johnson <nospam@rabbitbrush.frazmtn.com> wrote:
> 
>> I'm running Fedora 9 with sendmail-8.14.2-1.fc8.  I'm also running
>> denyhosts which puts SSH hackers' IPs in deny.hosts.  I'm getting a
>> log entry I don't understand:
>>
>>  **Unmatched Entries**
>>     warning: /etc/hosts.deny, line 2305: can't verify hostname:
>> getaddrinfo(196-201-135-143.iwayafrica.com, AF_INET) failed: 3 Time(s)
>>
>> and I'm getting a lot of them.  Line 2305 of hosts.deny is:
>>
>> ALL: 83.72.199.48.ip.tele2adsl.dk
>>
>> I don't understand what exactly the error message means and I'm not
>> even sure it is being generated directly by sendmail.  Can anybody
>> explain this a little so maybe I can solve the fault.
> 
> Have you considered using IP addresses instead of RDNS names?

Somebody else mentioned that they had a problem with names in 
deny.hosts.  I'm not sure how to get denyhosts to put IP addresses 
instead of the name.  I'll have to ask on the denyhosts list.

> I guess the link below may be also relevant:
> http://bad.debian.net/list/2001-December/001733.html

Thanks, I'll look at that.

-- 

Knute Johnson
email s/nospam/knute2008/

Reply nospam8071 (917) 7/21/2008 3:48:41 PM

On Sun, 20 Jul 2008, in the Usenet newsgroup comp.mail.sendmail, in article
<4883de0a$0$4033$b9f67a60@news.newsdemon.com>, Knute Johnson wrote:

>I'm running Fedora 9 with sendmail-8.14.2-1.fc8.

I'm curious why the mix.  FC9 came out of the box two months ago with
sendmail-8.14.2-4.fc9, while that sendmail-8.14.2-1.fc8 is an errata
or update to FC8 that came out about 8 months ago.

>I'm also running denyhosts which puts SSH hackers' IPs in deny.hosts.

Are you a world traveler, or do you have users authorized to log into
your system from every IP address in the world?  You'll find you will
waste fewer CPU cycles by configuring your firewall to only allow
connections to your SSH server from IP addresses you actually expect
may have a legitimate reason to connect.  For me, that means allowing
just 1536 IP addresses (a /22 and two /24s) out of the 2676890800 IPv4
addresses in current use in the entire world.   Or would you rather
continue until your /etc/hosts.deny has two and a half billion lines?

>  **Unmatched Entries**
>     warning: /etc/hosts.deny, line 2305: can't verify hostname:
>getaddrinfo(196-201-135-143.iwayafrica.com, AF_INET) failed: 3 Time(s)

[compton ~]$ host 196.201.135.143
143.135.201.196.IN-ADDR.ARPA domain name pointer 196-201-135-143.iwayafrica.com
[compton ~]$ host 196-201-135-143.iwayafrica.com
Host not found.
[compton ~]$ 

Hey - you're lucky they've figured out how to create a PTR record in
their DNS. Just because it doesn't point to a name with an A record...

>and I'm getting a lot of them.  Line 2305 of hosts.deny is:
>
>ALL: 83.72.199.48.ip.tele2adsl.dk

You may want to read the documentation that comes with tcp_wrappers,
specifically the man page (man 5 hosts_access).  Read specifically
the section "ACCESS CONTROL FILES". I find it useful to keep 'names'
out of these files - because you're assuming that everyone has properly
set up A and PTR records in their DNS that match (as you see here, this
isn't always the case).    As regards the line number, I can't recall
if tcp_wrappers/libwrap starts counting from line zero or one.

        Old guy
Reply ibuprofin2 (2555) 7/22/2008 12:39:03 AM

Moe Trin wrote:
> On Sun, 20 Jul 2008, in the Usenet newsgroup comp.mail.sendmail, in article
> <4883de0a$0$4033$b9f67a60@news.newsdemon.com>, Knute Johnson wrote:
> 
>> I'm running Fedora 9 with sendmail-8.14.2-1.fc8.
> 
> I'm curious why the mix.  FC9 came out of the box two months ago with
> sendmail-8.14.2-4.fc9, while that sendmail-8.14.2-1.fc8 is an errata
> or update to FC8 that came out about 8 months ago.

My mistake, the server box is still running F8, so I think that is the 
correct sendmail.

>> I'm also running denyhosts which puts SSH hackers' IPs in deny.hosts.
> 
> Are you a world traveler, or do you have users authorized to log into
> your system from every IP address in the world?  You'll find you will
> waste fewer CPU cycles by configuring your firewall to only allow
> connections to your SSH server from IP addresses you actually expect
> may have a legitimate reason to connect.  For me, that means allowing
> just 1536 IP addresses (a /22 and two /24s) out of the 2676890800 IPv4
> addresses in current use in the entire world.   Or would you rather
> continue until your /etc/hosts.deny has two and a half billion lines?

That's why I have the denyhosts running, because I need to ssh into the 
box from IPs that I don't know before I leave.

>>  **Unmatched Entries**
>>     warning: /etc/hosts.deny, line 2305: can't verify hostname:
>> getaddrinfo(196-201-135-143.iwayafrica.com, AF_INET) failed: 3 Time(s)
> 
> [compton ~]$ host 196.201.135.143
> 143.135.201.196.IN-ADDR.ARPA domain name pointer 196-201-135-143.iwayafrica.com
> [compton ~]$ host 196-201-135-143.iwayafrica.com
> Host not found.
> [compton ~]$ 
> 
> Hey - you're lucky they've figured out how to create a PTR record in
> their DNS. Just because it doesn't point to a name with an A record...
> 
>> and I'm getting a lot of them.  Line 2305 of hosts.deny is:
>>
>> ALL: 83.72.199.48.ip.tele2adsl.dk
> 
> You may want to read the documentation that comes with tcp_wrappers,
> specifically the man page (man 5 hosts_access).  Read specifically
> the section "ACCESS CONTROL FILES". I find it useful to keep 'names'
> out of these files - because you're assuming that everyone has properly
> set up A and PTR records in their DNS that match (as you see here, this
> isn't always the case).    As regards the line number, I can't recall
> if tcp_wrappers/libwrap starts counting from line zero or one.
> 
>         Old guy

Thanks, that name problem is coming from denyhosts.  I think I'm going 
to have to talk to them about that.

Thanks for the response.

-- 

Knute Johnson
email s/nospam/knute2008/

Reply nospam8071 (917) 7/22/2008 1:27:48 AM

On 7/21/2008 8:27 PM, Knute Johnson wrote:
> That's why I have the denyhosts running, because I need to ssh into the 
> box from IPs that I don't know before I leave.

That's why I like to close down SSH port 22 to known hosts and run SSH 
elsewhere on a high port too.  That way when I'm out and about I can SSH 
to the high port and I don't have to worry about skript kiddies on my 
main SSH port.



Grant. . . .

Reply gtaylor (1357) 7/22/2008 3:34:47 AM

On Mon, 21 Jul 2008, in the Usenet newsgroup comp.mail.sendmail, in article
<48853796$0$4043$b9f67a60@news.newsdemon.com>, Knute Johnson wrote:

>Moe Trin wrote:

>My mistake, the server box is still running F8, so I think that is the
>correct sendmail.

As of Saturday night, it was the latest FC8 update.

>> Are you a world traveler, or do you have users authorized to log into
>> your system from every IP address in the world?  You'll find you will
>> waste fewer CPU cycles by configuring your firewall to only allow
>> connections to your SSH server from IP addresses you actually expect
>> may have a legitimate reason to connect.  For me, that means allowing
>> just 1536 IP addresses (a /22 and two /24s) out of the 2676890800 IPv4
>> addresses in current use in the entire world.

>That's why I have the denyhosts running, because I need to ssh into the
>box from IPs that I don't know before I leave.

http://www.iana.org/assignments/ipv4-address-space

If you must leave it wide open, I _strongly_ agree with Grant that you
move the server to some high port number over roughly 1100, and not one
of the commonly used ones (see the nmap package that is part of FC8).
Before you think "SECURITY THROUGH OBSCURITY!" remember that moving
the server location in no way changes the authentication mechanisms
you have in place - you still need a valid username and password to
get in.  What it _does_ do is to raise a trivial barrier to the skript
kiddiez and 'bots that know that SSH servers only exist on port 22.
There are even stronger concepts like 'port knocking' where the remote
has to send a packet to a specific _closed_ port which causes the
firewall to temporarily open some other port (where the SSH server is
actually waiting) to that specific address. This mechanism is a strong
defense against port-scanning, BUT may be more work than is needed or
desired ("KISS" = "Keep It Simple, Stupid!").

>Thanks, that name problem is coming from denyhosts.  I think I'm going
>to have to talk to them about that.

Depending on hostnames for security (except where the lack of an
appropriate 'A' or 'PTR' record is grounds for blocking) is usually a
bad idea. The man page for tcp_wrappers (man 5 hosts_access) provides
two 'wildcard' entries (KNOWN and UNKNOWN), but Prof. Venema warns in
the descriptions of possible problems due to name resolution mis-cues.
There is also a 'PARANOID' wildcard that _could_ be useful for some
services, but would trigger on 'generic' 'PTR' names like the two you
posted (196-201-135-143.iwayafrica.com and 83.72.199.48.ip.tele2adsl.dk
which may not have matching 'A' records).

I've always felt that "reactionary" programs (programs that react to
perceived events) are less useful than common sense. It used to be a
childish h4X0r trick to send packets to their "friend's" computer that
spoofed "attacks" from the DNS server or gateway that the "friend" was
using. This is much less common today, but the concept remains.

        Old guy
Reply ibuprofin2 (2555) 7/22/2008 7:55:33 PM
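The port-knocking mechanism sketched in the post above, as an added example that is not part of the thread and is not a real knock daemon: a small in-memory model of the firewall, fed with constructed packet events instead of iptables rules. The knock sequence (8000, 7000, 9000), the SSH port 2222, the timing windows and the addresses are all assumptions. Besides the basic open-after-correct-knock behaviour it shows the two details a practitioner trips over: a sequence that must be completed within a time window, and a monotonically increasing sequence that an ordinary port-by-port scan completes by accident unless a packet to any other port resets the sequence.

```python
"""
Model of the port-knocking scheme described above: the SSH port is closed,
a client first sends packets to a fixed sequence of closed ports, and a
correct sequence opens the SSH port to that source address for a short
window. Added example, not code from the thread and not a real knock
daemon: the firewall is an in-memory policy fed with constructed packet
events instead of iptables rules.
"""
from dataclasses import dataclass, field


@dataclass
class KnockFirewall:
    sequence: tuple                  # knock ports, in order (values assumed below)
    ssh_port: int = 2222             # where sshd really listens (assumption)
    knock_window: float = 10.0       # seconds allowed to finish the sequence
    open_for: float = 30.0           # seconds the SSH port stays open afterwards
    reset_on_stray: bool = True      # packet to any other port restarts the sequence
    _progress: dict = field(default_factory=dict)   # src -> (next index, first-knock time)
    _opened: dict = field(default_factory=dict)     # src -> expiry time

    def is_open(self, src, dst_port, now):
        """Would a connection from src to dst_port be accepted at time now?"""
        return dst_port == self.ssh_port and self._opened.get(src, 0.0) > now

    def packet(self, src, dst_port, now):
        """Feed one inbound packet; returns 'accept' or 'drop'. Knocks are
        always dropped: a knock port is never open, only observed."""
        if self.is_open(src, dst_port, now):
            return "accept"
        if dst_port not in self.sequence:
            if self.reset_on_stray:
                self._progress.pop(src, None)
            return "drop"
        idx, started = self._progress.get(src, (0, now))
        if now - started > self.knock_window:       # too slow: start over
            idx, started = 0, now
        if dst_port == self.sequence[idx]:
            idx += 1
        elif dst_port == self.sequence[0]:          # wrong port, but a fresh start
            idx, started = 1, now
        else:                                       # wrong port: start over
            idx = 0
        if idx == len(self.sequence):               # sequence complete
            self._opened[src] = now + self.open_for
            self._progress.pop(src, None)
        elif idx:
            self._progress[src] = (idx, started)
        else:
            self._progress.pop(src, None)
        return "drop"


def run(fw, events):
    """Replay constructed (time, src, dst_port) packets; return the verdicts."""
    return [fw.packet(src, port, t) for t, src, port in events]


def sequential_scan_opens(sequence, ports, reset_on_stray=True, src="192.0.2.77"):
    """Does one packet per port, in numeric order (a plain port scan), complete
    the knock sequence? True means the sequence is guessable by a scanner."""
    fw = KnockFirewall(sequence=sequence, reset_on_stray=reset_on_stray)
    for i, port in enumerate(ports):
        fw.packet(src, port, i * 0.001)
    return fw.is_open(src, fw.ssh_port, len(ports) * 0.001)


EVENTS = [                           # constructed traffic; knock sequence 8000, 7000, 9000
    (0.0, "198.51.100.7", 2222),     # SSH port is closed: dropped
    (1.0, "198.51.100.7", 8000),     # knock 1
    (1.5, "198.51.100.7", 7000),     # knock 2
    (2.0, "198.51.100.7", 9000),     # knock 3: window opens for this source
    (2.5, "198.51.100.7", 2222),     # accepted
    (3.0, "203.0.113.5", 2222),      # another source: still closed
    (40.0, "198.51.100.7", 2222),    # window expired: dropped again
]

if __name__ == "__main__":
    print(run(KnockFirewall(sequence=(8000, 7000, 9000)), EVENTS))
    print(sequential_scan_opens((7000, 8000, 9000), range(7000, 9001), reset_on_stray=False))
```

The window is keyed on the source address only, so everyone behind the same NAT gets it, and the knock itself is visible to anyone who can see the traffic; the scheme hides the server from scanners, it does not replace the key-based authentication sshd still performs once the port is open.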

Moe Trin wrote:
> If you must leave it wide open, I _strongly_ agree with Grant that you
> move the server to some high port number over roughly 1100, and not one
> of the commonly used ones (see the nmap package that is part of FC8).
> Before you think "SECURITY THROUGH OBSCURITY!" remember that moving
> the server location in no way changes the authentication mechanisms
> you have in place - you still need a valid username and password to
> get in.  What it _does_ do is to raise a trivial barrier to the skript
> kiddiez and 'bots that know that SSH servers only exist on port 22.
> There are even stronger concepts like 'port knocking' where the remote
> has to send a packet to a specific _closed_ port which causes the
> firewall to temporarily open some other port (where the SSH server is
> actually waiting) to that specific address. This mechanism is a strong
> defense against port-scanning, BUT may be more work than is needed or
> desired ("KISS" = "Keep It Simple, Stupid!").
> 
>> Thanks, that name problem is coming from denyhosts.  I think I'm going
>> to have to talk to them about that.
> 
> Depending on hostnames for security (except where the lack of an
> appropriate 'A' or 'PTR' record is grounds for blocking) is usually a
> bad idea. The man page for tcp_wrappers (man 5 hosts_access) provides
> two 'wildcard' entries (KNOWN and UNKNOWN), but Prof. Venema warns in
> the descriptions of possible problems due to name resolution mis-cues.
> There is also a 'PARANOID' wildcard that _could_ be useful for some
> services, but would trigger on 'generic' 'PTR' names like the two you
> posted (196-201-135-143.iwayafrica.com and 83.72.199.48.ip.tele2adsl.dk
> which may not have matching 'A' records).
> 
> I've always felt that "reactionary" programs (programs that react to
> perceived events) are less useful than common sense. It used to be a
> childish h4X0r trick to send packets to their "friend's" computer that
> spoofed "attacks" from the DNS server or gateway that the "friend" was
> using. This is much less common today, but the concept remains.
> 
>         Old guy

Thanks for the information.

I'm really not worried about my ssh server.  I'm using public key 
authentication and the odds of the script kiddies getting in are 
infinitesimal.

What I really wanted to understand and still don't is what the error 
message means and where was it generated.  Did tcpwrappers fail to 
authorize the connection and report the warning or did they actually 
connect to my mail server.  Or did tcpwrappers blow up when it found an 
address it couldn't verify.

Thanks,

-- 

Knute Johnson
email s/nospam/knute2008/

Reply nospam8071 (917) 7/22/2008 9:40:12 PM

On Tue, 22 Jul 2008, in the Usenet newsgroup comp.mail.sendmail, in article
<488653bc$0$4050$b9f67a60@news.newsdemon.com>, Knute Johnson wrote:

>Moe Trin wrote:

>> If you must leave it wide open, I _strongly_ agree with Grant that you
>> move the server to some high port number over roughly 1100, and not one
>> of the commonly used ones (see the nmap package that is part of FC8).

>I'm really not worried about my ssh server.  I'm using public key
>authentication and the odds of the script kiddies getting in are
>infinitesimal.

Then why are you worrying about blocking skript kiddiez and bots?

>What I really wanted to understand and still don't is what the error
>message means and where was it generated.  Did tcpwrappers fail to
>authorize the connection and report the warning or did they actually
>connect to my mail server.  Or did tcpwrappers blow up when it found
>an address it couldn't verify.

It's 'libwrap' rather than tcpwrappers, but yes that would appear to
be the problem.

        Old guy
Reply ibuprofin2 (2555) 7/23/2008 8:06:31 PM
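To pin down what the warning means and where it comes from, here is an added example (not code from the thread and not tcp_wrappers' own source) that reconstructs in Python the check libwrap performs when a hosts.allow or hosts.deny pattern needs the client's name: reverse-map the client address, forward-map the resulting name, and require the address to be among the forward results. When the forward lookup fails, libwrap logs "can't verify hostname: getaddrinfo(<PTR name>, AF_INET) failed" prefixed with the access-control file and the line it was evaluating at that moment, and sets the client's name to "paranoid", so no hostname pattern matches it (address patterns, ALL and the PARANOID wildcard still do). The name in the message is therefore the connecting client's PTR name, not the pattern on the cited line, which is why line 2305 and the iwayafrica name do not agree; the message is syslogged under the identity of whichever wrapped daemon accepted the connection, which is how logwatch filed it under sendmail. This also covers the KNOWN/UNKNOWN/PARANOID wildcards from the earlier post. DNS is replaced by two constructed tables; the example.org hosts and the hosts.deny lines are made up for the example.

```python
"""
Reconstruction of the client-name check that libwrap (tcp_wrappers) runs
when a pattern in /etc/hosts.allow or /etc/hosts.deny needs the client's
hostname. Added example, not code from the thread or from tcp_wrappers;
DNS is replaced by two constructed tables so it runs offline.
"""
import ipaddress

UNKNOWN, PARANOID = "unknown", "paranoid"

# Constructed resolver data. The two real names are modelled as in the
# 'host' output earlier in the thread: a PTR whose name has no A record.
# The example.org hosts are assumptions made up for this example.
PTR_RECORDS = {
    "196.201.135.143": "196-201-135-143.iwayafrica.com",
    "83.72.199.48": "83.72.199.48.ip.tele2adsl.dk",
    "192.0.2.10": "shell.example.org",   # consistent PTR/A pair
    "192.0.2.99": "shell.example.org",   # PTR claims a name it does not own
}
A_RECORDS = {"shell.example.org": ["192.0.2.10"]}


class Client:
    """Connecting peer. The name is resolved lazily and only once, as in libwrap."""

    def __init__(self, addr):
        self.addr, self.name, self.warnings = addr, None, []

    def hostname(self, ctx):
        if self.name is None:
            self.name = self._sock_hostname(ctx)
        return self.name

    def _sock_hostname(self, ctx):
        """PTR lookup, then A lookup of the PTR name, which must include addr.
        ctx is the (file, line) being evaluated; the warning cites it."""
        name = PTR_RECORDS.get(self.addr)
        if name is None:
            return UNKNOWN                      # no PTR at all: matches UNKNOWN
        forward = A_RECORDS.get(name)
        if forward is None:
            self._warn(ctx, f"can't verify hostname: getaddrinfo({name}, AF_INET) failed")
            return PARANOID
        if self.addr not in forward:
            self._warn(ctx, f"host name/address mismatch: {self.addr} != {name}")
            return PARANOID
        return name                             # verified: matches KNOWN

    def _warn(self, ctx, msg):
        self.warnings.append(f"warning: {ctx[0]}, line {ctx[1]}: {msg}")


def host_match(pattern, client, ctx):
    """One client-list token against one client: ALL/KNOWN/UNKNOWN/PARANOID,
    net/mask, numeric address or dotted prefix, hostname or .domain suffix."""
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return client.hostname(ctx) not in (UNKNOWN, PARANOID)
    if pattern in ("UNKNOWN", "PARANOID"):
        return client.hostname(ctx) == pattern.lower()
    if set(pattern) <= set("0123456789./"):     # numeric: the address decides, no DNS
        if "/" in pattern:                      # net/mask
            return ipaddress.ip_address(client.addr) in ipaddress.ip_network(pattern, strict=False)
        if pattern.endswith("."):               # "192.0.2." style prefix
            return client.addr.startswith(pattern)
        return client.addr == pattern
    name = client.hostname(ctx).lower()         # only here is DNS consulted
    pattern = pattern.lower()
    return name.endswith(pattern) if pattern.startswith(".") else name == pattern


def hosts_access(rules, client, daemon="sshd", file="/etc/hosts.deny"):
    """Return the 1-based number of the first matching 'daemons : clients'
    line, or None. Lists are comma-separated, as in hosts_access(5)."""
    for lineno, rule in enumerate(rules, start=1):
        daemons, _, clients = rule.partition(":")
        if not any(d.strip() in ("ALL", daemon) for d in daemons.split(",")):
            continue
        for pat in (p.strip() for p in clients.split(",") if p.strip()):
            if host_match(pat, client, (file, lineno)):
                return lineno
    return None


DENY_RULES = [                                  # constructed hosts.deny
    "ALL: 203.0.113.0/255.255.255.0",           # net/mask: address only
    "ALL: 196.201.135.143",                     # numeric: address only
    "ALL: 83.72.199.48.ip.tele2adsl.dk",        # name: forces the lookup
    "ALL: .badhost.example",                    # domain suffix: name again
]

if __name__ == "__main__":
    for addr in ("196.201.135.143", "83.72.199.48", "192.0.2.99", "192.0.2.10"):
        c = Client(addr)
        hit = hosts_access(DENY_RULES, c)
        print(f"{addr:16} name={str(c.name):20} denied_by_line={hit}")
        for w in c.warnings:
            print("    " + w)
```

Running it shows the practical consequence of letting denyhosts write names: the entry on line 3 was written for 83.72.199.48, yet that client is not denied, because the only pattern that could match it is a name and its name cannot be verified. An address entry (line 2) matches without any DNS traffic at all, and the warning is raised at the first line that forced the lookup, not at a line that has anything to do with the client.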
