Linux – hosts.deny not blocking ip addresses

centoshackingipiptableslinux

I have the following in my /etc/hosts.deny file

#
# hosts.deny    This file describes the names of the hosts which are
#       *not* allowed to use the local INET services, as decided
#       by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

ALL:ALL

and this in /etc/hosts.allow

#
# hosts.allow   This file describes the names of the hosts which are
#       allowed to use the local INET services, as decided
#       by the '/usr/sbin/tcpd' server.
#
ALL:xx.xx.xx.xx , xx.xx.xxx.xx , xx.xx.xxx.xxx , xx.x.xxx.xxx , xx.xxx.xxx.xxx

but i am still getting lots of these emails:

Time:     Thu Feb 10 13:39:55 2011 +0000
IP:       202.119.208.220 (CN/China/-)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked:  Permanent Block

Log entries:

Feb 10 13:39:52 ds-103 sshd[12566]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.119.208.220  user=root
Feb 10 13:39:52 ds-103 sshd[12567]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.119.208.220  user=root
Feb 10 13:39:52 ds-103 sshd[12568]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.119.208.220  user=root
Feb 10 13:39:52 ds-103 sshd[12571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.119.208.220  user=root
Feb 10 13:39:53 ds-103 sshd[12575]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.119.208.220  user=root

whats worse is csf is trying to auto block these ip's when the attempt to get in but although it does put ip's in the csf.deny file they do not get blocked either

So i am trying to block all ip's with /etc/hosts.deny and allow only the ip's i use with /etc/hosts.allow but so far it doesn't seem to work.

right now i'm having to manually block each one with iptables, I would rather it automatically block the hackers in case I was away from a pc or asleep

Best Answer

changed the files to this and it now seems to be working.

will know in a few hours if this solved it or not

#
# hosts.deny    This file describes the names of the hosts which are
#       *not* allowed to use the local INET services, as decided
#       by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
ALL: ALL

It seems the colon needs a space after it.

#
# hosts.allow   This file describes the names of the hosts which are
#       allowed to use the local INET services, as decided
#       by the '/usr/sbin/tcpd' server.
ALL: xx.xxx.xx.xx , xx.xxx.xxx.xx , xx.xx.xxx.xxx , xx.x.xxx.xxx , xx.xxx.xxx.xxx
Related Topic