Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sshd connection problems with superhosts.deny & hosts #588

Open
georgengelmann opened this issue Jul 16, 2020 · 13 comments
Open

sshd connection problems with superhosts.deny & hosts #588

georgengelmann opened this issue Jul 16, 2020 · 13 comments
Assignees
Labels
false positive all false positive review requests

Comments

@georgengelmann
Copy link

I tried the superhosts.deny and the hosts file on a Debian 10 Server.
Now I have locked myself out. I tried different ssh clients & VPN to check, but the server is causing the connection problem.

Linux ssh error: "read: connection reset by peer"
Putty / Kitty error: "Software caused connection abort"

@georgengelmann georgengelmann added the false positive all false positive review requests label Jul 16, 2020
@spirillen
Copy link
Contributor

Hey @georgengelmann have you checked that your own IP address isn't in the list??

It could be related to this issue #580 (comment) by @ZerooCool

Alternatively if you dare you can sent me the login info to the server over keybase.io and I can see if I can help you, the case is the error responses you get easily can be a unstable connection, rather than a actual server issue.

A tremendous huge deny.hosts file isn't usual a problem on *nix systems

@georgengelmann
Copy link
Author

have you checked that your own IP address isn't in the list??

Yes and I tried connecting via VPN

@spirillen
Copy link
Contributor

That one could easily be in the list as well 😏 as many VPN's are listed there, as the criminals abuses them.

Do you have a friend or someone else in your neighborhood you could give a quick visit to lent there internet to try to connect from there?

It is a hunch, but I feel it is in your IP you should seek the problem

@georgengelmann
Copy link
Author

georgengelmann commented Jul 16, 2020

I searched for my IP in the hosts.deny file and the IP file and it's not there.

I can connect to other ssh servers from here.

I also tried to connect to my server from another server.

@spirillen
Copy link
Contributor

OK that's bad then 😒 is it a VPS server with a little number of vRam and vCPU? if, try to rise the values of those as a list of this size would require at least >2GB Ram and >2 vCPU otherwise the timeout would uccure because it can cashed the list and it is taking to long to scout true the list for every connection attempt.

@georgengelmann
Copy link
Author

georgengelmann commented Jul 17, 2020

Technically, Linux can handle the hosts file, but the superhosts.deny is a problem for SSH (I could login via an admin panel)

sudo rm -rf /etc/hosts.deny => sshd connection works again

The affected system has 110GB RAM and 24 CPU cores.

@spirillen
Copy link
Contributor

spirillen commented Jul 17, 2020

That's one big moth..... But something else that stroked me....

Why on earth isn't you using NFTABLES on a d.10 box?

NfTables can handle both IPv4/IPv6 AND domain names!!! The trick is to read the data in as array to keep it fast, not as in IPTables as one record = one rule

But the best tool you can chose to that box is defiantly powerdns.com recursor https://www.powerdns.com/recursor.html and then use the RPZ zones https://www.mypdns.org/w/rpzlist/ There is also a converted edition of the UHB list on GL https://gitlab.com/my-privacy-dns/external-sources/hosts-sources/-/tree/master/data/mitchellkrogza

GitLab
Script to keep lists of external hosts sources up to date in a raw `domain.tld` format for easier manipulating date from external sources

@georgengelmann
Copy link
Author

Is it easy to configure? Download + add RPZ file?

@spirillen
Copy link
Contributor

spirillen commented Jul 17, 2020

Depends... how well do you understand the concept of the DNS hierarchic?

But yes, it's easy and rather self maintained 😄

If you chooses to go for the pdns-recursor, then you'll find a lot of help on there IRC channel almost from the install level.
(For my opinion the pdns recursor is by far the best, as it is build to manipulate queries by lua scripting)

For getting the idea of how the records is written you can look at this cheat-sheet I made. https://mypdns.org/mypdns/support/-/wikis/RPZ-record-types

This is my /etc/powerdns/recursor.lua

-- Load DNSSEC root keys from dns-root-data package.
-- Note: If you provide your own Lua configuration file, consider
-- running rootkeys.lua too.
dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")

rpzMaster(
        {"95.216.166.138", "195.201.225.97"},
        "rpz.urlhaus.abuse.ch",
        {refresh="360", axfrTimeout="600", 
        zoneSizeHint="900",
        dumpFile="/var/lib/pdns-recursor/urlhaus",
        seedFile="/var/lib/pdns-recursor/urlhaus"}
)

rpzMaster(
        {"[2a01:4f9:c010:2166::53]:53","[2a01:4f8:1c1c:abe4::53]:53"},
        "whitelist.mypdns.cloud",
        {refresh="600", axfrTimeout="600"}
)

rpzMaster(
        {"[2a01:4f9:c010:2166::53]:53",
        "[2a01:4f8:1c1c:abe4::53]:53"
        },
        "rpz.mypdns.cloud",
        {refresh="120",
        axfrTimeout="600",
        zoneSizeHint="650000"}
)

rpzMaster(
        {"[2a01:4f9:c010:2166::53]:53",
        "[2a01:4f8:1c1c:abe4::53]:53"
        },
        "adware.mypdns.cloud",
        {refresh="120",
        axfrTimeout="600",
        zoneSizeHint="650000"}
)

rpzMaster(
        {"[2a01:4f9:c010:2166::53]:53","[2a01:4f8:1c1c:abe4::53]:53"},
        "typosquatting.mypdns.cloud",
        {refresh="600", axfrTimeout="600"}
)

rpzMaster(
        {"[2a01:4f9:c010:2166::53]:53","[2a01:4f8:1c1c:abe4::53]:53"},
        "drop.ip.dtq",
        {refresh="120"}
)

rpzMaster(
        {"95.216.166.138:5353", "195.201.225.97:5353"},
        "pirated.mypdns.cloud",
        {refresh="120"}
)

You find a somewhat good documentation at https://docs.powerdns.com/

For installation you should go with the PDNS Repo https://repo.powerdns.com/#debian

And when you are ready to switch, kill the forkedup (týes spelling issue here 👿 ) systemd-resolv daemon as it is using the default port 53

And the last advice I can think of up-front: DO MAKE A LOCAL WHITELIST.....

@spirillen
Copy link
Contributor

Hi @georgengelmann How did it go with this question? Did you convert to a local resolver or did you stick to the host.deny file?

@amastelek
Copy link

Yes, I was also locked out using the deny list. I'm using fail2ban which seems to do a good job and you can create permanent jails.

@funilrys
Copy link
Member

funilrys commented Jul 9, 2021

Is this still an issue? I can't reproduce this on my network components... 😞

@spirillen
Copy link
Contributor

Is this still an issue? I can't reproduce this on my network components... disappointed

Have you tested on a slow 5400 rpm spinel disk.... disk I/O is in play on both hosts and deny/allow?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
false positive all false positive review requests
Projects
Development

No branches or pull requests

5 participants