During installation, my IP is immediately blacklisted, which cuts my connection #128

Open
ZerooCool opened this issue May 7, 2020 · 30 comments
Labels: bug feature user_validation Waiting for the reporting user to confirm resolution

@ZerooCool
Contributor

ZerooCool commented May 7, 2020

Hello,

Can you tell me why DenyHosts is not available in stable on Debian Buster?

I installed the SID version.
It seems to work.

It works so well, that during installation, my IP is immediately blacklisted, which cuts my connection.

I had to go through a VPN. I managed to reconnect. I was able to remove my blacklisted IP address, to put it in the whitelist.

Is this behavior normal?
Would I have done something wrong?
Should I have created deny.allow first and added my IP address, and only then installed DenyHosts?

wget -c -O denyhosts_2.10-2_all.deb  http://ftp.fr.debian.org/debian/pool/main/d/denyhosts/denyhosts_2.10-2_all.deb

sudo dpkg -i denyhosts_2.10-2_all.deb

Sélection du paquet denyhosts précédemment désélectionné.
Préparation du dépaquetage de denyhosts_2.10-2_all.deb ...
Dépaquetage de denyhosts (2.10-2) ...
Paramétrage de denyhosts (2.10-2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/denyhosts.service → /lib/systemd/system/denyhosts.service.
Traitement des actions différées (« triggers ») pour systemd (241-7~deb10u3) ...
@josev814
Member

josev814 commented May 7, 2020

That's a first I've heard of that bug. I would think that it would mean that your ip was marked as spam either by your system, or by our sync server at some point.

That isn't normal behavior, but I also haven't been involved in the project until version 3.x.

Right now we don't have a deb package available for the latest distros. I'm currently in the process of getting control of the PyPI repo, which will allow us to have users install using Python's pip module. After I get the PyPI version updated, I can look at getting access to DenyHosts major repos to get the package updated properly within their respective repos.

If you don't mind me asking, what is your IP address? I can check to see if it's on any of my boxes as a blocked IP address. I have a custom plugin that records all blocked IP addresses into a different system for graphing and tracking within the company I work for.

@josev814 josev814 self-assigned this May 7, 2020
@ZerooCool
Contributor Author

I discover the backstage of DenyHosts then, I wonder, is there really a synchronization somewhere, during the installation?

In my case, my hosts.deny file is almost empty; during the installation, only 3 IPs are added in a few minutes, including mine.

I have encountered this problem in the past already, on Debian.

I just wrote a tutorial in French, to install DenyHosts from Debian, in the right way, that is, by filling in the white list before even installing the package.

Then, I propose the VPN solution, to reconnect if we were kicked out, to delete the IP address from hosts.deny and iptables also, because I was added 3 times in iptables, probably because I was then already in hosts.deny.

This is probably a problem in the DenyHosts version of Debian, in SID version, which is less advanced than the version on GitHub.

I have not yet tested if my method works, first creating a hosts.allow file but I will do it on a second server on which I will install DenyHosts.

I want you to tell me if my IP would be blacklisted, but, this is my public home IP, I don't think it will be blocked. Here's my GPG key if you could email me?
https://www.visionduweb.fr/pubkey.txt

Here is the tutorial in French that I wrote for the installation of DenyHosts 2.10 on Debian Buster: https://wiki.visionduweb.fr/index.php?title=Sommaire_S%C3%A9curit%C3%A9#Installer_le_paquet_DenyHosts

@ZerooCool
Contributor Author

ZerooCool commented May 7, 2020

If I enter hosts.allow with my IP address before installing DenyHosts, then I am not banned during a new test on my second server.

On the other hand, I think that it is nevertheless a serious problem to be taken into consideration.

Logically, if DenyHosts is installed, the person installing it should not be immediately ejected.

Logically, the person installing is an authorized administrator.

Logically, the installation takes place from a legitimate location, in any case legitimate at the time of the installation; therefore, it is not normal for the administrator to be ejected.

I have no opinion on the resolution, but, I wanted to share this experience which seemed to me not to be normal.

user@serveur:~$ sudo dpkg -i denyhosts_2.10-2_all.deb

Sélection du paquet denyhosts précédemment désélectionné.
Préparation du dépaquetage de denyhosts_2.10-2_all.deb ...
Dépaquetage de denyhosts (2.10-2) ...
Paramétrage de denyhosts (2.10-2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/denyhosts.service → /lib/systemd/system/denyhosts.service.
Traitement des actions différées (« triggers ») pour man-db (2.8.5-2) ...
Traitement des actions différées (« triggers ») pour systemd (241-7~deb10u3) ...

# Now, I can ls after the installation, I have control.

user@serveur:~$ ls
denyhosts_2.10-2_all.deb

@josev814
Member

josev814 commented May 8, 2020

I was just talking to my boss about this project, and he mentioned having the current IP whitelisted to prevent it from being locked out. Pretty much the issue you're having. I'll get this added to the roadmap, I'm just not sure why your IP is being blocked right off. Have you tried installing the GitHub version on your system? Any time I've been installing DenyHosts, I've just been using the GitHub version.

@josev814
Member

josev814 commented May 8, 2020

If you want to use a deb file to do your install, I built the rpm and deb packages and put them into the releases section. https://github.com/denyhosts/denyhosts/releases/tag/v3.1

@ZerooCool
Contributor Author

ZerooCool commented May 8, 2020

No, I used the version of Debian SID.

A colleague from Debian told me, the problem is between the chair and the keyboard, because you have to enter the IP address in the white list, then install DenyHosts.

I do not think it is normal to do so, or else the instructions for use should mention it more clearly.

Most of the tutorials I have read have not talked about this.
For my part, I consider that it is a problem, but, maybe not, it all depends on the cause of this problem and the initial will of the developers.

Me, as a new user, I find it cumbersome to then have to use a VPN to re-enter the system, to remove the file hosts.deny and to add to hosts.allow.

In addition, it was not enough, I had to redo it 3, maybe even 4 times, and also remove myself from iptables, which had added me several times (3 times). That done, I was supposed to be good, and I was blocked again. I had to start over again. After removing myself from blacklists and iptables, I restarted DenyHosts.

Now it looks good to me, I can log in normally, with the DenyHosts version of Debian SID.

The right way to install DenyHosts with the .deb from Debian SID:
https://wiki.visionduweb.fr/index.php?title=Sommaire_S%C3%A9curit%C3%A9#Installer_DenyHosts_depuis_le_paquet_.deb_de_la_version_SID_de_Debian

@ZerooCool
Contributor Author

@josev814
Member

josev814 commented May 8, 2020

I do agree that whitelisting the current IP should be part of the project.

I looked over your wiki. Should this section be updated to not use DenyHosts 2.10, since it's outdated?

https://wiki.visionduweb.fr/index.php?title=Sommaire_S%C3%A9curit%C3%A9#Installer_DenyHosts_depuis_le_paquet_.deb_de_la_version_SID_de_Debian

@ZerooCool
Contributor Author

ZerooCool commented May 8, 2020

Yes and no, because, we are talking about the Debian SID repository here, since in the stable Debian Buster repository, DenyHosts is not present.

The only reference to DenyHosts, from the Debian project, seems to refer to the SID version, which is effectively obsolete.

https://packages.debian.org/fr/sid/denyhosts

So I still presented the installation of DenyHosts using the Debian SID repository, to stick to the distribution.

In the next step, I propose to install DenyHosts from Github, and, I added the link to the repository of the .deb file that you proposed to me.

@josev814
Member

josev814 commented May 8, 2020

Can you test this code out on your box? It's working on my local machine to return the ipv4 address. I just want to verify it would work for you as well.

Also, I'm not finding your ip address in my banned list, so I'm not sure why Denyhosts 2.10 is banning you. I did see that there were a bunch of bugs according to Debian that needed to be resolved. So, I'll work on getting their bugs put into here, and then writing Unit Tests to resolve the bugs they had issues with.

I'm not sure I'll be able to get Denyhosts added though, since they feel it's competing with Fail2Ban.

from requests import get
ip = get('https://api.ipify.org').text
print(ip)

@ZerooCool
Contributor Author

ZerooCool commented May 8, 2020

from requests import get
from: trop d'arguments
user@server:~$ ip = get('https://api.ipify.org').text
-bash: erreur de syntaxe près du symbole inattendu « ( »
user@server:~$ print(ip)
-bash: erreur de syntaxe près du symbole inattendu « ip »

With shell bash

who | awk '{ print $5 }' | sed 's/^.\{1\}\(.*\).\{1\}$/\1/'
xx.xx.xxx.xx
myip=$(who | awk '{ print $5 }' | sed 's/^.\{1\}\(.*\).\{1\}$/\1/')
user@serveur:~$ echo $myip

Then, this IP needs to be added to hosts.allow

In my opinion, this should be done during the installation of Denyhosts, automatically, because, the administrator is normally performing its installation from a coherent place, in any case, coherent at the time of installation.
This will prevent him from immediately losing his connection to the server.

Is it more advisable to take the risk of firing the administrator of his server during the installation, or to ask him to check the hosts.allow file AFTER the installation?

Constraining the configuration of hosts.allow BEFORE installation does not seem to me to be the right approach.

@josev814
Member

josev814 commented May 9, 2020

I agree that it should be done during the setup. Part of the reason I sent you the code I did to help validate that it would pull your public IP.

I saw that you ran it in bash, but the code I sent should've been run in Python.

@ZerooCool
Contributor Author

ZerooCool commented May 9, 2020

python ip.py
Traceback (most recent call last):
  File "ip.py", line 1, in <module>
    from requests import get
ImportError: No module named requests

sudo apt-get install python-requests

python ip.py
xxx.xx.xxx.xxx

I think it's not good.
It's the server IP, it's not my public user IP, from my box.
I use a VPS, so my server is not at my home but in an OVH datacenter.

@ZerooCool
Contributor Author

ZerooCool commented May 9, 2020

import os
print os.getenv("SSH_CONNECTION")       #works
print os.environ.get("SSH_CONNECTION")  #works

#sudo python:
import os
print os.getenv("SSH_CONNECTION")       #not set
print os.environ.get("SSH_CONNECTION")  #not set

With sudo -E, this script works with sudo and I can see my IP from my box (public IP).
But with this script, I get 3 pieces of information: The_Good_IP A_Pid? The_Server_IP

print os.environ.get("SSH_CONNECTION").split()[0]

Returns the right IP (SSH client IP)

python ip.py # Works
sudo -E python ip.py # Works

sudo python ip.py # Does not work and prints:

Traceback (most recent call last):
  File "ip.py", line 12, in <module>
    print os.environ.get("SSH_CONNECTION").split()[0]
AttributeError: 'NoneType' object has no attribute 'split'
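
Added example (not part of the original comments, and not DenyHosts code): sshd sets SSH_CONNECTION to four fields, client IP, client port, server IP and server port. This Python 3 sketch validates the first field, returns None when plain sudo has stripped the variable instead of raising, and merges addresses into a one-per-line allow list like the /var/lib/denyhosts/allowed-hosts file shown later in this thread. The function names are hypothetical.

```python
import ipaddress
import os


def ssh_client_ip(environ=None):
    """Return the SSH client address from SSH_CONNECTION, or None.

    Expected layout: "<client ip> <client port> <server ip> <server port>".
    """
    environ = os.environ if environ is None else environ
    raw = environ.get("SSH_CONNECTION")
    if not raw:
        # Typical under plain `sudo`, which resets the environment;
        # `sudo -E` preserves the variable, as noted in the comment above.
        return None
    fields = raw.split()
    if len(fields) != 4:
        return None
    try:
        return str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return None


def merge_allowed_hosts(existing_text, candidates):
    """Return (new_text, added) for a one-address-per-line allow list.

    Entries that are not literal IP addresses are skipped, and addresses
    already present are not written twice.
    """
    present = {line.strip() for line in existing_text.splitlines() if line.strip()}
    added = []
    for cand in candidates:
        if not cand:
            continue  # e.g. ssh_client_ip() returned None
        try:
            ip = str(ipaddress.ip_address(cand.strip()))
        except ValueError:
            continue
        if ip not in present:
            present.add(ip)
            added.append(ip)
    new_text = existing_text
    if added:
        if new_text and not new_text.endswith("\n"):
            new_text += "\n"
        new_text += "\n".join(added) + "\n"
    return new_text, added


if __name__ == "__main__":
    ip = ssh_client_ip()
    if ip is None:
        print("SSH_CONNECTION is not set; enter the client IP by hand")
    else:
        # Constructed sample: an allow list that already holds one address.
        text, added = merge_allowed_hosts("198.51.100.20\n", [ip])
        print("would add:", added)
```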

@josev814
Member

Unfortunately that wouldn't work for everyone, since services such as AWS don't disclose the public IP on the box itself. They only display the private address space.

@ZerooCool
Contributor Author

Another solution would be to pause the installation, and ask the user to add himself to the whitelist before continuing?

@josev814
Member

That might be the better solution. Have the whitelist file created and prompt the user to add their ip to the file, and not allow the program to start until the file has one ip address in it.

@ZerooCool
Contributor Author

With Debian I discovered that the hosts.allow file exists by default. Optionally, offer input directly from the prompt, during installation.

@josev814
Member

@ZerooCool Can you give the branch bug_128 a whirl? I tested it out on my end, and it's populating the allowed_hosts file.

I load existing entries in the allowed_hosts file using the AllowedHosts class. Then I give the option to query 6 different sites to check what the public IP is. Then I ask for a comma-delimited list of IPs to add to the list. The returned IP(s) are then written to the allowed_hosts file, and it outputs which IP addresses are added to the allowed_hosts file.

This is working for me to automatically detect the public on my home computer along with on AWS and Rackspace boxes.

@josev814 josev814 added bug feature user_validation Waiting for the reporting user to confirm resolution labels May 13, 2020
@ZerooCool
Contributor Author

I'll look ASAP.

@josev814 josev814 mentioned this issue May 14, 2020
@ZerooCool
Contributor Author

With .deb 3.1.2-2 and Debian Buster, new VPS from LWS, for test:

sudo wget -c -O denyhosts_3.1.2-2_all.deb https://github.com/denyhosts/denyhosts/releases/download/v3.1/denyhosts_3.1.2-2_all.deb
sudo dpkg -i denyhosts_3.1.2-2_all.deb

sudo systemctl start denyhosts.service
Failed to start denyhosts.service: Unit denyhosts.service not found.

For the git clone from the branch bug_128, see issue #143

@josev814
Member

@ZerooCool this bug looks to be resolved. Can you verify and close it, if it is?

@ZerooCool
Contributor Author

ZerooCool commented May 23, 2020

I have tested bug_128 and this command:
pip install requirements.txt

But:
Could not install packages due to an EnvironmentError: 404 Client Error: Not Found for url: https://pypi.org/simple/requirements-txt/

Automatically adding my IP does not work for me.
I made a stream, but a bad stream. Next time, a good stream.

When I installed:
I said Y
And I added a second IP 123.123.123.123

0 IPs were added to hosts.allow

@josev814
Member

The requirements install should be pip install -r requirements.txt

@ZerooCool
Contributor Author

ZerooCool commented May 31, 2020

I updated the Debian documentation for this command.
I tested a new installation on a local Debian VM, not a VPS, for this new test.
OK for this command: pip install -r requirements.txt

https://pastebin.com/HyM3ivT3

But I get the same message if I want to enable:

sudo systemctl enable denyhosts
Synchronizing state of denyhosts.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable denyhosts
update-rc.d: error: denyhosts Default-Start contains no runlevels, aborting.

Another problem, on the master branch, I don't know why I encountered this problem.
Maybe because I installed on an existing DenyHosts which is not very smart.
In any case, I ended up with the Failed to start SSH log watcher error and DenyHosts does not start.

denyhosts.py[16301]: INFO:prefs:   SYNC_DOWNLOAD: [yes]
denyhosts.py[16301]: INFO:prefs:   SYNC_DOWNLOAD_RESILIENCY: [28800]
denyhosts.py[16301]: INFO:prefs:   SYNC_DOWNLOAD_THRESHOLD: [4]
denyhosts.py[16301]: INFO:prefs:   SYNC_INTERVAL: [3600]
denyhosts.py[16301]: INFO:prefs:   SYNC_SERVER: [http://xmlrpc.denyhosts.net:9911]
denyhosts.py[16301]: INFO:prefs:   SYNC_UPLOAD: [yes]
denyhosts.py[16301]: INFO:prefs:   SYSLOG_REPORT: [YES]
denyhosts.py[16301]: INFO:prefs:   WORK_DIR: [/var/lib/denyhosts]
denyhosts.py[16301]: Traceback (most recent call last):
denyhosts.py[16301]:   File "/usr/local/bin/denyhosts.py", line 174, in <module>
denyhosts.py[16301]:     if prefs.get('SYNC_SERVER') and (is_true(prefs.get('SYNC_VERSION')) or prefs.get('SYNC_VERSION') is None):
denyhosts.py[16301]:   File "/usr/share/denyhosts/DenyHosts/prefs.py", line 216, in get
denyhosts.py[16301]:     return self.__data[name]
denyhosts.py[16301]: KeyError: 'SYNC_VERSION'
systemd[1]: denyhosts.service: Control process exited, code=exited status=1
systemd[1]: Failed to start SSH log watcher.
systemd[1]: denyhosts.service: Unit entered failed state.
systemd[1]: denyhosts.service: Failed with result 'exit-code'.

Finally, you understood, here, I tried to install the master version, on a virtual machine.
Everything seems to have gone well, except for the very last step.
I'm going to start over, uninstalling denyhosts first. I did not realize that I had already installed it.

@ZerooCool
Contributor Author

OK, I have made a second test, with the master branch and my documentation.
Now all is good, except this message:

sudo systemctl enable denyhosts
Synchronizing state of denyhosts.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable denyhosts
update-rc.d: error: denyhosts Default-Start contains no runlevels, aborting.

Next, I'll test the same installation with bug_128

@ZerooCool
Contributor Author

New test for the branch bug_128 from a VM with VirtualBox

Ouch, it does not work!

Would you like us to attempt to detect your public ip? [Y|N] (default Y) y
Traceback (most recent call last):
  File "setup.py", line 98, in <module>
    public_ips = myip.get_remote_ip()
  File "/root/denyhosts/DenyHosts/my_ip.py", line 36, in get_remote_ip
    res = requests.get(remote_parse).text
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='ipchicken.com', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xb6a86a6c>: Failed to establish a new connection: [Errno -5] No address associated with hostname',))
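
Added example (not from the bug_128 branch): the traceback above shows one unreachable lookup service aborting setup.py, so this Python 3 sketch queries each service independently, records failures, and returns the addresses the remaining services agree on. It uses urllib from the standard library instead of requests; detect_public_ips, first_ipv4 and the fetch parameter are hypothetical names, and the two URLs are the ones named in this thread.

```python
import http.client
import ipaddress
import re
import urllib.request
from collections import Counter

# Both hosts appear in this thread; any other service list is an assumption.
SERVICES = ["https://api.ipify.org", "https://ipchicken.com"]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def http_fetch(url, timeout=5):
    """Fetch at most 64 KiB of a page as text, with a hard timeout."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(65536).decode("utf-8", "replace")


def first_ipv4(body):
    """Return the first syntactically valid IPv4 literal in body, or None."""
    for match in IPV4_RE.findall(body):
        try:
            return str(ipaddress.ip_address(match))
        except ValueError:
            continue  # looked like an address but is not one, e.g. 999.1.1.1
    return None


def detect_public_ips(services=SERVICES, fetch=http_fetch):
    """Query every service; one failure must not abort the others.

    Returns (ips, errors): ips ordered by how many services reported them,
    errors mapping each failed URL to the reason.
    """
    votes, errors = Counter(), {}
    for url in services:
        try:
            body = fetch(url)
        except (OSError, ValueError, http.client.HTTPException) as exc:
            # DNS failure, refused connection, timeout, TLS error, bad URL.
            errors[url] = "%s: %s" % (type(exc).__name__, exc)
            continue
        ip = first_ipv4(body)
        if ip is None:
            errors[url] = "no IPv4 address in response"
        else:
            votes[ip] += 1
    return [ip for ip, _ in votes.most_common()], errors


if __name__ == "__main__":
    ips, errors = detect_public_ips()
    for url, reason in errors.items():
        print("skipped %s (%s)" % (url, reason))
    if ips:
        print("detected:", ", ".join(ips))
    else:
        print("no service answered; enter the address to whitelist by hand")
```

The installer can then fall back to the manual prompt when the returned list is empty instead of exiting with a traceback.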

@ZerooCool
Contributor Author

Branch bug_128 - Resolved

Please read: adapt the information message for entering IP addresses.
Be more specific, to explain why this is important!

Would you like us to attempt to detect your public ip? [Y|N] (default Y) y
Add additional ip addresses here to whitelist (ex: 172.202.43.1,172.203.44.2): 123.123.123.123
Adding [u'31.207.38.105', '123.123.123.123'] to /var/lib/denyhosts/allowed-hosts

I have tested with the VPS server from LWS.
Now I can see the 2 IPs in the file: /var/lib/denyhosts/allowed-hosts

31.207.38.105
123.123.123.123

But the first IP, 31.207.38.105, is the server IP, so is it really necessary to add it?
In my case, it's not necessary!
The second step is more advantageous for me: I can add my public IP, from my internet box!
It is this IP which is / was blocked at the time of installation.

For my part, I have no need for the first step for IP, it is up to you to see if it is really necessary.
The second step is more important, it should be specified in the message, that it is ESSENTIAL to add your public IP address so as not to be thrown out by the DenyHosts system.

Perfect!
But why use allowed-hosts and not hosts.allow? It's the same, no?
What's the diff?

I did not use this method:

# First possibility :
# The daemon-control is added in the /etc/init.d folder :
cd /etc/init.d
sudo ln -s /usr/share/denyhosts/daemon-control denyhosts

I only used the second possibility, so I did not add the daemon in /etc/init.d
Now, the enable command works immediately!
denyhosts starts directly with start!
No error, no message! Perfect!

Branch bug_128 - Resolved

@josev814
Member

josev814 commented Jun 1, 2020

> But, the first IP 31.207.38.105 is the Server IP, then, is it really necessary to add it?
> In my case, it's not necessary!

I think it's fine to prevent the server from blocking itself out.
Also, those IPs are what is being returned by external services. I think it is necessary to include the IPs that external services are determining the IP of the box to be whitelisted.

@ZerooCool
Contributor Author

Ok, for me, the update can be done.
You just have to indicate clearly, in the message of the program which proposes to add one or more IP address, that it is possible that we are banned, because, the reason which seems probable and which had been mentioned, is that if there are traces in auth.log which concerns identification failures for our personal IP address, we will end up added to the black list.

If you can summarize this in good English, and include it when proposing to enter our additional IP address, we will better understand what is going on, and why the step is important.

It can also be explained that it is necessary to use the public IP address of the client, of the internet box, in the case of a connection to a remote server.

I think that if any good administrator can do it, mentioning it correctly is not a bad idea.

I'll let you close the issue when you've applied the fix.
Thank you for integrating my request, which will make life easier for new denyhosts users.
