Secrets of SSH Login Denial

25 08 2008

Today I made the mistake of trying to ssh into my remote server as root.  We’ve set the server up to reject direct logins as root, as a security precaution.  Not a big deal, right?  I’ll just ssh in as myself and use sudo to get root privileges.

Nuh-uh.  The problem is that my server runs a nifty daemon called “denyhosts” that scans my auth.log file for IPs that have been denied access once, and thereafter blocks them completely by adding the IP to /etc/hosts.deniedssh.  Not a problem, I thought, I’ll just log in indirectly, through a different remote machine, clear all records of that IP from auth.log and from /etc/hosts.deniedssh.

Nuh-uh.  That worked for about a minute, and then my real IP was blocked again.  Google searches were unproductive, and I had the sad feeling that I had been through this experience with denyhosts once before, and failed.  At least this time around it didn’t take hours before I discovered the existence of the helpful daemon that was denying me access.

Then, somehow, I stumbled onto this posting that reveals denyhosts has its own cache (/usr/local/share/denyhosts/data on my system).  I stopped the daemon, cleared all the lines containing the IP in question (in the file /usr/local/share/denyhosts/data/offset I actually cleared the line below my IP as well; it just contained an integer that appeared to be paired with the line above it), and restarted the daemon.  Then I also removed the IP from /etc/hosts.deniedssh.  Presto, it worked!

Why was this information so hard to find?  I don’t know, but I hope this posting will help.
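
The cleanup described above, as an added shell example that is not the author's or the DenyHosts project's code: it removes one IPv4 address from every file in the DenyHosts data directory and from the deny file, matching the address as a whole token so that neighbouring addresses are left alone. The function names are hypothetical, and dropping the line after a match in `offset` follows this post's description of that file; pass the post's paths (/usr/local/share/denyhosts/data and /etc/hosts.deniedssh) as arguments.

```sh
#!/bin/sh
# Added example (not from the post). Stop DenyHosts before calling
# unblock_ip and restart it afterwards, as the post describes.

# strip_ip IP FILE PAIR: rewrite FILE without the lines that mention IP.
# PAIR=1 also drops the line right after each match (the post's "offset" case).
strip_ip() {
    tmp=$(mktemp) || return 1
    awk -v ip="$1" -v pair="$3" '
        # True only when ip appears as a whole address, so that
        # 10.0.0.1 does not also match 10.0.0.10 or 110.0.0.1.
        function hit(s,    p, i) {
            s = " " s " "; p = 2
            while ((i = index(substr(s, p), ip)) > 0) {
                p += i - 1
                if (substr(s, p - 1, 1) !~ /[0-9.]/ &&
                    substr(s, p + length(ip), 1) !~ /[0-9.]/) return 1
                p++
            }
            return 0
        }
        skip    { skip = 0; next }
        hit($0) { if (pair) skip = 1; next }
                { print }
    ' "$2" > "$tmp" && cat "$tmp" > "$2"   # cat keeps owner and mode of FILE
    rc=$?; rm -f "$tmp"; return $rc
}

# unblock_ip IP DATA_DIR DENY_FILE
unblock_ip() {
    case $1 in ''|*[!0-9.]*) echo "not an IPv4 address: $1" >&2; return 2 ;; esac
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        pair=0; [ "${f##*/}" = offset ] && pair=1
        strip_ip "$1" "$f" "$pair" || return 1
    done
    strip_ip "$1" "$3" 0
}
```

Run it as root with the daemon stopped, for example `unblock_ip 10.0.0.1 /usr/local/share/denyhosts/data /etc/hosts.deniedssh`, where 10.0.0.1 stands in for the blocked address.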