sshd connection problems with superhosts.deny & hosts

[georgengelmann]

I tried the superhosts.deny and the hosts file on a Debian 10 Server.
Now I have locked myself out. I tried different ssh clients & VPN to check, but the server is causing the connection problem.

Linux ssh error: "read: connection reset by peer"
Putty / Kitty error: "Software caused connection abort"

[spirillen]

Hey @georgengelmann have you checked that your own IP address isn't in the list??

It could be related to this issue #580 (comment) by @ZerooCool

Alternatively if you dare you can sent me the login info to the server over keybase.io and I can see if I can help you, the case is the error responses you get easily can be a unstable connection, rather than a actual server issue.

A tremendous huge deny.hosts file isn't usual a problem on *nix systems

[georgengelmann]

have you checked that your own IP address isn't in the list??

Yes and I tried connecting via VPN

[spirillen]

That one could easily be in the list as well 😏 as many VPN's are listed there, as the criminals abuses them.

Do you have a friend or someone else in your neighborhood you could give a quick visit to lent there internet to try to connect from there?

It is a hunch, but I feel it is in your IP you should seek the problem

[georgengelmann]

I searched for my IP in the hosts.deny file and the IP file and it's not there.

I can connect to other ssh servers from here.

I also tried to connect to my server from another server.

[spirillen]

OK that's bad then 😒 is it a VPS server with a little number of vRam and vCPU? if, try to rise the values of those as a list of this size would require at least >2GB Ram and >2 vCPU otherwise the timeout would uccure because it can cashed the list and it is taking to long to scout true the list for every connection attempt.

[georgengelmann]

Technically, Linux can handle the hosts file, but the superhosts.deny is a problem for SSH (I could login via an admin panel)

sudo rm -rf /etc/hosts.deny => sshd connection works again

The affected system has 110GB RAM and 24 CPU cores.

[spirillen]

That's one big moth..... But something else that stroked me....

Why on earth isn't you using NFTABLES on a d.10 box?

NfTables can handle both IPv4/IPv6 AND domain names!!! The trick is to read the data in as array to keep it fast, not as in IPTables as one record = one rule

But the best tool you can chose to that box is defiantly powerdns.com recursor https://www.powerdns.com/recursor.html and then use the RPZ zones https://www.mypdns.org/w/rpzlist/ There is also a converted edition of the UHB list on GL https://gitlab.com/my-privacy-dns/external-sources/hosts-sources/-/tree/master/data/mitchellkrogza

Welcome to PowerDNS

⚡ RPZ List

GitLab

data/mitchellkrogza · master · My Privacy DNS Firewall / External Sources / hosts sources

Script to keep lists of external hosts sources up to date in a raw `domain.tld` format for easier manipulating date from external sources

[georgengelmann]

Is it easy to configure? Download + add RPZ file?

[spirillen]

Depends... how well do you understand the concept of the DNS hierarchic?

But yes, it's easy and rather self maintained 😄

If you chooses to go for the pdns-recursor, then you'll find a lot of help on there IRC channel almost from the install level.
(For my opinion the pdns recursor is by far the best, as it is build to manipulate queries by lua scripting)

For getting the idea of how the records is written you can look at this cheat-sheet I made. https://mypdns.org/mypdns/support/-/wikis/RPZ-record-types

This is my /etc/powerdns/recursor.lua

-- Load DNSSEC root keys from dns-root-data package.
-- Note: If you provide your own Lua configuration file, consider
-- running rootkeys.lua too.
dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")

rpzMaster(
        {"95.216.166.138", "195.201.225.97"},
        "rpz.urlhaus.abuse.ch",
        {refresh="360", axfrTimeout="600", 
        zoneSizeHint="900",
        dumpFile="/var/lib/pdns-recursor/urlhaus",
        seedFile="/var/lib/pdns-recursor/urlhaus"}
)

rpzMaster(
        {"[2a01:4f9:c010:2166::53]:53","[2a01:4f8:1c1c:abe4::53]:53"},
        "whitelist.mypdns.cloud",
        {refresh="600", axfrTimeout="600"}
)

rpzMaster(
        {"[2a01:4f9:c010:2166::53]:53",
        "[2a01:4f8:1c1c:abe4::53]:53"
        },
        "rpz.mypdns.cloud",
        {refresh="120",
        axfrTimeout="600",
        zoneSizeHint="650000"}
)

rpzMaster(
        {"[2a01:4f9:c010:2166::53]:53",
        "[2a01:4f8:1c1c:abe4::53]:53"
        },
        "adware.mypdns.cloud",
        {refresh="120",
        axfrTimeout="600",
        zoneSizeHint="650000"}
)

rpzMaster(
        {"[2a01:4f9:c010:2166::53]:53","[2a01:4f8:1c1c:abe4::53]:53"},
        "typosquatting.mypdns.cloud",
        {refresh="600", axfrTimeout="600"}
)

rpzMaster(
        {"[2a01:4f9:c010:2166::53]:53","[2a01:4f8:1c1c:abe4::53]:53"},
        "drop.ip.dtq",
        {refresh="120"}
)

rpzMaster(
        {"95.216.166.138:5353", "195.201.225.97:5353"},
        "pirated.mypdns.cloud",
        {refresh="120"}
)

You find a somewhat good documentation at https://docs.powerdns.com/

For installation you should go with the PDNS Repo https://repo.powerdns.com/#debian

And when you are ready to switch, kill the forkedup (týes spelling issue here 👿 ) systemd-resolv daemon as it is using the default port 53

And the last advice I can think of up-front: DO MAKE A LOCAL WHITELIST.....

⚡ RPZ records

PowerDNS Documentation

PowerDNS repositories

[spirillen]

Hi @georgengelmann How did it go with this question? Did you convert to a local resolver or did you stick to the host.deny file?

[amastelek]

Yes, I was also locked out using the deny list. I'm using fail2ban which seems to do a good job and you can create permanent jails.

[funilrys]

Is this still an issue? I can't reproduce this on my network components... 😞

[spirillen]

Is this still an issue? I can't reproduce this on my network components... disappointed

Have you tested on a slow 5400 rpm spinel disk.... disk I/O is in play on both hosts and deny/allow?