No, you shouldn't need to restart any service that is compiled to use wrappers if you make a wrapper change. I only told him to restart because I thought either --- vsftpd didn't have the tcp_wrappers=yes in the conf when it was started and the option needed to be picked up. --- the user trying to log into his box was actually logged in and had a established connection --- I though it could have been a possibility that the user trying to log into his box was pounding him with enough login attempts that he basically had a open established connection and needed to be disconnected so he can't reconnect. Nick Baronian <div>On 3/29/06, x6d696168 . <<a href="mailto:x6d696168@gmail.com">x6d696168@gmail.com</a>> wrote:<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div style="direction: ltr;">You need to restart vsftpd? This is why iptables is better =) I can only imagine a really busy ftpd getting restarted, booting users, because hosts.deny was updated.. then again really busy ftp sites are probably not using tcpwrappers for security ;) -miah</div><div style="direction: ltr;"> <div>On 3/29/06, Bill Watson <<a href="mailto:bill@magicdigits.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> bill@magicdigits.com</a>> wrote:<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> To all who helped me, thank you!!! This denyhosts offering is interesting, but I have already restricted my ssh to about 4 IP addresses. The tool doesn't focus elsewhere. The magic appears to be the unsuspected need to restart vsftpd to get the new hosts.deny values. Bill Watson <a href="mailto:bill@magicdigits.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">bill@magicdigits.com</a> -----Original Message----- From: <a href="mailto:rhn-users-bounces@redhat.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">rhn-users-bounces@redhat.com </a> [mailto:<a href="mailto:rhn-users-bounces@redhat.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">rhn-users-bounces@redhat.com</a>] On Behalf Of simon elliston ball Sent: Wednesday, March 29, 2006 12:54 AM To: Red Hat Network Users List Subject: Re: [rhn-users] I need help with hosts.deny - doesn't work as Iexpected On the subject of deny.hosts and persistent automated hacking, we've found <a href="http://denyhosts.sourceforge.net/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> http://denyhosts.sourceforge.net/</a> very useful. It automates entries in hosts.deny by parsing logs to detect dictionary attacks on ssh etc. simon On Tue, 2006-03-28 at 10:52 -0800, Bill Watson wrote: > I have /etc/hosts.allow that has no entries. I have /etc/hosts.deny > that > has: > > ALL: <a href="http://219.106.229.178" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">219.106.229.178</a> > ALL: <a href="http://72.129.200.46" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> 72.129.200.46</a> > ALL: 200.38. > ALL: 64.182. > > >From my readings, I should not be getting any messages from > >200.38.x.x, yet > my /var/log/messages shows: > Mar 28 10:50:36 helmethouse vsftpd(pam_unix)[23790]: check pass; user > unknown Mar 28 10:50:36 helmethouse vsftpd(pam_unix)[23790]: > authentication failure; log > name= uid=0 euid=0 tty= ruser= rhost=<a href="http://200.38.16.6" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">200.38.16.6</a> > Mar 28 10:50:40 helmethouse vsftpd(pam_unix)[23790]: check pass; user > unknown > Mar 28 10:50:40 helmethouse vsftpd(pam_unix)[23790]: authentication failure; > log > name= uid=0 euid=0 tty= ruser= rhost=<a href="http://200.38.16.6" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">200.38.16.6</a> > > And keeps going with a new entry every few seconds. > > Is /etc/hosts.deny properly set up? > Is /etc/hosts.deny immediately active or must some service be > restarted to make it go? Does vsftpd bypass /etc/hosts.deny? > > Thanks! > Bill Watson > <a href="mailto:bill@magicdigits.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> bill@magicdigits.com</a> > > > _______________________________________________ > rhn-users mailing list > <a href="mailto:rhn-users@redhat.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> rhn-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/rhn-users" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> https://www.redhat.com/mailman/listinfo/rhn-users</a> _______________________________________________ rhn-users mailing list <a href="mailto:rhn-users@redhat.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> rhn-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/rhn-users" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> https://www.redhat.com/mailman/listinfo/rhn-users</a> _______________________________________________ rhn-users mailing list <a href="mailto:rhn-users@redhat.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> rhn-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/rhn-users" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> https://www.redhat.com/mailman/listinfo/rhn-users</a> </blockquote></div> </div> _______________________________________________ rhn-users mailing list <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:rhn-users@redhat.com">rhn-users@redhat.com</a> <a onclick="return top.js.OpenExtLink(window,event,this)" href="https://www.redhat.com/mailman/listinfo/rhn-users" target="_blank"> https://www.redhat.com/mailman/listinfo/rhn-users</a> </blockquote></div>