How to un-deny a host blocked by denyhosts
We had a little crisis Friday when our server suddenly stopped accepting ssh connections.
The problem turned out to be denyhosts, a program that looks for things like failed login attempts and blacklists IP addresses.
But why was our own IP blacklisted? It was apparently because I'd been experimenting with a program called mailsync, which used to be a useful program for synchronizing IMAP folders with local mail folders. But at least on Debian, it has broken in a fairly serious way, so that it makes three or four tries with the wrong password before it actually uses the right one that you've configured in .mailsync. These failed logins are a good way to get yourself blacklisted, and there doesn't seem to be any way to fix mailsync or the c-client library it uses under the covers.
Okay, so first, stop using mailsync. But then how to get our IP off the server's blacklist? Just editing /etc/hosts.deny didn't do it -- the IP reappeared there a few minutes later.
A web search found lots of solutions -- you have to edit a long list of files, but no two articles had the same file list. It appears that it's safest to remove the IP from every file in /var/lib/denyhosts.
So here are the step by step instructions.
First, shut off the denyhosts service:
service denyhosts stop
Go to /var/lib/denyhosts/ and grep for any file that includes your IP:
grep aa.bb.cc.dd *
(If you aren't sure what your IP is as far as the outside world is concerned, Googling what's my IP will helpfully tell you, as well as giving you a list of other sites that will also tell you.)
Then edit each of these files in turn, removing your IP from them (it will probably be at the end of the file).
When you're done with that, you have one more file to edit: remove your IP from the end of /etc/hosts.deny
You may also want to add your IP to /etc/hosts.allow, but it may not make much difference, and if you're on a dynamic IP it might be a bad idea since that IP will eventually be used by someone else.
Finally, you're ready to re-start denyhosts:
service denyhosts start
Whew, un-blocked. And stay away from mailsync. I wish I knew of a program that actually worked to keep IMAP and mbox mailboxes in sync.
[ 12:59 Jun 26, 2016 More linux | permalink to this entry | ]
![[RSS feed]](https://shallowsky.com/images/logos/rssicon-25x25.png){kind=small}
![[Twitter]](https://shallowsky.com/images/logos/twitter-bird-white-on-blue-25x25.png){kind=small}
![[envelope]](https://shallowsky.com/images/logos/envelope-25x25.png){kind=small}