
On Wed, 1 Jul 2015 12:41:10 PM Jobst Schmalenbach wrote:
> Now the thing is that "hosts.deny" sits before I can see the traffic with tcpdump/ngrep/iptraf, so this makes it a little harder to debug.
No, you should still see the initial 3 way handshake (SYN, SYN+ACK, ACK) as that's required to set up the connection that tcp_wrappers is reacting to.

Worth capturing traffic with:

    tshark -w /root/bad-ssh.pcap -i any host 43.255.189.72

The "any" interface is a pseudo interface that will capture traffic coming in on any interface, just in case it's arriving over an unexpected one (a tunnel for instance).

Then once you've seen a couple of those deny messages ^C it and read it back with:

    tshark -r /root/bad-ssh.pcap
> - external firewall blocks the entire network of 43.0.0.0/24
Was that meant to be 43.0.0.0/8 instead? It won't match the IP in question otherwise (though I realise that you have other rules that should be blocking the traffic in question).

Good luck!
Chris

-- 
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC
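Added example, not code from Chris's reply or from the thread: a small Python script that builds a constructed pcap in the Linux "cooked" link type (SLL, which is what `tshark -i any` writes), checks whether the SYN, SYN+ACK and final ACK between the remote host and the SSH server are all present, and applies the CIDR check behind the /24 versus /8 question. The server address 192.0.2.10, client port 40000 and the timestamps are assumed values.

```python
import socket
import struct
from ipaddress import ip_address, ip_network
DLT_LINUX_SLL, SYN, ACK = 113, 0x02, 0x10  # SLL link type ('any' interface); TCP flag bits

def tcp_frame(src, dst, sport, dport, flags):
    """Constructed SLL + IPv4 + TCP frame (checksums left zero; parsing ignores them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    sll = struct.pack("!HHH8sH", 0, 1, 6, bytes(8), 0x0800)  # 0x0800 = IPv4 payload
    return sll + ip + tcp

def build_pcap(frames):
    """Little-endian pcap (magic 0xa1b2c3d4) with Linux SLL link type, one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_LINUX_SLL)
    for i, f in enumerate(frames):  # assumed timestamps, one second apart
        out += struct.pack("<IIII", 1435710070 + i, 0, len(f), len(f)) + f
    return out

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, flags) for every IPv4/TCP record in the pcap."""
    hdr = struct.unpack("<IHHiIII", pcap[:24])
    if hdr[0] != 0xA1B2C3D4 or hdr[6] != DLT_LINUX_SLL:
        raise ValueError("expected a little-endian pcap with Linux SLL link type")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        ip = frame[16:]                   # 16-byte SLL header precedes the IP packet
        if struct.unpack("!H", frame[14:16])[0] != 0x0800 or ip[9] != 6:
            continue                      # skip anything that is not IPv4/TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]     # IHL gives the IP header length in 32-bit words
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
        yield (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]),
               dport, off_flags & 0x1FF)  # flags live in the low 9 bits

def handshake_seen(pcap, client, server, port=22):
    """True only if SYN, SYN+ACK and an ACK between client and server all appear."""
    seen = set()
    for src, sport, dst, dport, flags in tcp_segments(pcap):
        sa = flags & (SYN | ACK)
        if (src, dst, dport) == (client, server, port) and sa in (SYN, ACK):
            seen.add("SYN" if sa == SYN else "ACK")
        elif (src, dst, sport) == (server, client, port) and sa == SYN | ACK:
            seen.add("SYN+ACK")
    return seen == {"SYN", "SYN+ACK", "ACK"}

def rule_covers(cidr, addr):
    return ip_address(addr) in ip_network(cidr)  # 43.0.0.0/24 does not cover 43.255.189.72
```

To run it against the real capture, read `/root/bad-ssh.pcap` into `handshake_seen()` with the denied host as `client` and your server's address as `server`; a missing SYN+ACK means the packets never reached the listener, a complete handshake means tcp_wrappers is closing an already-established connection.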