On Tue, Jan 20, 2009 at 3:49 PM, Joshua Murphy <poiso...@gmail.com> wrote:
> On Tue, Jan 20, 2009 at 4:33 PM, Paul Hartman
> <paul.hartman+gen...@gmail.com> wrote:
>> Hi,
>>
>> After setting up public key authentication I changed my sshd back to
>> port 22 and got the expected bombardment of connection attempts.
>> However, it doesn't seem to ever stop them. I'm using sshd with this
>> setting:
>>
>> MaxAuthTries 3
>>
>> in my /etc/ssh/sshd_config
>>
>> So, why does it allow unlimited failed login attempts? For example, as
>> I write this I'm seeing this in my logs:
>>
> <snip>
>>
>> I'm using denyhosts but it seems that it doesn't deny anyone until an
>> hour has passed, despite the fact I'm using the daemon which
>> constantly monitors the log file... by which time hundreds or
>> thousands of attempts can be made. Maybe that's a configuration issue
>> on my denyhosts setup, but shouldn't sshd be blocking them in the
>> first place?
>>
>> Thanks,
>> Paul
>
> I'm pretty sure MaxAuthTries 3 does nothing more than disconnect you
> after 3 failed connections (meaning all you have to do is reconnect to
> keep trying)... it doesn't do any sort of 'intelligent' protection of
> the system. DenyHosts worked great for me while I used it, but I also
> found that a firewall rule limiting connection attempts to 3 per
> source IP per 10 minute period put a big dent in the number of tries
> that denyhosts ever even had to see (though they were always enough to
> get that source blacklisted, I had things set rather restrictive).
> Something I was pointed towards on IRC, in the event that the SSH
> server you're running is primarily for your use or the use of
> knowledgeable users (fellow admins)... look up Single Packet
> Authorization (SPA).
I'm using the online denyhosts synchronization database; I think that may negatively affect how often it blocks hosts locally, because it waits until it does a remote sync to scan the local file. This is my theory. I like the idea of sharing my blocks and taking advantage of the blocks of others, but if it renders the program ineffective against the IP /actively/ attacking my system, then it's pointless.

I'm going to turn off the online sharing of denyhosts and see if it makes a difference. Otherwise I guess I need to set up some kind of local firewall on this machine to get any finer control over the connections.

Thanks,
Paul
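The firewall rule Joshua describes (3 new connections per source IP per 10 minutes, independent of sshd's per-connection MaxAuthTries), as an added example that is not part of this thread: a POSIX shell script that emits iptables rules using the Linux netfilter `recent` match, which is assumed to be available. The function names, the SSH_RATELIMIT chain and the sshrl list name are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): per-source-IP rate limit on new
# SSH connections with iptables' "recent" match. Rules are printed first
# so they can be reviewed; "apply" pipes them into sh (needs root).

# Print the rules for PORT (default 22), allowing HITS (default 3) new
# connections per source address within WINDOW seconds (default 600).
ssh_ratelimit_rules() {
    port="${1:-22}"
    hits="${2:-3}"
    window="${3:-600}"
    # --set records the current packet before --update counts entries,
    # so the list already holds hits+1 entries on the first excess attempt.
    drop_after=$((hits + 1))
    cat <<EOF
iptables -N SSH_RATELIMIT
iptables -A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j SSH_RATELIMIT
iptables -A SSH_RATELIMIT -m recent --name sshrl --set
iptables -A SSH_RATELIMIT -m recent --name sshrl --update --seconds ${window} --hitcount ${drop_after} -j DROP
iptables -A SSH_RATELIMIT -j ACCEPT
EOF
}

# Apply the generated rules; --update refreshes the entry's timestamp on
# every dropped attempt, so a source that keeps retrying stays blocked
# until it has been quiet for a full window.
ssh_ratelimit_apply() {
    ssh_ratelimit_rules "$@" | sh
}

case "${1:-}" in
    show)  shift; ssh_ratelimit_rules "$@" ;;
    apply) shift; ssh_ratelimit_apply "$@" ;;
esac
```

Established connections are untouched because only NEW conntrack state is diverted into the chain, and the default `recent` list holds 100 addresses, which is worth raising (the module's ip_list_tot parameter) on a host that sees many distinct sources.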