Hello Jonathan,

Michael is correct. DenyHosts depends on the log message to determine if a user is valid or not. For instance:

... sshd[4513]: Failed password for invalid user cross from 200.35.167.66 port 50408 ssh2

In the above example "cross" is invalid based on the message context.

Regards,

Phil

On Tue, 11 Apr 2006, Michael Weber wrote:

Good morning Jon.

Jonathan C. Detert <[EMAIL PROTECTED]> 04/11 8:43 AM >>>
I haven't used or installed denyhosts yet.  I'd like to, but I need to
know how the software determines that a given failed login attempt
failed due to being for an 'invalid user'.  Somewhere on the website,
either the faq or the home page, mention is made
that the determination is made based on a lookup in /etc/passwd.  I hope
that's only part of the story.  I have boxen using nss_ldap and pam_ldap,
so the end users who are logging in are not actually in /etc/passwd.  I
need to be sure that denyHosts isn't going to consider all failed login
attempts to be made by invalid-users.

So, does denyHosts honor nsswitch.conf?

Denyhosts looks at the log files for failed login attempts, either 
/var/log/messages or /var/log/secure, depending on your system.

It doesn't grab the login stream and compare it against /etc/passwd, or 
anything else.

That being the case, as long as the error strings show up in a log file 
somewhere, Denyhosts can see it and act upon it.

I'm dinging 1-2 attacks an hour right now, and I'm pretty happy with it.

-Michael







_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user


--
Regards,

Phil Schwartz - http://www.phil-schwartz.com

Open Source Projects:
- DenyHosts: http://www.denyhosts.net
- Kodos: http://kodos.sourceforge.net
- ReleaseForge: http://releaseforge.sourceforge.net
- Scratchy: http://scratchy.sourceforge.net
- FAQtor: http://faqtor.sourceforge.net
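
The log-driven classification described in this thread, as an added example (not DenyHosts' own code and not part of the original messages): the valid/invalid verdict is read from sshd's message text alone, and /etc/passwd is never consulted. The function names, the thresholds and every sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Message shape quoted in the thread. The tail is anchored to end of line,
# so the host is always taken from the final field sshd writes.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.+) from (?P<host>\S+) port \d+ ssh2$"
)

# Constructed sample lines (documentation addresses, made-up user names).
SAMPLE_LOG = """\
Apr 11 08:01:02 box sshd[4513]: Failed password for invalid user cross from 203.0.113.7 port 50408 ssh2
Apr 11 08:01:05 box sshd[4514]: Failed password for invalid user admin from 203.0.113.7 port 50411 ssh2
Apr 11 08:02:10 box sshd[4520]: Failed password for jdetert from 198.51.100.20 port 40112 ssh2
Apr 11 08:02:30 box sshd[4521]: Accepted password for jdetert from 198.51.100.20 port 40115 ssh2
"""

def classify(line):
    """Return (host, user, is_invalid) for a failed-password line, else None."""
    m = FAILED.search(line.rstrip())
    if not m:
        return None
    # "invalid" is whatever sshd decided when it wrote the line; this code
    # performs no account lookup of its own.
    return m.group("host"), m.group("user"), m.group("invalid") is not None

def tally(lines, invalid_limit=2, valid_limit=5):
    """Count failures per host, split by sshd's verdict, and list the hosts
    at or over either limit. Both limits are assumed values."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0})
    for line in lines:
        hit = classify(line)
        if hit:
            host, _user, is_invalid = hit
            counts[host]["invalid" if is_invalid else "valid"] += 1
    flagged = sorted(
        host for host, c in counts.items()
        if c["invalid"] >= invalid_limit or c["valid"] >= valid_limit
    )
    return dict(counts), flagged

if __name__ == "__main__":
    per_host, flagged = tally(SAMPLE_LOG.splitlines())
    for host, c in sorted(per_host.items()):
        print(host, c)
    print("over limit:", flagged)
```

A mistyped password for an account that sshd logs without the "invalid user" marker is counted against the higher limit, whichever account store the system uses.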


