I think I have figured this out. It was something very very basic.
The server in question did not have logrotate installed, and the server
is about 18 months old. So logwatch apparently goes by Month/Day only,
and was reporting brute force attacks from the prior year. That's how I
could get 4940 attacks from an entry that was already in hosts.deny.
Kenneth Downs wrote:
I hope that I am missing something very basic. I installed denyhosts
a couple of weeks ago on a gentoo host. I like its short-and-sweet
approach to getting the job done. Here is the problem in short: there
is an IP # that is already in /etc/hosts.deny, but yesterday this IP
made 4940 attempts to log in to my box. Here are a few lines of
logwatch. Also, denyhosts did not "notice" this or do anything about it.
65.208.188.105: 4940 times
root/password: 85 times
robert/password: 60 times
This suggests that sshd is not paying attention to /etc/hosts.deny?
But when I installed it, I tested it like so. With an ssh connection
open (this is a remote machine, I have no physical access), I put my
own address into /etc/hosts.deny and attempted another ssh connection,
which failed. I then put my own IP into hosts.allow and removed it from
hosts.deny, and now I can go back in.
Any ideas? TIA...
_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
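
The effect described in the reply at the top of this thread (an un-rotated log spanning more than a year, read by Month/Day only) can be reproduced with a short script. This is an added example, not code from the original post, logwatch or DenyHosts; the log lines are constructed, the addresses are documentation ranges, and the function names `with_years` and `failures` are hypothetical. It assumes the lines are in chronological order and that no gap in the log is longer than a year.

```python
import re
from collections import Counter

# Constructed sample: an un-rotated sshd log covering two calendar years.
# Traditional syslog timestamps carry no year, so both "Mar 14" days look alike.
SAMPLE_LOG = """\
Mar 14 02:10:01 host sshd[811]: Failed password for root from 203.0.113.5 port 4100 ssh2
Mar 14 02:10:03 host sshd[812]: Failed password for root from 203.0.113.5 port 4101 ssh2
Mar 14 02:10:05 host sshd[813]: Failed password for invalid user robert from 203.0.113.5 port 4102 ssh2
Nov 02 11:00:00 host sshd[900]: Accepted publickey for admin from 198.51.100.7 port 5000 ssh2
Jan 09 08:00:00 host sshd[950]: Accepted publickey for admin from 198.51.100.7 port 5001 ssh2
Mar 14 09:30:00 host sshd[990]: Failed password for root from 192.0.2.44 port 6000 ssh2
"""

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
TS_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d)")
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)")

def with_years(lines, last_year):
    """Assign a year to each line by walking back from the newest entry.
    last_year is the year of the final line (e.g. taken from the file's mtime)."""
    year, newer, out = last_year, None, []
    for line in reversed(lines):
        m = TS_RE.match(line)
        if not m:
            continue
        key = (MONTHS[m.group(1)], int(m.group(2)), m.group(3))
        if newer is not None and key > newer:
            year -= 1  # an older line with a later month/day: we crossed a New Year
        newer = key
        out.append((year, key[0], key[1], line))
    return out[::-1]

def failures(lines, last_year, month, day, year=None):
    """Count failed sshd logins per source IP on month/day.
    year=None matches on Month/Day only; passing a year restricts to that year."""
    counts = Counter()
    for y, mo, d, line in with_years(lines, last_year):
        f = FAIL_RE.search(line)
        if f and (mo, d) == (month, day) and year in (None, y):
            counts[f.group(1)] += 1
    return counts

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("Month/Day only:", dict(failures(lines, 2006, 3, 14)))
    print("Year-aware:    ", dict(failures(lines, 2006, 3, 14, year=2006)))
```

The Month/Day-only count includes the prior year's attempts from 203.0.113.5, while the year-aware count for the same day shows only the current entry.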