In addition to Whit's comments... depending on your DAEMON_SLEEP setting, your log can be monitored more frequently. Remember, DH sleeps most of the time; when it awakes after each DAEMON_SLEEP (default: 30 seconds), it will check to see if your SECURE_LOG file has changed in size. If it hasn't changed, DH goes back to sleep. If there is a change, DH then parses the log from the last offset.

So, if a hacker is attempting access to your system at 12:00:00 and DH went to sleep at 11:59:59, then by default DH won't detect the attempts until 12:00:29... that is, the attacker has a 29-second window to gain access. If you lower your DAEMON_SLEEP to, say, 5 seconds, that would limit the attack window considerably.

Regards,

Phil

On Sat, 21 Jul 2007, Whit Blauvelt wrote:

> Look how close all those tries were. DenyHosts caught it after 8 seconds. If
> they're coming in that fast, it can take long enough to block it that a few
> come in past your threshold.
>
> If it's a real concern, you may have an option to limit the speed of new
> connections from a single remote IP at your firewall (there are a couple of
> ways to do that with netfilter/iptables). You could slow the attempts down
> to a speed where catching them right at your DenyHosts threshold would be a
> sure thing.
>
> Whit
>
> On Sat, Jul 21, 2007 at 03:11:44PM -0400, boricua wrote:
>> these are my settings
>>
>> DENY_THRESHOLD_INVALID = 2
>> DENY_THRESHOLD_VALID = 4
>> DENY_THRESHOLD_ROOT = 1
>> DENY_THRESHOLD_RESTRICTED = 1
>>
>> yet denyhost allowed 10 attempts before blocking ?
>> at the most it should have blocked it after 4 tries?
>>
>> Jul 21 14:30:21 pepino sshd[1559]: Invalid user test from 141.28.131.133
>> Jul 21 14:30:21 pepino sshd[1559]: Failed password for invalid user test
>> from 141.28.131.133 port 1573 ssh2
>> Jul 21 14:30:22 pepino sshd[1561]: Invalid user guest from 141.28.131.133
>> Jul 21 14:30:22 pepino sshd[1561]: Failed password for invalid user guest
>> from 141.28.131.133 port 1643 ssh2
>> Jul 21 14:30:23 pepino sshd[1563]: Invalid user admin from 141.28.131.133
>> Jul 21 14:30:23 pepino sshd[1563]: Failed password for invalid user admin
>> from 141.28.131.133 port 1703 ssh2
>> Jul 21 14:30:24 pepino sshd[1565]: Invalid user admin from 141.28.131.133
>> Jul 21 14:30:24 pepino sshd[1565]: Failed password for invalid user admin
>> from 141.28.131.133 port 1758 ssh2
>> Jul 21 14:30:25 pepino sshd[1567]: Invalid user user from 141.28.131.133
>> Jul 21 14:30:25 pepino sshd[1567]: Failed password for invalid user user
>> from 141.28.131.133 port 1804 ssh2
>> Jul 21 14:30:26 pepino sshd[1569]: User root from 141.28.131.133 not allowed
>> because not listed in AllowUsers
>> Jul 21 14:30:26 pepino sshd[1569]: Failed password for invalid user root
>> from 141.28.131.133 port 1853 ssh2
>> Jul 21 14:30:27 pepino sshd[1571]: User root from 141.28.131.133 not allowed
>> because not listed in AllowUsers
>> Jul 21 14:30:27 pepino sshd[1571]: Failed password for invalid user root
>> from 141.28.131.133 port 1892 ssh2
>> Jul 21 14:30:28 pepino sshd[1573]: User root from 141.28.131.133 not allowed
>> because not listed in AllowUsers
>> Jul 21 14:30:28 pepino sshd[1573]: Failed password for invalid user root
>> from 141.28.131.133 port 1925 ssh2
>> Jul 21 14:30:29 pepino sshd[1575]: Invalid user test from 141.28.131.133
>> Jul 21 14:30:29 pepino sshd[1575]: Failed password for invalid user test
>> from 141.28.131.133 port 1957 ssh2
>> Jul 21 14:30:44 pepino denyhosts: Added the following hosts to
>> /etc/hosts.deny - 141.28.131.133 (unknown)
_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
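The polling behaviour discussed in this thread, as a simplified model added here (it is not part of the original messages and is not DenyHosts code): it replays a burst of failed logins against a daemon that wakes every DAEMON_SLEEP seconds and counts how many attempts are already logged when the threshold is first seen to be exceeded. The log lines are constructed (host `examplehost`, address 203.0.113.7), the year 2007 is supplied for parsing, and "block once the count exceeds the threshold" is an assumption about the threshold semantics.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log quoted in this thread: nine failed
# logins one second apart. Hostname and IP address are placeholders.
USERS = ["test", "guest", "admin", "admin", "user", "root", "root", "root", "test"]
SAMPLE_LOG = [
    f"Jul 21 14:30:{21 + i:02d} examplehost sshd[{1559 + 2 * i}]: "
    f"Failed password for invalid user {u} from 203.0.113.7 port {1573 + i} ssh2"
    for i, u in enumerate(USERS)
]
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\S+) port")

def parse(lines):
    """Return [(timestamp, ip)] for each failed-password line."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:  # syslog omits the year; 2007 is assumed here
            ts = datetime.strptime("2007 " + m.group(1), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def attempts_before_block(events, daemon_sleep, threshold, first_wake):
    """Failures already logged when a wake-up first sees count > threshold."""
    step = timedelta(seconds=daemon_sleep)
    wake, offset, counts = first_wake, 0, {}
    while wake <= events[-1][0] + step:
        # On wake-up, consume only what was appended since the last offset.
        while offset < len(events) and events[offset][0] <= wake:
            ip = events[offset][1]
            counts[ip] = counts.get(ip, 0) + 1
            offset += 1
        if any(n > threshold for n in counts.values()):  # assumed semantics
            return offset
        wake += step
    return None  # threshold never exceeded

def exposure(lines, daemon_sleep, threshold):
    """(best, worst) attempts let through, over every possible wake-up phase."""
    events = parse(lines)
    results = [attempts_before_block(events, daemon_sleep, threshold,
                                     events[0][0] + timedelta(seconds=p))
               for p in range(daemon_sleep)]
    return min(results), max(results)

if __name__ == "__main__":
    for sleep in (30, 5, 1):
        print(sleep, exposure(SAMPLE_LOG, sleep, threshold=2))
```

The worst case grows with the attempt rate multiplied by the sleep interval, which is why both a shorter DAEMON_SLEEP and a firewall rate limit narrow the gap.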
