Not necessarily... The regex'es that DH uses by default shouldn't match most of those. Check your /var/log/denyhosts for entries around those times to see if it actually blocked someone.
Regards,

Phil

On Mon, 21 Jan 2008, David Burns wrote:

> Looking at the log around the time when I got my recent denyhosts
> report and what's in /var/log/secure, I think this is what peeved
> denyhosts:
>
> Jan 17 14:10:29 n32 sshd[5639]: Accepted publickey for root from 192.168.1.254 port 46254 ssh2
> Jan 17 14:12:35 ahui sshd[29625]: Read error from remote host 1<ip address>56.85: Connection timed out
> Jan 17 14:12:41 ahui sshd[25080]: Connection from 1<ip>6 port 60037
> Jan 17 14:12:41 ahui sshd[25080]: Connection closed by 12<ip>
> Jan 17 14:15:01 ahui sshd[25131]: Connection from 12ip.26 port 55104
>
> My working hypothesis right now is that this means that whenever
> someone logs in to my host and then leaves the connection idle for a
> while, the host times out the connection and writes a log entry about
> it, and denyhosts sees the log entry and puts the offending host on
> the black list. Is there a way for me to tell denyhosts to ignore the
> 'read error' log entry? I guess I could also attack it by trying to
> prevent anyone from ever getting timed out, which would actually make
> more sense. I guess I need to RTFM and figure out what is timing out
> and try to fix it.
>
> thanks,
> Dave
>
> On Jan 17, 2008 2:44 PM, Phil Schwartz <[EMAIL PROTECTED]> wrote:
>>
>> First thing you should do Dave is to run DH in --debug mode:
>>
>> /etc/init.d/denyhosts restart --debug
>>
>> then:
>>
>> tail -f /var/log/denyhosts
>>
>> Observe the output of when people attempt to login via ssh. That should
>> offer clues to what DH is (or isn't) doing.
>>
>> Also, at the bottom of the DH homepage there is a section: "Need Help?"
>> which details the info I would need in order to troubleshoot the regex'es.
>>
>> Regards,
>>
>> Phil
>>
>> On Thu, 17 Jan 2008, David Burns wrote:
>>
>>> I suspect that my log is in an unusual format. What sort of steps
>>> should I take to troubleshoot? Is there a doc somewhere I've
>>> overlooked that explains what denyhosts looks for in the logs, and
>>> what it ignores, and how to make it more verbose, etc.? Symptom seems
>>> to be that it eventually denies everyone. I've white-listed our local
>>> machines, but whenever someone tries to ssh in from outside our local
>>> net there is trouble.
>>> Thanks,
>>> Dave
>>>
>>> On Jan 9, 2008 12:57 PM, Phil Schwartz <[EMAIL PROTECTED]> wrote:
>>>>
>>>> Check the files in your DH WORK_DIR (grep them) for one of the subnodes.
>>>> The number after the : indicates the number of hack attempts DH detected.
>>>> If this number seems incorrect, check your SECURE_LOG for that IP address
>>>> to determine if they were legit or not. If DH incorrectly identified them
>>>> as attacks then your SECURE_LOG is likely in an unusual format.
>>>>
>>>> You may also want to stop DH, remove the IP address(es) from the WORK_DIR
>>>> files, and the IP's to WORK_DIR/allowed-hosts and restart DH.
>>>>
>>>> Regards,
>>>>
>>>> Phil
>>>>
>>>> On Wed, 9 Jan 2008, David Burns wrote:
>>>>
>>>>> I have a cluster master node running denyhosts (Thanks!), but I am
>>>>> confused because some of the subnodes get denied. I've put them into
>>>>> /etc/hosts.allow, so they don't actually lose access, but I do still
>>>>> get reports about them. Is there some documentation somewhere that
>>>>> would explain what to look for to find out what these nodes are doing
>>>>> that sets off denyhosts? I am pretty sure that there are no hackers
>>>>> with access to the subnodes trying to hack the master node - they're
>>>>> wired such that the only way to get to the nodes is through the
>>>>> master!
>>>>> Thanks in advance,
>>>>> Dave
>>>>>
>>>>> _______________________________________________
>>>>> Denyhosts-user mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Phil Schwartz
>>>> - http://www.phil-schwartz.com
>>>>
>>>> Open Source Projects:
>>>> - DenyHosts: http://www.denyhosts.net
>>>> - Kodos: http://kodos.sourceforge.net
>>>> - ReleaseForge: http://releaseforge.sourceforge.net
>>>> - Scratchy: http://scratchy.sourceforge.net
>>>> - FAQtor: http://faqtor.sourceforge.net
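The cross-check suggested in the thread (compare the count recorded in WORK_DIR against what SECURE_LOG actually shows for that IP) can be scripted; this is an added example, not part of the original messages and not DenyHosts code. The log lines, the IP addresses, the `ip:count[:...]` record layout and the three patterns are assumptions constructed for illustration; the patterns are not DenyHosts' own regexes.

```python
import re
from collections import defaultdict

# Constructed sample data (documentation IP ranges), not taken from the thread.
SECURE_LOG = """\
Jan 17 14:10:29 n32 sshd[5639]: Accepted publickey for root from 192.0.2.10 port 46254 ssh2
Jan 17 14:12:35 n32 sshd[29625]: Read error from remote host 192.0.2.10: Connection timed out
Jan 17 14:12:41 n32 sshd[25080]: Connection from 192.0.2.10 port 60037
Jan 17 14:12:41 n32 sshd[25080]: Connection closed by 192.0.2.10
Jan 17 14:20:02 n32 sshd[25200]: Failed password for invalid user admin from 198.51.100.7 port 4242 ssh2
Jan 17 14:20:05 n32 sshd[25200]: Failed password for root from 198.51.100.7 port 4243 ssh2
"""
# Assumed WORK_DIR record layout: "<ip>:<count>[:<anything>]".
WORK_DIR_HOSTS = "192.0.2.10:3:Thu Jan 17 14:15:01 2008\n198.51.100.7:2:Thu Jan 17 14:20:05 2008\n"

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Illustrative patterns written for this example; they are NOT DenyHosts' regexes.
PATTERNS = [
    ("failed", re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from " + IP)),
    ("accepted", re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from " + IP)),
    ("benign", re.compile(r"sshd\[\d+\]: (?:Read error from remote host|Connection from|Connection closed by) " + IP)),
]

def classify(log_text):
    """Count sshd events per source IP, by category (first matching pattern wins)."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        for label, rx in PATTERNS:
            m = rx.search(line)
            if m:
                seen[m.group(1)][label] += 1
                break
    return seen

def parse_counts(work_text):
    """Map IP -> recorded attempt count (the number after the first ':')."""
    rows = (l.strip().split(":") for l in work_text.splitlines())
    return {r[0]: int(r[1]) for r in rows if len(r) >= 2 and r[1].isdigit()}

def suspect_false_positives(work_text, log_text):
    """IPs that have a recorded count but no failed-auth line in the log."""
    seen = classify(log_text)
    return sorted(ip for ip, n in parse_counts(work_text).items()
                  if n > 0 and seen[ip]["failed"] == 0)

if __name__ == "__main__":
    print(suspect_false_positives(WORK_DIR_HOSTS, SECURE_LOG))
```

An IP returned here has only timeout or connection-close lines behind its count, which is the situation David describes and the cue to review the log format against the configured regexes.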
