Jeff Berman wrote:
> I just installed DenyHosts and have been running it for a couple days
> now. It's working great!
>
> The configuration I'm using may be considered lax by some of you, but
> it's the only way I could find to get DenyHosts to work the way I'd
> like. I'd welcome any comments or suggestions from you experts.
>
> In the event that I'm on the road and want to connect to my computer,
> I don't want to accidentally lock myself out for the duration of the
> trip. And because each hotel will have its own IP address, it would
> be difficult to whitelist them. Thus, the configuration is such:
>
> PURGE_DENY = 10m
> PURGE_THRESHOLD = 0
> DENY_THRESHOLD_INVALID = 4
> DENY_THRESHOLD_VALID = 4
> DENY_THRESHOLD_ROOT = 1
> DENY_THRESHOLD_RESTRICTED = 1
> AGE_RESET_VALID = 5m
> AGE_RESET_ROOT = 25d
> AGE_RESET_INVALID = 10d
> RESET_ON_SUCCESS = yes
> DAEMON_SLEEP = 30s
> DAEMON_PURGE = 10m
>
> So basically, if an attacker (or my fumbling fingers) gets blocked,
> it will only be for 10 minutes. What do you think about this? Maybe
> I'm not paranoid or security conscious enough, but it seems like
> attackers usually give up and move onto the next IP as soon as
> they're denied. Is this line of thinking naive?
Interesting...

First: there are better ways to accomplish what you want, much better; for instance, using password-less login (also known as using your public key). The chances of being locked out by an error are zero: you don't enter the password at all, and the only mistake you could make is typing your user name, which will fall into invalid users, so it doesn't count.

Another way is to whitelist your user from any IP. That's just regular sshd configuration, and there's a non-zero probability that an attacker will use your username (if he can guess it, or just by chance).

Side note: your current configuration doesn't really block for 10 minutes; it may block for up to 19.99 minutes. I.e. DH is a periodic event: it checks every 30 sec and 10 min. An attacker might start at any time, but let's say he gets detected at the start of the 10 min and gets blocked for, say, 9:30; DH then checks what to purge and keeps him blocked for another 10 minutes. On average (formal statistics) every entry will be blocked 1.5 times the purge period, with a minimum of 10 m and a maximum of 10.999... Beware of unexpected results.

Another situation: if you use DH's sync server, your error gets you blocked for 10 - 20 minutes, but if your IP also happens to get sent to the sync server, even after the purge it can come back, so you'll end up blocked for intermittent periods and a long time overall.

Your configuration is fine, by the way.

Your comment about attackers just moving on is an assumption you can't make. If you look at the logs, you are right in your description, but most, if not all, of the known (from a DH sync server point of view) would-be attackers are using the same software, and it always tries twice; a few try with broken software and try again and again (yesterday a dumb one sent HTML to my mail server, searching for open proxies). But that's not important; making unnecessary assumptions is a bad idea, and that's the important point.
-- René Berber

Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
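The "10 to 20 minutes" point in the reply above comes from the daemon being periodic: entries are written on DAEMON_SLEEP ticks but only removed on DAEMON_PURGE passes, and a pass only removes entries that are already PURGE_DENY old. The following is an added example (not DenyHosts code and not from either poster) that simulates that timing for the configuration Jeff posted. It assumes a simplified model of the daemon: purge passes run at fixed multiples of DAEMON_PURGE counted from daemon start, detection is quantized to DAEMON_SLEEP ticks, and a purge pass removes an entry only when its age has reached PURGE_DENY. That model is an assumption; it has not been checked against the DenyHosts source.

```python
"""Simulate how long a DenyHosts entry really stays in hosts.deny.

Added example, not DenyHosts code. Assumed model (not verified against
the DenyHosts source): the daemon writes new deny entries on DAEMON_SLEEP
ticks, runs a purge pass every DAEMON_PURGE seconds measured from daemon
start, and a purge pass removes only entries whose age is >= PURGE_DENY
at that moment.
"""

# Values from the posted configuration, converted to seconds.
DAEMON_SLEEP = 30       # DAEMON_SLEEP = 30s
DAEMON_PURGE = 10 * 60  # DAEMON_PURGE = 10m
PURGE_DENY = 10 * 60    # PURGE_DENY = 10m


def block_duration(detect_time, daemon_purge=DAEMON_PURGE, purge_deny=PURGE_DENY):
    """Seconds an entry written at `detect_time` (seconds after daemon start)
    stays in hosts.deny under the assumed model.

    The entry is removed by the first purge pass at which its age has
    reached purge_deny; passes happen at t = daemon_purge, 2*daemon_purge, ...
    """
    if detect_time < 0:
        raise ValueError("detect_time must be >= 0")
    # First purge pass strictly after the entry was written.
    purge_at = (detect_time // daemon_purge + 1) * daemon_purge
    # Passes that see the entry as younger than purge_deny leave it alone.
    while purge_at - detect_time < purge_deny:
        purge_at += daemon_purge
    return purge_at - detect_time


def durations_over_one_cycle(daemon_sleep=DAEMON_SLEEP,
                             daemon_purge=DAEMON_PURGE,
                             purge_deny=PURGE_DENY):
    """Block duration for every detection tick within one purge cycle.

    Detection happens on daemon_sleep ticks, so with the posted values the
    possible offsets are 0, 30, 60, ..., 570 seconds after a purge pass.
    """
    return [block_duration(t, daemon_purge, purge_deny)
            for t in range(0, daemon_purge, daemon_sleep)]


def summarize(durations):
    """Return (min, max, mean) of a list of durations, in seconds."""
    return min(durations), max(durations), sum(durations) / len(durations)


if __name__ == "__main__":
    lo, hi, mean = summarize(durations_over_one_cycle())
    print(f"posted config: min {lo/60:.2f} min, max {hi/60:.2f} min, "
          f"mean {mean/60:.2f} min")
    # The spread comes from DAEMON_PURGE, not PURGE_DENY: purging every
    # minute instead of every ten keeps PURGE_DENY but shrinks the overshoot.
    lo, hi, mean = summarize(durations_over_one_cycle(daemon_purge=60))
    print(f"DAEMON_PURGE=1m: min {lo/60:.2f} min, max {hi/60:.2f} min, "
          f"mean {mean/60:.2f} min")
```

With the posted values the model gives a minimum of 10 minutes, a maximum of 19.5 minutes (19.99 in the reply, because there detection is not quantized to 30 s ticks) and a mean of 14.75 minutes, i.e. the "about 1.5 times the purge period" the reply describes. Running the second case shows that lowering DAEMON_PURGE while leaving PURGE_DENY alone is what narrows that window, which is the knob to adjust if the goal is "really about 10 minutes".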