John Ciesla wrote: > I recently installed Denyhosts on my server and it seems to be working well; > I can see it watching for invalid login attempts and then blocking them > after they reach the threshold. However, when I look through the logs I will > occasionally see something like this: [snip] > Obviously, there are far more attempts here than there should be; my > threshold values are set to only allow 3 attempts at the maximum. Here is > the output of the Denyhosts log after a restart: [snip] > 2008-10-02 08:07:12,553 - prefs : INFO RESET_ON_SUCCESS: [no]
Do you really want that? Absolutely no errors allowed, they accumulate for the next login on a valid login and eventually trap a real user. > 2008-10-02 08:07:12,563 - denyhosts : INFO daemon_sleep: 10 > Any idea why sometimes the hacker gets many more attempts than they should? The daemon checks every 10 seconds, the intruder can try as many times as he can inside that cycle... and as long as he hasn't reached the threshold he can keep trying (span more than one cycle), plus the small time it takes to actually add the IP and for sshd to read it, the real time is longer than 10 s. The answer in practice is the intruder will always be able to try more than 'threshold' times, the threshold is a soft limit, not a hard one. -- René Berber ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Denyhosts-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/denyhosts-user
