Considering most of the logins are for invalid users, I'd suggest lowering 
the DENY_THRESHOLD_VALID value from the default (which is 10) to 5 or 
less.  Also, assuming you're running in daemon mode, you might want to have 
DenyHosts wake up from its nap sooner; the default DAEMON_SLEEP is 30s.

-- 

Regards,

Phil Schwartz
http://www.phil-schwartz.com

Open Source Projects:

DenyHosts: http://www.denyhosts.net
Kodos: http://kodos.sourceforge.net
ReleaseForge: http://releaseforge.sourceforge.net
Scratchy: http://scratchy.sourceforge.net
FAQtor: http://faqtor.sourceforge.net

'Like' DenyHosts on Facebook:

http://www.facebook.com/pages/DenyHosts/58269629216


On Sun, 1 Jul 2012, Doug Niven wrote:

> Hi Folks,
>
> I'm seeing the following type of attempts on my server, i.e. someone from the 
> same IP address/host trying various usernames until deny hosts finally locks 
> them out.
>
> Is there a minor tweak I should make to my denyhosts.cfg file that will cut 
> them off in future attempts?
>
> Denyhosts is working great, but I'd just like to harden it a little bit.
>
> Thanks!
>
> Doug
>
> Jul  1 10:29:13 example-test sshd[8863]: Accepted keyboard-interactive/pam 
> for sixpack from 63.249.85.38 port 41722 ssh2
> Jul  1 10:29:17 example-test sshd[8870]: Received disconnect from 
> 62.249.85.68: 11: disconnected by user
> Jul  1 11:43:58 example-test sshd[9104]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:00 example-test sshd[9109]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:01 example-test sshd[9111]: Invalid user gamme from 
> 222.184.230.118
> Jul  1 11:44:01 example-test sshd[9112]: input_userauth_request: invalid user 
> gamme
> Jul  1 11:44:01 example-test sshd[9112]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:02 example-test sshd[9117]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:04 example-test sshd[9120]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:05 example-test sshd[9123]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:06 example-test sshd[9125]: Invalid user exam from 
> 222.184.230.118
> Jul  1 11:44:06 example-test sshd[9126]: input_userauth_request: invalid user 
> exam
> Jul  1 11:44:06 example-test sshd[9126]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:07 example-test sshd[9130]: Invalid user cri from 222.184.230.118
> Jul  1 11:44:07 example-test sshd[9131]: input_userauth_request: invalid user 
> cri
> Jul  1 11:44:08 example-test sshd[9131]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:09 example-test sshd[9135]: Invalid user aa from 222.184.230.118
> Jul  1 11:44:09 example-test sshd[9136]: input_userauth_request: invalid user 
> aa
> Jul  1 11:44:09 example-test sshd[9136]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:10 example-test sshd[9141]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:12 example-test sshd[9144]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:13 example-test sshd[9147]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:14 example-test sshd[9150]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:16 example-test sshd[9156]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:17 example-test sshd[9159]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:18 example-test sshd[9163]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:19 example-test sshd[9165]: Invalid user web from 222.184.230.118
> Jul  1 11:44:19 example-test sshd[9166]: input_userauth_request: invalid user 
> web
> Jul  1 11:44:20 example-test sshd[9166]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:21 example-test sshd[9171]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:22 example-test sshd[9173]: Invalid user r00t from 
> 222.184.230.118
> Jul  1 11:44:22 example-test sshd[9174]: input_userauth_request: invalid user 
> r00t
> Jul  1 11:44:22 example-test sshd[9174]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:24 example-test sshd[9179]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
> Jul  1 11:44:25 example-test sshd[9182]: Received disconnect from 
> 222.184.230.118: 11: Bye Bye
>
>
> _______________________________________________
> Denyhosts-user mailing list
> Denyhosts-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
>
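
An added example, not part of the original messages and not DenyHosts code: a simplified model of how a deny threshold and the daemon's polling interval (DAEMON_SLEEP) together determine how many `Invalid user` attempts are logged before a host is denied. The log lines are constructed in the format of the quoted excerpt, `threshold` stands in for whichever DENY_THRESHOLD_* setting applies, and the function names and the "deny once the count exceeds the threshold" rule are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the sshd syslog format quoted above (documentation IP).
SAMPLE_LOG = """\
Jul  1 11:44:01 host sshd[9111]: Invalid user gamme from 203.0.113.7
Jul  1 11:44:06 host sshd[9125]: Invalid user exam from 203.0.113.7
Jul  1 11:44:07 host sshd[9130]: Invalid user cri from 203.0.113.7
Jul  1 11:44:09 host sshd[9135]: Invalid user aa from 203.0.113.7
Jul  1 11:44:19 host sshd[9165]: Invalid user web from 203.0.113.7
Jul  1 11:44:22 host sshd[9173]: Invalid user r00t from 203.0.113.7
"""
INVALID_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)$")

def parse_invalid(log, year=2012):
    """Return (timestamp, source_ip, username) per 'Invalid user' line."""
    events = []
    for line in log.splitlines():
        m = INVALID_RE.match(line.strip())
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    return events

def simulate(events, threshold, sleep, first_wake):
    """Simplified model (an assumption, not DenyHosts code): a scanner wakes
    every `sleep` seconds and denies a host once its logged failures exceed
    `threshold`. Returns {ip: (deny_time, attempts_logged_by_then)}."""
    denied = {}
    last = max((ts for ts, _, _ in events), default=first_wake)
    wake = first_wake
    while wake <= last + timedelta(seconds=sleep):
        counts = {}
        for ts, ip, _ in events:
            if ts <= wake:
                counts[ip] = counts.get(ip, 0) + 1
        for ip, n in counts.items():
            if n > threshold and ip not in denied:
                denied[ip] = (wake, n)
        wake += timedelta(seconds=sleep)
    return denied

if __name__ == "__main__":
    start = datetime(2012, 7, 1, 11, 44, 0)
    for threshold, sleep in [(5, 30), (3, 5)]:
        for ip, (when, n) in simulate(parse_invalid(SAMPLE_LOG), threshold, sleep, start).items():
            print(f"threshold={threshold} sleep={sleep}s: {ip} denied at "
                  f"{when:%H:%M:%S} after {n} logged attempts")
```

In this model the host is denied at 11:44:30 after six logged attempts with a threshold of 5 and a 30-second sleep, and at 11:44:10 after four with a threshold of 3 and a 5-second sleep.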

