I see continuous attempts to bruteforce my server, but denyhosts only
blocks a few hosts each day, and I can't understand why.
Here is a snip from /var/log/secure showing one attempt. This was
immediately followed by 12 more attempts within one minute, identical
except for the port number. Even though DENY_THRESHOLD_ROOT = 1, still this
host was never added to hosts.deny.
Apr 22 14:50:59 ===== sshd[28283]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.198 user=root
Apr 22 14:51:01 ===== sshd[28283]: Failed password for root from 222.186.21.198 port 43316 ssh2
Apr 22 14:51:02 ===== unix_chkpwd[28291]: password check failed for user (root)
Apr 22 14:51:04 ===== sshd[28283]: Failed password for root from 222.186.21.198 port 43316 ssh2
Apr 22 14:51:04 ===== unix_chkpwd[28293]: password check failed for user (root)
Apr 22 14:51:06 ===== sshd[28283]: Failed password for root from 222.186.21.198 port 43316 ssh2
Apr 22 14:51:06 ===== sshd[28284]: Received disconnect from 222.186.21.198: 11:
/var/log/denyhost (set to debug) for the same time period shows that,
although the log is being checked, it doesn't block the host.
2015-04-22 14:50:59,175 - denyhosts : DEBUG new hosts: []
2015-04-22 14:50:59,176 - denyhosts : DEBUG no new denied hosts
2015-04-22 14:50:59,176 - denyhosts : DEBUG no new suspicious logins
2015-04-22 14:51:29,214 - denyhosts : DEBUG /var/log/secure has additional data
2015-04-22 14:51:29,393 - denyhosts : DEBUG new hosts: []
2015-04-22 14:51:29,393 - denyhosts : DEBUG no new denied hosts
2015-04-22 14:51:29,393 - denyhosts : DEBUG no new suspicious logins
2015-04-22 14:51:59,429 - denyfileutil: DEBUG relative cutoff: 31449600 (seconds)
2015-04-22 14:51:59,430 - denyfileutil: DEBUG absolute cutoff: 1398279119 (epoch)
2015-04-22 14:51:59,430 - denyfileutil: INFO purging entries older than: Wed Apr 23 14:51:59 2014
2015-04-22 14:51:59,463 - denyfileutil: INFO num entries purged: 0
2015-04-22 14:51:59,463 - denyhosts : DEBUG /var/log/secure has additional data
2015-04-22 14:51:59,628 - denyhosts : DEBUG new hosts: []
2015-04-22 14:51:59,628 - denyhosts : DEBUG no new denied hosts
2015-04-22 14:51:59,628 - denyhosts : DEBUG no new suspicious logins
2015-04-22 14:52:29,660 - denyhosts : DEBUG /var/log/secure has additional data
2015-04-22 14:52:29,839 - denyhosts : DEBUG new hosts: []
2015-04-22 14:52:29,839 - denyhosts : DEBUG no new denied hosts
2015-04-22 14:52:29,839 - denyhosts : DEBUG no new suspicious logins
Config settings are default, except as noted:
/etc/denyhosts.conf
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 52w # changed from default
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 3 # changed from default
DENY_THRESHOLD_VALID = 5 # changed from default
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report from ===== $[HOSTNAME]
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
Denyhosts is working at least sometimes because it does block a few hosts
each day. And I do see “refused connect from” messages for other IPs in
/var/log/secure. I can't understand why it doesn't block attempts as
aggressive as these. Any good ideas appreciated.
Thanks….
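As an added check (example code written for this thread, not part of DenyHosts or the original post), the script below applies the thresholds from the quoted denyhosts.conf to the quoted sshd "Failed password" lines, so a reader can see which hosts the configured thresholds alone would flag. The sample log is constructed from the lines in the post plus two extra hosts (198.51.100.7, 203.0.113.9) to exercise the invalid-user and valid-user categories; the category rules are a simplification and not DenyHosts's own parser.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modeled on the /var/log/secure lines quoted in the post
# (hostname redacted as ===== as in the original); last three lines are invented.
SAMPLE_SECURE_LOG = """\
Apr 22 14:50:59 ===== sshd[28283]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.198 user=root
Apr 22 14:51:01 ===== sshd[28283]: Failed password for root from 222.186.21.198 port 43316 ssh2
Apr 22 14:51:02 ===== unix_chkpwd[28291]: password check failed for user (root)
Apr 22 14:51:04 ===== sshd[28283]: Failed password for root from 222.186.21.198 port 43316 ssh2
Apr 22 14:51:06 ===== sshd[28283]: Failed password for root from 222.186.21.198 port 43316 ssh2
Apr 22 14:51:06 ===== sshd[28284]: Received disconnect from 222.186.21.198: 11:
Apr 22 14:52:10 ===== sshd[28301]: Failed password for invalid user admin from 198.51.100.7 port 50010 ssh2
Apr 22 14:52:12 ===== sshd[28301]: Failed password for invalid user admin from 198.51.100.7 port 50010 ssh2
Apr 22 14:52:30 ===== sshd[28310]: Failed password for alice from 203.0.113.9 port 40022 ssh2
"""

# Thresholds taken from the denyhosts.conf quoted in the post.
THRESHOLDS = {"root": 1, "invalid": 3, "valid": 5}

# Matches sshd "Failed password" lines, with or without the "invalid user" marker.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return {host: Counter(category -> failures)} from sshd 'Failed password' lines."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # pam_unix, unix_chkpwd and disconnect lines are not counted here
        cat = "root" if m["user"] == "root" else ("invalid" if m["invalid"] else "valid")
        counts[m["host"]][cat] += 1
    return counts

def hosts_to_deny(log_text, thresholds=THRESHOLDS):
    """Hosts whose failure count in any category meets that category's threshold."""
    deny = {}
    for host, cats in count_failures(log_text).items():
        hit = [c for c, n in cats.items() if n >= thresholds[c]]
        if hit:
            deny[host] = sorted(hit)
    return deny

if __name__ == "__main__":
    for host, reasons in sorted(hosts_to_deny(SAMPLE_SECURE_LOG).items()):
        print(f"{host}: threshold met for {', '.join(reasons)}")
```

With the quoted thresholds, 222.186.21.198 is flagged on its first root failure, while the two invented hosts stay below their thresholds.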
_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user