On Tue, Jan 20, 2009 at 3:33 PM, Paul Hartman <paul.hartman+gen...@gmail.com> wrote: > Hi, > > After setting up public key authentication i changed my sshd back to > port 22 and got the expected bombardment of connection attempts. > However, it doesn't seem to ever stop them. I'm using sshd with this > setting: > > MaxAuthTries 3 > > in my /etc/ssh/sshd_config [cut]
Okay, I have some possible new embarrassing information... as well as some new questions about access control. After combining all logs in chronological order, it appears denyhosts IS properly adding the new host to /etc/hosts.deny but it is simply not causing it to be denied... See this sample: Jan 22 18:42:58 [sshd] Invalid user staff from 59.185.104.218 Jan 22 18:43:01 [sshd] Invalid user sales from 59.185.104.218 Jan 22 18:43:03 [sshd] Invalid user recruit from 59.185.104.218 Jan 22 18:43:06 [denyhosts] Added the following hosts to /etc/hosts.deny - 59.185.104.218 (triband-mum-59.185.104.218.mtnl.net.in) Jan 22 18:43:06 [sshd] Invalid user alias from 59.185.104.218 Jan 22 18:43:09 [sshd] Invalid user office from 59.185.104.218 Jan 22 18:43:11 [sshd] Invalid user samba from 59.185.104.218 Jan 22 18:43:14 [sshd] Invalid user tomcat from 59.185.104.218 Jan 22 18:43:22 [sshd] Invalid user webadmin from 59.185.104.218 So now I am going back to what I should have looked at in the very beginning, my hosts.allow and hosts.deny rules. hosts.allow: sshd: ALL portmap: 127.0.0.1, 192.168.0.0/255.255.255.0 lockd: 127.0.0.1, 192.168.0.0/255.255.255.0 rquotad: 127.0.0.1, 192.168.0.0/255.255.255.0 mountd: 127.0.0.1, 192.168.0.0/255.255.255.0 statd: 127.0.0.1, 192.168.0.0/255.255.255.0 ALL: 127.0.0.1, 192.168.0.0/255.255.255.0 hosts.deny: ALL: ALL sshd: 58.213.125.25 sshd: 75.37.250.107 sshd: 147.83.29.83 sshd: 59.185.104.218 sshd: 210.40.128.31 (and so on) >From the manpage: ACCESS CONTROL FILES The access control software consults two files. The search stops at the first match: - Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file. - Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file. - Otherwise, access will be granted. doh! So, basically, when it sees sshd: ALL in hosts.allow, it stops and allows access to everyone. It never even gets around to checking the hosts.deny file. The fact that the login attempts stopped after about an hour must have been purely coincidence. My intended purpose for those entires was to allow all sshd unless they are in the deny file, but I also want to deny everything else that doesn't have an explicit allow/deny rule. I don't think this is possible using hosts.allow/hosts.deny unless I enumerate every service. The deny ALL: ALL will deny me access to sshd. I essentially want it to work the other way around. Deny access by default unless there is an allow rule. I don't think I can do that, though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will deny ME access to my own machine. I don't want that. Since I don't have a specific IP i will connect from, I can't allow any specific IP (or else I'd be doing it that way already). How can I accomplish this?: Allow all ssh connections unless they are in hosts.deny Deny all other connections unless they are in hosts.allow Thanks and sorry for the misdirection :) Paul