Hi,

Is anyone else seeing problems with denyhosts not blocking some failed 
logins?  This popped up in last night's logwatch:

  sshd:
     Authentication Failures:
        root (115.239.228.34): 408 Time(s)
        root (62-210-180-195.rev.poneytelecom.eu): 311 Time(s)
        root (62-210-82-91.rev.poneytelecom.eu): 303 Time(s)
        root (62-210-83-108.rev.poneytelecom.eu): 203 Time(s)
        root (62-210-142-105.rev.poneytelecom.eu): 198 Time(s)
        root (62-210-82-152.rev.poneytelecom.eu): 41 Time(s)
        root (61.174.50.149): 36 Time(s)
        root (122.225.103.107): 28 Time(s)
        root (61.174.50.188): 22 Time(s)
        root (221.235.188.214): 9 Time(s)
        unknown (184.107.41.52): 6 Time(s)
        unknown (pluton.microtec.fr): 6 Time(s)
        root (184.107.41.52): 5 Time(s)
        unknown (200-158-64-81.dsl.telesp.net.br): 5 Time(s)
        postgres (184.107.41.52): 1 Time(s)
        root (200-158-64-81.dsl.telesp.net.br): 1 Time(s)
        root (222.186.34.77): 1 Time(s)
     Invalid Users:
        Unknown Account: 22 Time(s)


In the past denyhosts would typically block an IP after less than 10 
tries, so those entries with >100 are completely out of whack.  I know 
that denyhosts is still running because it blocked 6 IPs during the day 
today.

I have changed my sshd_config to 'PermitRootLogin no' to work around the 
problem.  This will likely be a permanent change, but I think it would 
be worthwhile to understand why denyhosts is not working.

Yes, I know I could move sshd to a different port.  I don't want to do that.

Yes, I know I could change my sshd_config to 'PasswordAuthentication 
no'.  I'm considering doing that.


galens@lion:~$ cat /etc/redhat-release
CentOS release 6.6 (Final)

galens@lion:~$ cat /proc/version
Linux version 2.6.32-504.el6.x86_64 ([email protected]) 
(gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Wed Oct 15 
04:27:16 UTC 2014

galens@lion:~$ rpm -q denyhosts
denyhosts-2.6-19.el6.1.noarch


thanks,
galen
-- 
Galen Seitz
[email protected]
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
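
One way to check which sources passed a failure threshold without ever being written to hosts.deny, as an added example that is not part of the original post. It assumes OpenSSH "Failed password" lines as found in /var/log/secure and hosts.deny entries of the form "sshd: ADDR" or "ALL: ADDR"; the function names, the threshold of 10 and the sample data are constructed for illustration.

```python
import re
from collections import Counter

# Assumed OpenSSH log format for a rejected password in /var/log/secure.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# Assumed hosts.deny entry format; only the first client on the line is read.
DENY = re.compile(r"^\s*(?:sshd|ALL)\s*:\s*(\S+)")

def failures_by_source(log_lines):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def denied_sources(deny_lines):
    """Collect the addresses already present in hosts.deny, skipping comments."""
    denied = set()
    for line in deny_lines:
        if line.lstrip().startswith("#"):
            continue
        m = DENY.match(line)
        if m:
            denied.add(m.group(1))
    return denied

def missed_sources(log_lines, deny_lines, threshold=10):
    """Sources at or above the threshold that have no deny entry, worst first."""
    denied = denied_sources(deny_lines)
    counts = failures_by_source(log_lines)
    missed = [(s, n) for s, n in counts.items() if n >= threshold and s not in denied]
    return sorted(missed, key=lambda item: -item[1])

def _line(user, src, pid, invalid=False):
    who = ("invalid user " if invalid else "") + user
    return (f"Nov 12 03:14:07 lion sshd[{pid}]: "
            f"Failed password for {who} from {src} port 40022 ssh2")

# Constructed sample data using documentation-only address ranges.
SAMPLE_LOG = ([_line("root", "192.0.2.10", 2000 + i) for i in range(40)]
              + [_line("root", "198.51.100.7", 3000 + i) for i in range(12)]
              + [_line("admin", "203.0.113.5", 4000 + i, True) for i in range(3)])
SAMPLE_DENY = ["# constructed hosts.deny content", "sshd: 198.51.100.7"]

if __name__ == "__main__":
    for src, n in missed_sources(SAMPLE_LOG, SAMPLE_DENY):
        print(f"{src}: {n} failures, no hosts.deny entry")
```

On a real host, pass the lines of /var/log/secure and /etc/hosts.deny instead of the sample lists.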
