From: Zbigniew Szalbot
Date: Mon, 18 Jun 2007 07:51:23 +0200
To: freebsd-questions@freebsd.org
Subject: denyhosts and the threshold level

Hello,

I have denyhosts set with the following options:

DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 3

In my understanding this should block all ssh login attempts from a host which fails to provide correct login credentials 3 times (no matter if the user actually exists or not on my system). This appears to work. But I have a question.
When I look at the log I can see something like this:

Failed password for root from 218.9.127.236 port 46472 ssh2
Jun 17 19:55:38 lists sshd[8048]: Failed password for root from 218.9.127.236 port 46631 ssh2
Jun 17 19:55:42 lists sshd[8052]: Failed password for root from 218.9.127.236 port 46786 ssh2
Jun 17 19:55:45 lists sshd[8057]: Failed password for root from 218.9.127.236 port 46952 ssh2
Jun 17 19:55:49 lists sshd[8069]: Failed password for root from 218.9.127.236 port 47106 ssh2
Jun 17 19:55:53 lists sshd[8071]: Failed password for root from 218.9.127.236 port 47261 ssh2
Jun 17 19:55:56 lists sshd[8075]: Failed password for root from 218.9.127.236 port 47414 ssh2
Jun 17 19:56:00 lists sshd[8079]: Failed password for root from 218.9.127.236 port 47566 ssh2
Jun 17 19:56:03 lists sshd[8081]:

How can I determine whether the user has actually been cut off after 3 attempts? Or does the above mean that the user was not blocked?

Many thanks for your advice!

Warm regards from Poland.

Zbigniew Szalbot
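
One way to check this from the log itself, as an added example that is not part of the original message: it counts sshd "Failed password" lines per source address, lists the failures logged after the threshold of 3 was reached, and looks the address up in deny-file text. The function names, the deny-file line format ("sshd: address" or a bare address, IPv4 only) and the deny entry in the demo are assumptions; the log lines are the complete ones from the message.

```python
import re

# sshd "Failed password" syslog line, for existing and invalid users.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

# The complete log lines from the message above.
SAMPLE_LOG = """\
Jun 17 19:55:38 lists sshd[8048]: Failed password for root from 218.9.127.236 port 46631 ssh2
Jun 17 19:55:42 lists sshd[8052]: Failed password for root from 218.9.127.236 port 46786 ssh2
Jun 17 19:55:45 lists sshd[8057]: Failed password for root from 218.9.127.236 port 46952 ssh2
Jun 17 19:55:49 lists sshd[8069]: Failed password for root from 218.9.127.236 port 47106 ssh2
Jun 17 19:55:53 lists sshd[8071]: Failed password for root from 218.9.127.236 port 47261 ssh2
Jun 17 19:55:56 lists sshd[8075]: Failed password for root from 218.9.127.236 port 47414 ssh2
Jun 17 19:56:00 lists sshd[8079]: Failed password for root from 218.9.127.236 port 47566 ssh2
"""

def failures_by_host(lines):
    """Return {ip: [timestamp, ...]} for every failed-password line, in log order."""
    hits = {}
    for line in lines:
        m = FAILED.match(line)
        if m:
            hits.setdefault(m["ip"], []).append(m["ts"])
    return hits

def past_threshold(lines, threshold):
    """Return {ip: timestamps of failures logged after `threshold` failures}."""
    return {ip: ts[threshold:]
            for ip, ts in failures_by_host(lines).items() if len(ts) >= threshold}

def is_denied(ip, deny_text):
    """True if ip is listed in deny text (assumed 'sshd: ip' or bare ip per line)."""
    for line in deny_text.splitlines():
        entry = line.split("#", 1)[0]          # drop comments
        hosts = entry.split(":", 1)[-1].replace(",", " ").split()
        if ip in hosts:
            return True
    return False

if __name__ == "__main__":
    deny = "sshd: 218.9.127.236\n"  # constructed deny-file content for the demo
    for ip, late in past_threshold(SAMPLE_LOG.splitlines(), 3).items():
        print(f"{ip}: {len(late)} failures after the 3rd, last at {late[-1] if late else '-'}")
        print(f"{ip}: listed in deny file: {is_denied(ip, deny)}")
```

To use it on a live system, feed it the real auth log and the contents of the file named by HOSTS_DENY in denyhosts.conf.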