Date: Sun, 17 Jun 2007 22:24:47 -0800 From: Beech Rintoul <beech@freebsd.org> To: freebsd-questions@freebsd.org Cc: Zbigniew Szalbot <zbyszek@szalbot.homedns.org> Subject: Re: denyhosts and the threshold level Message-ID: <200706172224.51761.beech@freebsd.org> In-Reply-To: <46761D5B.1000406@szalbot.homedns.org> References: <46761D5B.1000406@szalbot.homedns.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sunday 17 June 2007, Zbigniew Szalbot said: > Hello, > > I have denyhosts set with the following options: > > DENY_THRESHOLD_INVALID = 3 > DENY_THRESHOLD_VALID = 3 > > In my understanding this should block all ssh login attempts from a > host which fails to provide correct login credentials 3 times (no > matter if the user actually exists or not at my system). This > appears to work. But I have a question. When I look at the log I > can see something like that: > > Failed password for root from 218.9.127.236 port 46472 ssh2 Jun 17 > 19:55:38 lists sshd[8048]: > Failed password for root from 218.9.127.236 port 46631 ssh2 Jun 17 > 19:55:42 lists sshd[8052]: > Failed password for root from 218.9.127.236 port 46786 ssh2 Jun 17 > 19:55:45 lists sshd[8057]: > Failed password for root from 218.9.127.236 port 46952 ssh2 Jun 17 > 19:55:49 lists sshd[8069]: > Failed password for root from 218.9.127.236 port 47106 ssh2 Jun 17 > 19:55:53 lists sshd[8071]: > Failed password for root from 218.9.127.236 port 47261 ssh2 Jun 17 > 19:55:56 lists sshd[8075]: > Failed password for root from 218.9.127.236 port 47414 ssh2 Jun 17 > 19:56:00 lists sshd[8079]: > Failed password for root from 218.9.127.236 port 47566 ssh2 Jun 17 > 19:56:03 lists sshd[8081]: > > How can I determine whether the user has actually been cut off > after 3 attempts? Or does the above mean that the user was not > blocked? > > Many thanks for your advice! > > Warm regards from Poland. > > Zbigniew Szalbot I use denyhosts on a couple of my servers. Those login scripts try many a second. It takes denyhosts a bit of time to catch it. As for them being blocked root should be receiving mail telling you what IP was blocked. What I see above looks about normal for the app. Beech -- --------------------------------------------------------------------------------------- Beech Rintoul - FreeBSD Developer - beech@FreeBSD.org /"\ ASCII Ribbon Campaign | FreeBSD Since 4.x \ / - NO HTML/RTF in e-mail | http://www.freebsd.org X - NO Word docs in e-mail | Latest Release: / \ - http://www.FreeBSD.org/releases/6.2R/announce.html ---------------------------------------------------------------------------------------
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200706172224.51761.beech>