FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo User

 
 
LinkBack Thread Tools
 
Old 01-20-2009, 08:33 PM
Paul Hartman
 
Default Why isn't sshd blocking repeated failed login attempts?

Hi,

After setting up public key authentication i changed my sshd back to
port 22 and got the expected bombardment of connection attempts.
However, it doesn't seem to ever stop them. I'm using sshd with this
setting:

MaxAuthTries 3

in my /etc/ssh/sshd_config

So, why does it allow unlimited failed login attempts? For example, as
I write this I'm seeing this in my logs:

Jan 20 14:54:38 [sshd] Invalid user ejin from 72.70.42.36
Jan 20 14:54:39 [sshd] Invalid user core from 72.70.42.36
Jan 20 14:54:40 [sshd] Invalid user master from 72.70.42.36
Jan 20 14:54:41 [sshd] Invalid user tony from 72.70.42.36
- Last output repeated 2 times -
Jan 20 14:54:50 [sshd] Invalid user apache from 72.70.42.36
Jan 20 14:54:52 [sshd] Invalid user web0 from 72.70.42.36
- Last output repeated 4 times -
Jan 20 14:55:03 [sshd] Invalid user web1 from 72.70.42.36
- Last output repeated 3 times -
Jan 20 14:55:13 [sshd] Invalid user web2 from 72.70.42.36
- Last output repeated 3 times -
Jan 20 14:55:17 [sshd] Invalid user web3 from 72.70.42.36
- Last output repeated 3 times -
Jan 20 14:55:27 [sshd] Invalid user web4 from 72.70.42.36
- Last output repeated 2 times -
Jan 20 14:55:35 [sshd] Invalid user web5 from 72.70.42.36
- Last output repeated 4 times -
Jan 20 14:55:49 [sshd] Invalid user web6 from 72.70.42.36
- Last output repeated 3 times -
Jan 20 14:55:53 [sshd] Invalid user web7 from 72.70.42.36
- Last output repeated 5 times -
Jan 20 14:56:10 [sshd] Invalid user web0 from 72.70.42.36
- Last output repeated 8 times -
Jan 20 14:56:25 [sshd] Invalid user test from 72.70.42.36
- Last output repeated 25 times -
Jan 20 14:57:15 [sshd] Invalid user test1 from 72.70.42.36
- Last output repeated 12 times -
Jan 20 14:57:40 [sshd] Invalid user test123 from 72.70.42.36
- Last output repeated 12 times -
Jan 20 14:58:06 [sshd] Invalid user tester from 72.70.42.36
- Last output repeated 14 times -
Jan 20 14:58:34 [sshd] Invalid user testing from 72.70.42.36
- Last output repeated 17 times -
Jan 20 14:59:09 [sshd] Invalid user test2 from 72.70.42.36
- Last output repeated 10 times -
Jan 20 14:59:33 [sshd] Invalid user administrator from 72.70.42.36
- Last output repeated 14 times -
Jan 20 15:00:00 [sshd] Invalid user postfix from 72.70.42.36
- Last output repeated 10 times -
Jan 20 15:00:23 [sshd] Invalid user guest from 72.70.42.36
- Last output repeated 14 times -
Jan 20 15:00:53 [sshd] Invalid user linux from 72.70.42.36
- Last output repeated 14 times -
Jan 20 15:01:25 [sshd] Invalid user service from 72.70.42.36
- Last output repeated 14 times -
Jan 20 15:01:52 [sshd] Invalid user connie from 72.70.42.36
- Last output repeated 15 times -
Jan 20 15:02:25 [sshd] Invalid user user from 72.70.42.36
- Last output repeated 15 times -
Jan 20 15:02:54 [sshd] Invalid user user1 from 72.70.42.36
- Last output repeated 16 times -
Jan 20 15:03:28 [sshd] Invalid user user123 from 72.70.42.36
- Last output repeated 10 times -
Jan 20 15:03:50 [sshd] Invalid user www from 72.70.42.36
- Last output repeated 20 times -
Jan 20 15:04:29 [sshd] User ftp not allowed because account is locked
- Last output repeated 19 times -
Jan 20 15:05:13 [sshd] Invalid user ftpuser from 72.70.42.36
- Last output repeated 17 times -
Jan 20 15:05:49 [sshd] Invalid user oracle from 72.70.42.36
- Last output repeated 24 times -
Jan 20 15:06:37 [sshd] Invalid user nagios from 72.70.42.36
- Last output repeated 25 times -
Jan 20 15:07:27 [sshd] Invalid user asterisk from 72.70.42.36
- Last output repeated 15 times -
Jan 20 15:07:56 [sshd] Invalid user office from 72.70.42.36
- Last output repeated 14 times -
Jan 20 15:08:28 [sshd] Invalid user center from 72.70.42.36
- Last output repeated 12 times -
Jan 20 15:08:56 [sshd] Invalid user fax from 72.70.42.36
- Last output repeated 13 times -
Jan 20 15:09:22 [sshd] Invalid user abc from 72.70.42.36
- Last output repeated 10 times -
Jan 20 15:09:47 [sshd] Invalid user public from 72.70.42.36
- Last output repeated 13 times -
Jan 20 15:10:19 [sshd] Invalid user postgres from 72.70.42.36
- Last output repeated 24 times -
Jan 20 15:11:08 [sshd] Invalid user info from 72.70.42.36
- Last output repeated 23 times -
Jan 20 15:11:56 [sshd] Invalid user scan from 72.70.42.36
- Last output repeated 7 times -
Jan 20 15:12:11 [sshd] Invalid user scanner from 72.70.42.36
- Last output repeated 20 times -
Jan 20 15:12:55 [sshd] Invalid user upload from 72.70.42.36
- Last output repeated 16 times -
Jan 20 15:13:29 [sshd] Invalid user demo from 72.70.42.36
- Last output repeated 13 times -
Jan 20 15:14:00 [sshd] Invalid user video from 72.70.42.36
- Last output repeated 11 times -
Jan 20 15:14:24 [sshd] Invalid user support from 72.70.42.36
- Last output repeated 11 times -
Jan 20 15:14:48 [sshd] Invalid user nita from 72.70.42.36
- Last output repeated 14 times -
Jan 20 15:15:15 [sshd] Invalid user jobs from 72.70.42.36
- Last output repeated 15 times -
Jan 20 15:15:48 [sshd] Invalid user web from 72.70.42.36
- Last output repeated 15 times -
Jan 20 15:16:21 [sshd] User mysql not allowed because account is locked
- Last output repeated 12 times -
Jan 20 15:16:46 [sshd] User mail not allowed because account is locked
- Last output repeated 12 times -
Jan 20 15:17:14 [sshd] Invalid user arun from 72.70.42.36
- Last output repeated 15 times -
Jan 20 15:17:43 [sshd] Invalid user admin from 72.70.42.36
- Last output repeated 13 times -
Jan 20 15:18:14 [sshd] Invalid user admin2 from 72.70.42.36
- Last output repeated 11 times -
Jan 20 15:18:37 [sshd] Invalid user admin1 from 72.70.42.36
- Last output repeated 9 times -
Jan 20 15:18:54 [sshd] User clamav not allowed because account is locked
- Last output repeated 14 times -
Jan 20 15:19:24 [sshd] Invalid user allan from 72.70.42.36
- Last output repeated 12 times -
Jan 20 15:19:49 [sshd] Invalid user anurag from 72.70.42.36
- Last output repeated 10 times -
Jan 20 15:20:12 [sshd] Invalid user ramesh from 72.70.42.36
- Last output repeated 12 times -
Jan 20 15:20:38 [sshd] User nobody not allowed because account is locked
- Last output repeated 11 times -
Jan 20 15:21:02 [sshd] Invalid user dinesh from 72.70.42.36
- Last output repeated 12 times -
Jan 20 15:21:30 [sshd] Invalid user benny from 72.70.42.36
- Last output repeated 10 times -
Jan 20 15:21:54 [sshd] Invalid user emerson from 72.70.42.36
- Last output repeated 10 times -
Jan 20 15:22:16 [sshd] Invalid user press from 72.70.42.36
- Last output repeated 12 times -
Jan 20 15:22:41 [sshd] Invalid user hera from 72.70.42.36
- Last output repeated 12 times -
Jan 20 15:23:11 [sshd] Invalid user julie from 72.70.42.36
- Last output repeated 12 times -
Jan 20 15:23:37 [sshd] Invalid user lee from 72.70.42.36
- Last output repeated 12 times -
Jan 20 15:24:02 [sshd] Invalid user deborah from 72.70.42.36
- Last output repeated 9 times -
Jan 20 15:24:24 [sshd] Invalid user xyz from 72.70.42.36
- Last output repeated 6 times -
Jan 20 15:24:37 [sshd] Invalid user abc from 72.70.42.36
- Last output repeated 7 times -
Jan 20 15:24:51 [sshd] Invalid user aa from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:25:01 [sshd] Invalid user bb from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:25:10 [sshd] Invalid user cc from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:25:15 [sshd] Invalid user dd from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:25:25 [sshd] Invalid user ee from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:25:35 [sshd] Invalid user ff from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:25:39 [sshd] Invalid user gg from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:25:49 [sshd] Invalid user hh from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:25:59 [sshd] Invalid user ii from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:26:03 [sshd] Invalid user jj from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:26:13 [sshd] Invalid user kk from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:26:22 [sshd] Invalid user ll from 72.70.42.36
- Last output repeated 2 times -
Jan 20 15:26:26 [sshd] Invalid user mm from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:26:35 [sshd] Invalid user nn from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:26:40 [sshd] Invalid user oo from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:26:50 [sshd] Invalid user pp from 72.70.42.36
- Last output repeated 3 times -
Jan 20 15:27:00 [sshd] Invalid user qq from 72.70.42.36
- Last output repeated 2 times -

I'm using denyhosts but it seems that it doesn't deny anyone until an
hour has passed, despite the fact I'm using the daemon which
constantly monitors the log file... by which time hundreds or
thousands of attempts can be made. Maybe that's a configuration issue
on my denyhosts setup, but shouldn't sshd be blocking them in the
first place?

Thanks,
Paul
 
Old 01-20-2009, 08:47 PM
Etaoin Shrdlu
 
Default Why isn't sshd blocking repeated failed login attempts?

On Tuesday 20 January 2009, 22:33, Paul Hartman wrote:
> Hi,
>
> After setting up public key authentication i changed my sshd back to
> port 22 and got the expected bombardment of connection attempts.
> However, it doesn't seem to ever stop them. I'm using sshd with this
> setting:
>
> MaxAuthTries 3
>
> in my /etc/ssh/sshd_config
>
> So, why does it allow unlimited failed login attempts? For example, as
> I write this I'm seeing this in my logs:
>
> Jan 20 14:54:38 [sshd] Invalid user ejin from 72.70.42.36
> Jan 20 14:54:39 [sshd] Invalid user core from 72.70.42.36
> [cut]

What MaxAuthTries does is just start logging the failed attempts when
they reach ( value / 2 ).

MaxAuthTries
Specifies the maximum number of authentication attempts
permitted per connection. Once the number of failures
reaches half this value, additional failures are logged.
The default is 6.
 
Old 01-20-2009, 08:49 PM
"Joshua Murphy"
 
Default Why isn't sshd blocking repeated failed login attempts?

On Tue, Jan 20, 2009 at 4:33 PM, Paul Hartman
<paul.hartman+gentoo@gmail.com> wrote:
> Hi,
>
> After setting up public key authentication i changed my sshd back to
> port 22 and got the expected bombardment of connection attempts.
> However, it doesn't seem to ever stop them. I'm using sshd with this
> setting:
>
> MaxAuthTries 3
>
> in my /etc/ssh/sshd_config
>
> So, why does it allow unlimited failed login attempts? For example, as
> I write this I'm seeing this in my logs:
>
<snip>
>
> I'm using denyhosts but it seems that it doesn't deny anyone until an
> hour has passed, despite the fact I'm using the daemon which
> constantly monitors the log file... by which time hundreds or
> thousands of attempts can be made. Maybe that's a configuration issue
> on my denyhosts setup, but shouldn't sshd be blocking them in the
> first place?
>
> Thanks,
> Paul

I'm pretty sure MaxAuthTries 3 does nothing more than disconnect you
after 3 failed connections (meaning all you have to do is reconnect to
keep trying)... it doesn't do any sort of 'intelligent' protection of
the system. DenyHosts worked great for me while I used it, but I also
found that a firewall rule limiting connection attempts to 3 per
source IP per 10 minute period put a big dent in the number of tries
that denyhosts ever even had to see (though they were always enough to
get that source blacklisted, I had things set rather restrictive).
Something I was pointed towards on IRC, in the event that the SSH
server you're running is primarily for your use or the use of
knowledgeable users (fellow admins)... look up Single Packet
Authorization (SPA).

--
Poison [BLX]
Joshua M. Murphy
 
Old 01-21-2009, 11:36 AM
Nikos Chantziaras
 
Default Why isn't sshd blocking repeated failed login attempts?

Paul Hartman wrote:

I'm using the online denyhosts synchronization database, I think that
may negatively affect how often it blocks hosts locally, because it
waits until it does a remote sync to scan the local file. This is my
theory. I like the idea of sharing my blocks and taking advantage of
the blocks of others, but if it renders the program ineffective
against the IP /actively/ attacking my system, then it's pointless.

I'm going to turn off the online sharing of denyhosts and see if it
makes a difference.

Otherwise I guess I need to set up some kind of local firewall on this
machine to get any more fine control over the connections.


The shared list of attackers doesn't have anything to do with it.
Denyhosts checks the logs every X seconds. I think 30 by default, not
sure. In that time, there can be many more attempted logins then the
maximum you have configured in Denyhosts.


Also, the downloaded list of known attack hosts is copied locally into
your hosts.deny file. That's all there is to it.
 
Old 01-21-2009, 01:56 PM
Neil Bothwick
 
Default Why isn't sshd blocking repeated failed login attempts?

On Wed, 21 Jan 2009 08:35:08 -0600, Paul Hartman wrote:

> I disabled the network sync but denyhosts still takes "forever" before
> denying... each IP is able to do hundreds of attempts before getting
> added to the hosts.deny file.
>

I use sshutout to add the address of repeated attempts to iptables. It's
not in portage but you can get it from
http://www.techfinesse.com/sshutout/sshutout.html

--
Neil Bothwick

What if there were no hypothetical situations?
 
Old 01-21-2009, 04:53 PM
Nikos Chantziaras
 
Default Why isn't sshd blocking repeated failed login attempts?

Paul Hartman wrote:

On Wed, Jan 21, 2009 at 6:36 AM, Nikos Chantziaras <realnc@arcor.de> wrote:

The shared list of attackers doesn't have anything to do with it. Denyhosts
checks the logs every X seconds. I think 30 by default, not sure. In that
time, there can be many more attempted logins then the maximum you have
configured in Denyhosts.

Also, the downloaded list of known attack hosts is copied locally into your
hosts.deny file. That's all there is to it.


Then what would cause it to not add a new denied host until after many
many attempts?

I disabled the network sync but denyhosts still takes "forever" before
denying... each IP is able to do hundreds of attempts before getting
added to the hosts.deny file.


Can you check the logs to see the timespan in which those hundreds of
attempts took place? Also, what's the time interval Denyhosts checks
for login attempts?
 
Old 01-22-2009, 07:31 AM
Mick
 
Default Why isn't sshd blocking repeated failed login attempts?

On Wednesday 21 January 2009, Paul Hartman wrote:
> On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras <realnc@arcor.de> wrote:
> > Paul Hartman wrote:

> The most recently denied host from this afternoon made over 200 login
> attempts in a span of 17 minutes before denyhosts caught it.

You may want to have a look at fail2ban. I recall it kicks in much faster.

However, the best approach to this would probably be to use iptables and set a
limit as to how many connections an unknown host could start.
--
Regards,
Mick
 
Old 01-22-2009, 11:06 AM
Robin Atwood
 
Default Why isn't sshd blocking repeated failed login attempts?

On Thursday 22 Jan 2009, Paul Hartman wrote:
> On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras <realnc@arcor.de> wrote:

> Jan 21 14:35:43 [sshd] Invalid user murray from 203.110.208.68
>
>
> So, 11 attempts in the first minute of activity (and it picked up
> pace, later on attempting every 2 seconds). Surely denyhosts should
> have blocked it already at that point based on my settings, correct?

Your regex's might not be up to snuff. Try adding the one below to
denyhosts.conf:

USERDEF_FAILED_ENTRY_REGEX=Invalid user (?P<user>.*) .*from (::ffff?
(?P<host>d{1,3}.d{1,3}.d{1,3}.d{1,3})

HTH
-Robin
--
 
Old 01-22-2009, 03:06 PM
Nikos Chantziaras
 
Default Why isn't sshd blocking repeated failed login attempts?

Paul Hartman wrote:

On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras <realnc@arcor.de> wrote:

Can you check the logs to see the timespan in which those hundreds of
attempts took place? Also, what's the time interval Denyhosts checks for
login attempts?


The most recently denied host from this afternoon made over 200 login
attempts in a span of 17 minutes before denyhosts caught it. In my
denyhosts.conf I have these:

DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 3
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1


What is the value of DAEMON_SLEEP?
 
Old 01-22-2009, 03:37 PM
"James Homuth"
 
Default Why isn't sshd blocking repeated failed login attempts?

-----Original Message-----
From: news [mailto:news@ger.gmane.org] On Behalf Of Nikos Chantziaras
Sent: January 22, 2009 11:07 AM
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Why isn't sshd blocking repeated failed login
attempts?

Paul Hartman wrote:
> On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras <realnc@arcor.de>
wrote:
>> Can you check the logs to see the timespan in which those hundreds of
>> attempts took place? Also, what's the time interval Denyhosts checks
>> for login attempts?
>
> The most recently denied host from this afternoon made over 200 login
> attempts in a span of 17 minutes before denyhosts caught it. In my
> denyhosts.conf I have these:
>
> DENY_THRESHOLD_INVALID = 3
> DENY_THRESHOLD_VALID = 3
> DENY_THRESHOLD_ROOT = 1
> DENY_THRESHOLD_RESTRICTED = 1

What is the value of DAEMON_SLEEP?


Denyhosts doesn't pick up on certain types of PAM auth regular expressions.
If any of those appear in your logs during those 200+ attempts, Denyhosts is
probably not reading them. I've already reported it
(http://bugs.gentoo.org/show_bug.cgi?id=248047) if you want to add anything
to it.
 

Thread Tools




All times are GMT. The time now is 07:29 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org