On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras <firstname.lastname@example.org> wrote:
> Paul Hartman wrote:
>> On Wed, Jan 21, 2009 at 6:36 AM, Nikos Chantziaras <email@example.com>
>>> The shared list of attackers doesn't have anything to do with it.
>>> checks the logs every X seconds. I think 30 by default, not sure. In
>>> time, there can be many more attempted logins then the maximum you have
>>> configured in Denyhosts.
>>> Also, the downloaded list of known attack hosts is copied locally into
>>> hosts.deny file. That's all there is to it.
>> Then what would cause it to not add a new denied host until after many
>> many attempts?
>> I disabled the network sync but denyhosts still takes "forever" before
>> denying... each IP is able to do hundreds of attempts before getting
>> added to the hosts.deny file.
> Can you check the logs to see the timespan in which those hundreds of
> attempts took place? Also, what's the time interval Denyhosts checks for
> login attempts?
The most recently denied host from this afternoon made over 200 login
attempts in a span of 17 minutes before denyhosts caught it. In my
denyhosts.conf I have these:
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 3
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
This is with the online sync disabled, and denyhosts running in daemon
mode (not cron). The denyhosts log file verifies that it is
interpreting those setting properly, as it shows the same values.
Here's the beginning of the attempts:
Jan 21 14:34:48 [sshd] Invalid user apple from 22.214.171.124
Jan 21 14:34:53 [sshd] Invalid user brian from 126.96.36.199
Jan 21 14:34:59 [sshd] Invalid user andrew from 188.8.131.52
Jan 21 14:35:04 [sshd] Invalid user newsroom from 184.108.40.206
Jan 21 14:35:10 [sshd] Invalid user magazine from 220.127.116.11
Jan 21 14:35:16 [sshd] Invalid user research from 18.104.22.168
Jan 21 14:35:21 [sshd] Invalid user cjohnson from 22.214.171.124
Jan 21 14:35:27 [sshd] Invalid user export from 126.96.36.199
Jan 21 14:35:32 [sshd] Invalid user photo from 188.8.131.52
Jan 21 14:35:38 [sshd] Invalid user gast from 184.108.40.206
Jan 21 14:35:43 [sshd] Invalid user murray from 220.127.116.11
So, 11 attempts in the first minute of activity (and it picked up
pace, later on attempting every 2 seconds). Surely denyhosts should
have blocked it already at that point based on my settings, correct?