On Tue, Jan 20, 2009 at 3:49 PM, Joshua Murphy <poisonbl@gmail.com> wrote:
> On Tue, Jan 20, 2009 at 4:33 PM, Paul Hartman
> <paul.hartman+gentoo@gmail.com> wrote:
>> Hi,
>>
>> After setting up public key authentication i changed my sshd back to
>> port 22 and got the expected bombardment of connection attempts.
>> However, it doesn't seem to ever stop them. I'm using sshd with this
>> setting:
>>
>> MaxAuthTries 3
>>
>> in my /etc/ssh/sshd_config
>>
>> So, why does it allow unlimited failed login attempts? For example, as
>> I write this I'm seeing this in my logs:
>>
> <snip>
>>
>> I'm using denyhosts but it seems that it doesn't deny anyone until an
>> hour has passed, despite the fact I'm using the daemon which
>> constantly monitors the log file... by which time hundreds or
>> thousands of attempts can be made. Maybe that's a configuration issue
>> on my denyhosts setup, but shouldn't sshd be blocking them in the
>> first place?
>>
>> Thanks,
>> Paul
>
> I'm pretty sure MaxAuthTries 3 does nothing more than disconnect you
> after 3 failed connections (meaning all you have to do is reconnect to
> keep trying)... it doesn't do any sort of 'intelligent' protection of
> the system. DenyHosts worked great for me while I used it, but I also
> found that a firewall rule limiting connection attempts to 3 per
> source IP per 10 minute period put a big dent in the number of tries
> that denyhosts ever even had to see (though they were always enough to
> get that source blacklisted, I had things set rather restrictive).
> Something I was pointed towards on IRC, in the event that the SSH
> server you're running is primarily for your use or the use of
> knowledgeable users (fellow admins)... look up Single Packet
> Authorization (SPA).

I'm using the online denyhosts synchronization database, I think that
may negatively affect how often it blocks hosts locally, because it
waits until it does a remote sync to scan the local file. This is my
theory. I like the idea of sharing my blocks and taking advantage of
the blocks of others, but if it renders the program ineffective
against the IP /actively/ attacking my system, then it's pointless.

I'm going to turn off the online sharing of denyhosts and see if it
makes a difference.

Otherwise I guess I need to set up some kind of local firewall on this
machine to get any more fine control over the connections.

Thanks
Paul

On Wed, Jan 21, 2009 at 6:36 AM, Nikos Chantziaras <realnc@arcor.de> wrote:
> Paul Hartman wrote:
>>
>> I'm using the online denyhosts synchronization database, I think that
>> may negatively affect how often it blocks hosts locally, because it
>> waits until it does a remote sync to scan the local file. This is my
>> theory. I like the idea of sharing my blocks and taking advantage of
>> the blocks of others, but if it renders the program ineffective
>> against the IP /actively/ attacking my system, then it's pointless.
>>
>> I'm going to turn off the online sharing of denyhosts and see if it
>> makes a difference.
>>
>> Otherwise I guess I need to set up some kind of local firewall on this
>> machine to get any more fine control over the connections.
>
> The shared list of attackers doesn't have anything to do with it. Denyhosts
> checks the logs every X seconds. I think 30 by default, not sure. In that
> time, there can be many more attempted logins then the maximum you have
> configured in Denyhosts.
>
> Also, the downloaded list of known attack hosts is copied locally into your
> hosts.deny file. That's all there is to it.

Then what would cause it to not add a new denied host until after many
many attempts?

I disabled the network sync but denyhosts still takes "forever" before
denying... each IP is able to do hundreds of attempts before getting
added to the hosts.deny file.

On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras <realnc@arcor.de> wrote:
> Paul Hartman wrote:
>>
>> On Wed, Jan 21, 2009 at 6:36 AM, Nikos Chantziaras <realnc@arcor.de>
>> wrote:
>>>
>>> The shared list of attackers doesn't have anything to do with it.
>>> Denyhosts
>>> checks the logs every X seconds. I think 30 by default, not sure. In
>>> that
>>> time, there can be many more attempted logins then the maximum you have
>>> configured in Denyhosts.
>>>
>>> Also, the downloaded list of known attack hosts is copied locally into
>>> your
>>> hosts.deny file. That's all there is to it.
>>
>> Then what would cause it to not add a new denied host until after many
>> many attempts?
>>
>> I disabled the network sync but denyhosts still takes "forever" before
>> denying... each IP is able to do hundreds of attempts before getting
>> added to the hosts.deny file.
>
> Can you check the logs to see the timespan in which those hundreds of
> attempts took place? Also, what's the time interval Denyhosts checks for
> login attempts?

The most recently denied host from this afternoon made over 200 login
attempts in a span of 17 minutes before denyhosts caught it. In my
denyhosts.conf I have these:

DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 3
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1

This is with the online sync disabled, and denyhosts running in daemon
mode (not cron). The denyhosts log file verifies that it is
interpreting those setting properly, as it shows the same values.
Weird.

Here's the beginning of the attempts:

Jan 21 14:34:48 [sshd] Invalid user apple from 203.110.208.68
Jan 21 14:34:53 [sshd] Invalid user brian from 203.110.208.68
Jan 21 14:34:59 [sshd] Invalid user andrew from 203.110.208.68
Jan 21 14:35:04 [sshd] Invalid user newsroom from 203.110.208.68
Jan 21 14:35:10 [sshd] Invalid user magazine from 203.110.208.68
Jan 21 14:35:16 [sshd] Invalid user research from 203.110.208.68
Jan 21 14:35:21 [sshd] Invalid user cjohnson from 203.110.208.68
Jan 21 14:35:27 [sshd] Invalid user export from 203.110.208.68
Jan 21 14:35:32 [sshd] Invalid user photo from 203.110.208.68
Jan 21 14:35:38 [sshd] Invalid user gast from 203.110.208.68
Jan 21 14:35:43 [sshd] Invalid user murray from 203.110.208.68


So, 11 attempts in the first minute of activity (and it picked up
pace, later on attempting every 2 seconds). Surely denyhosts should
have blocked it already at that point based on my settings, correct?

Thanks
Paul

On Tue, Jan 20, 2009 at 5:47 PM, Etaoin Shrdlu <shrdlu@unlimitedmail.org> wrote:
> On Tuesday 20 January 2009, 22:33, Paul Hartman wrote:
>> Hi,
>>
>> After setting up public key authentication i changed my sshd back to
>> port 22 and got the expected bombardment of connection attempts.
>> However, it doesn't seem to ever stop them. I'm using sshd with this
>> setting:
>>
>> MaxAuthTries 3
>>
>> in my /etc/ssh/sshd_config
>>
>> So, why does it allow unlimited failed login attempts? For example, as
>> I write this I'm seeing this in my logs:
>>
>> Jan 20 14:54:38 [sshd] Invalid user ejin from 72.70.42.36
>> Jan 20 14:54:39 [sshd] Invalid user core from 72.70.42.36
>> [cut]
>
> What MaxAuthTries does is just start logging the failed attempts when
> they reach ( value / 2 ).
>
> MaxAuthTries
> Specifies the maximum number of authentication attempts
> permitted per connection. Once the number of failures
> reaches half this value, additional failures are logged.
> The default is 6.

Hi,

I use this

http://www.go2linux.org/fail2ban-secure-linux-services-from-brute-forces-attacks

or this

http://www.go2linux.org/denyhosts-secure-your-linux-against-dictionary-attacks

you may also want to read this:

http://www.go2linux.org/disable-ssh-root-direct-login
>
>
>
>



--
Guillermo Garron
"Linux IS user friendly... It's just selective about who its friends are."
(Using Ubuntu, Debian, Gentoo)
http://feeds.feedburner.com/go2linux
http://www.go2linux.org

On Thu, Jan 22, 2009 at 10:06 AM, Nikos Chantziaras <realnc@arcor.de> wrote:
> Paul Hartman wrote:
>>
>> On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras <realnc@arcor.de>
>> wrote:
>>>
>>> Can you check the logs to see the timespan in which those hundreds of
>>> attempts took place? Also, what's the time interval Denyhosts checks for
>>> login attempts?
>>
>> The most recently denied host from this afternoon made over 200 login
>> attempts in a span of 17 minutes before denyhosts caught it. In my
>> denyhosts.conf I have these:
>>
>> DENY_THRESHOLD_INVALID = 3
>> DENY_THRESHOLD_VALID = 3
>> DENY_THRESHOLD_ROOT = 1
>> DENY_THRESHOLD_RESTRICTED = 1
>
> What is the value of DAEMON_SLEEP?

################################################## #####################
#
# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
# this is the amount of time DenyHosts will sleep between polling
# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
#
#
DAEMON_SLEEP = 30s

On Thu, Jan 22, 2009 at 10:37 AM, James Homuth <james@the-jdh.com> wrote:
>
>
> -----Original Message-----
> From: news [mailto:news@ger.gmane.org] On Behalf Of Nikos Chantziaras
> Sent: January 22, 2009 11:07 AM
> To: gentoo-user@lists.gentoo.org
> Subject: [gentoo-user] Re: Why isn't sshd blocking repeated failed login
> attempts?
>
> Paul Hartman wrote:
>> On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras <realnc@arcor.de>
> wrote:
>>> Can you check the logs to see the timespan in which those hundreds of
>>> attempts took place? Also, what's the time interval Denyhosts checks
>>> for login attempts?
>>
>> The most recently denied host from this afternoon made over 200 login
>> attempts in a span of 17 minutes before denyhosts caught it. In my
>> denyhosts.conf I have these:
>>
>> DENY_THRESHOLD_INVALID = 3
>> DENY_THRESHOLD_VALID = 3
>> DENY_THRESHOLD_ROOT = 1
>> DENY_THRESHOLD_RESTRICTED = 1
>
> What is the value of DAEMON_SLEEP?
>
>
> Denyhosts doesn't pick up on certain types of PAM auth regular expressions.
> If any of those appear in your logs during those 200+ attempts, Denyhosts is
> probably not reading them. I've already reported it
> (http://bugs.gentoo.org/show_bug.cgi?id=248047) if you want to add anything
> to it.

I don't use PAM in sshd so I don't think that's my problem, but the
whole regexp thing is a possiblity in general as someone else
suggested. I will check into it tonight after work.

Thanks,

Paul

On Fri, Jan 23, 2009 at 2:33 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Friday 23 January 2009 22:22:17 Paul Hartman wrote:
>> I essentially want it to work the other way around. Deny access by
>> default unless there is an allow rule. I don't think I can do that,
>> though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will
>> deny ME access to my own machine. I don't want that. Since I don't
>> have a specific IP i will connect from, I can't allow any specific IP
>> (or else I'd be doing it that way already).
>>
>> How can I accomplish this?:
>>
>> Allow all ssh connections unless they are in hosts.deny
>> Deny all other connections unless they are in hosts.allow
>
> Have you looked at port knocking?
>
> It's a complete ball ache to set up and use, far less useful than it seems,
> but it might also solve your conundrum.
>
> A friend once mentioned on a forum that he'd managed to set up static libwrap
> rules in hosts.allow|deny for addresses that don't change and additionally
> port-knocking for himself to open up port 22 for a few minutes. I don't
> recall how he did this, only that he claimed to have done it.

I've never tried it but I have always liked the idea. I connect to
sshd from linux (my laptop), windows (my work desktop) and symbian (my
phone).

knockd and the knocking client should be no problem for linux &
windows, but for my phone I'd probably have to make one myself. Is it
as simple as making a connection to a specific sequence of ports with
specific timing? I could probably do that easily in python. Sounds
like a project for this weekend.

thanks,
paul