From: Robin Atwood
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Why isn't sshd blocking repeated failed login attempts?
Date: Thu, 22 Jan 2009 19:06:30 +0700

On Thursday 22 Jan 2009, Paul Hartman wrote:
> On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras wrote:
> Jan 21 14:35:43 [sshd] Invalid user murray from 203.110.208.68
>
> So, 11 attempts in the first minute of activity (and it picked up
> pace, later on attempting every 2 seconds). Surely denyhosts should
> have blocked it already at that point based on my settings, correct?

Your regexes might not be up to snuff. Try adding the one below to
denyhosts.conf:

USERDEF_FAILED_ENTRY_REGEX=Invalid user (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

HTH
-Robin
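
An added example, not part of the original message and not DenyHosts code: an offline check of a candidate USERDEF_FAILED_ENTRY_REGEX against sshd lines before it goes into the config. It assumes DenyHosts applies the pattern with Python's re.search and reads the named groups user and host; every sample line except the first (quoted in the thread) is constructed, and the function names are hypothetical.

```python
import re

# Pattern suggested in the message, written with the named groups it relies on.
USERDEF_FAILED_ENTRY_REGEX = (
    r"Invalid user (?P<user>.*) .*from (::ffff:)?"
    r"(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

SAMPLE_LINES = [
    # Quoted in the thread:
    "Jan 21 14:35:43 [sshd] Invalid user murray from 203.110.208.68",
    # Constructed: IPv4-mapped address form.
    "Jan 21 14:35:45 [sshd] Invalid user admin from ::ffff:203.0.113.7",
    # Constructed: user name that itself contains "from <address>".
    "Jan 21 14:35:47 [sshd] Invalid user a from 198.51.100.9 from 203.0.113.7",
    # Constructed: successful login, must not count as a failure.
    "Jan 21 14:35:49 [sshd] Accepted password for robin from 192.0.2.10",
]


def pattern_is_usable(pattern):
    """True if the pattern compiles and defines the 'host' named group."""
    try:
        return "host" in re.compile(pattern).groupindex
    except re.error:
        return False


def parse_failed_entry(line, pattern=USERDEF_FAILED_ENTRY_REGEX):
    """Return (user, host) when the line is a failed entry, else None."""
    m = re.search(pattern, line)
    return (m.group("user"), m.group("host")) if m else None


def count_by_host(lines, pattern=USERDEF_FAILED_ENTRY_REGEX):
    """Failed entries per source address, as a blocker would tally them."""
    counts = {}
    for line in lines:
        parsed = parse_failed_entry(line, pattern)
        if parsed:
            counts[parsed[1]] = counts.get(parsed[1], 0) + 1
    return counts


if __name__ == "__main__":
    print("usable:", pattern_is_usable(USERDEF_FAILED_ENTRY_REGEX))
    for sample in SAMPLE_LINES:
        print(parse_failed_entry(sample), "<-", sample)
    print(count_by_host(SAMPLE_LINES))
```

Because the user group is greedy, the host captured is the address after the last "from" on the line, which is the one sshd appends.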