public inbox for gentoo-user@lists.gentoo.org
From: Paul Hartman <paul.hartman+gentoo@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Why isn't sshd blocking repeated failed login attempts?
Date: Tue, 20 Jan 2009 15:54:11 -0600
Message-ID: <58965d8a0901201354n30001077v3771d17ec20b4b03@mail.gmail.com>
In-Reply-To: <c30988c30901201349h52315d03m1ac59210159c487@mail.gmail.com>

On Tue, Jan 20, 2009 at 3:49 PM, Joshua Murphy <poisonbl@gmail.com> wrote:
> On Tue, Jan 20, 2009 at 4:33 PM, Paul Hartman
> <paul.hartman+gentoo@gmail.com> wrote:
>> Hi,
>>
>> After setting up public key authentication I changed my sshd back to
>> port 22 and got the expected bombardment of connection attempts.
>> However, it doesn't seem to ever stop them. I'm using sshd with this
>> setting:
>>
>> MaxAuthTries 3
>>
>> in my /etc/ssh/sshd_config
>>
>> So, why does it allow unlimited failed login attempts? For example, as
>> I write this I'm seeing this in my logs:
>>
> <snip>
>>
>> I'm using denyhosts but it seems that it doesn't deny anyone until an
>> hour has passed, despite the fact I'm using the daemon which
>> constantly monitors the log file... by which time hundreds or
>> thousands of attempts can be made. Maybe that's a configuration issue
>> on my denyhosts setup, but shouldn't sshd be blocking them in the
>> first place?
>>
>> Thanks,
>> Paul
>
> I'm pretty sure MaxAuthTries 3 does nothing more than disconnect you
> after 3 failed connections (meaning all you have to do is reconnect to
> keep trying)... it doesn't do any sort of 'intelligent' protection of
> the system. DenyHosts worked great for me while I used it, but I also
> found that a firewall rule limiting connection attempts to 3 per
> source IP per 10 minute period put a big dent in the number of tries
> that denyhosts ever even had to see (though they were always enough to
> get that source blacklisted, I had things set rather restrictive).
> Something I was pointed towards on IRC, in the event that the SSH
> server you're running is primarily for your use or the use of
> knowledgeable users (fellow admins)... look up Single Packet
> Authorization (SPA).

I'm using the online denyhosts synchronization database, I think that
may negatively affect how often it blocks hosts locally, because it
waits until it does a remote sync to scan the local file. This is my
theory. I like the idea of sharing my blocks and taking advantage of
the blocks of others, but if it renders the program ineffective
against the IP /actively/ attacking my system, then it's pointless.

I'm going to turn off the online sharing of denyhosts and see if it
makes a difference.

Otherwise I guess I need to set up some kind of local firewall on this
machine to get any more fine control over the connections.

Thanks
Paul
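As an added example that is not part of this thread, the threshold Joshua describes (more than 3 failures from one source IP within a 10 minute period) applied as a check over sshd log lines, which is the kind of scan denyhosts performs, rather than as a firewall rule. It also shows why a legitimate user whose occasional failures are spread out is not flagged. The hostname, PIDs, addresses and log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the OpenSSH "Failed password" line as syslog records it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def failures_by_window(lines, limit=3, window=timedelta(minutes=10)):
    """Return {ip: time of first excess} for every source IP that exceeds
    `limit` failed logins inside any sliding `window`. Syslog timestamps
    carry no year, so all lines are assumed to fall within one year."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and other messages are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that have aged out
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 20 15:40:01 box sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 20 15:41:07 box sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 20 15:42:30 box sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 20 15:43:55 box sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 20 15:44:10 box sshd[2005]: Failed password for paul from 198.51.100.7 port 50001 ssh2
Jan 20 15:45:12 box sshd[2006]: Accepted publickey for paul from 198.51.100.7 port 50002 ssh2
Jan 20 16:10:00 box sshd[2007]: Failed password for paul from 198.51.100.7 port 50003 ssh2
Jan 20 16:20:00 box sshd[2008]: Failed password for paul from 198.51.100.7 port 50004 ssh2
Jan 20 16:30:00 box sshd[2009]: Failed password for paul from 198.51.100.7 port 50005 ssh2
Jan 20 16:40:00 box sshd[2010]: Failed password for paul from 198.51.100.7 port 50006 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in failures_by_window(SAMPLE_LOG).items():
        print(f"{ip} exceeded the threshold at {when:%b %d %H:%M:%S}")
```

Only "Failed password" lines are counted; a real sshd log also carries "Invalid user" and preauth disconnect messages that a fuller scanner would include.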
