From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Hartman
To: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
List-Id: Gentoo Linux mail
Date: Tue, 20 Jan 2009 15:54:11 -0600
Subject: Re: [gentoo-user] Why isn't sshd blocking repeated failed login attempts?
Message-ID: <58965d8a0901201354n30001077v3771d17ec20b4b03@mail.gmail.com>
In-Reply-To:
References: <58965d8a0901201333j458b57e8hde9fe4c857e00e2c@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Tue, Jan 20, 2009 at 3:49 PM, Joshua Murphy wrote:
> On Tue, Jan 20, 2009 at 4:33 PM, Paul Hartman wrote:
>> Hi,
>>
>> After setting up public key authentication I changed my sshd back to
>> port 22 and got the expected bombardment of connection attempts.
>> However, it doesn't seem to ever stop them. I'm using sshd with this
>> setting:
>>
>> MaxAuthTries 3
>>
>> in my /etc/ssh/sshd_config
>>
>> So, why does it allow unlimited failed login attempts? For example, as
>> I write this I'm seeing this in my logs:
>>
>
>>
>> I'm using denyhosts but it seems that it doesn't deny anyone until an
>> hour has passed, despite the fact I'm using the daemon which
>> constantly monitors the log file... by which time hundreds or
>> thousands of attempts can be made. Maybe that's a configuration issue
>> on my denyhosts setup, but shouldn't sshd be blocking them in the
>> first place?
>>
>> Thanks,
>> Paul
>
> I'm pretty sure MaxAuthTries 3 does nothing more than disconnect you
> after 3 failed connections (meaning all you have to do is reconnect to
> keep trying)... it doesn't do any sort of 'intelligent' protection of
> the system. DenyHosts worked great for me while I used it, but I also
> found that a firewall rule limiting connection attempts to 3 per
> source IP per 10 minute period put a big dent in the number of tries
> that denyhosts ever even had to see (though they were always enough to
> get that source blacklisted, I had things set rather restrictive).
>
> Something I was pointed towards on IRC, in the event that the SSH
> server you're running is primarily for your use or the use of
> knowledgeable users (fellow admins)... look up Single Packet
> Authorization (SPA).

I'm using the online denyhosts synchronization database, I think that
may negatively affect how often it blocks hosts locally, because it
waits until it does a remote sync to scan the local file. This is my
theory. I like the idea of sharing my blocks and taking advantage of
the blocks of others, but if it renders the program ineffective against
the IP /actively/ attacking my system, then it's pointless.

I'm going to turn off the online sharing of denyhosts and see if it
makes a difference. Otherwise I guess I need to set up some kind of
local firewall on this machine to get any more fine control over the
connections.

Thanks,
Paul
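The thread makes two points that a short log-triage script can make concrete: MaxAuthTries only bounds failures within one TCP connection (a new connection gets a fresh budget), and what actually stops the flood is a per-source limit over a time window, like the "3 per source IP per 10 minutes" firewall rule mentioned above. The following is an added example, not code from the thread, from DenyHosts or from OpenSSH; it parses constructed auth.log lines in OpenSSH's default wording, counts failures per source in a sliding window, and counts distinct sshd child PIDs per source to show why the per-connection limit alone never blocks anyone. The year is assumed (syslog timestamps carry none) and the sample lines are invented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not taken from the original thread).
# Timestamps and message wording follow OpenSSH's default syslog output.
SAMPLE_LOG = """\
Jan 20 15:40:01 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jan 20 15:40:03 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jan 20 15:40:05 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jan 20 15:40:05 host sshd[2001]: Disconnecting: Too many authentication failures for admin
Jan 20 15:40:07 host sshd[2002]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Jan 20 15:41:00 host sshd[2003]: Failed password for root from 198.51.100.7 port 50000 ssh2
Jan 20 15:52:30 host sshd[2004]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jan 20 15:53:00 host sshd[2005]: Accepted publickey for paul from 203.0.113.5 port 52222 ssh2
"""

# Syslog lines have no year; assume one so timestamps can be compared.
YEAR = 2009

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return (timestamp, source ip, user, sshd pid) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not failures
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["pid"]))
    return events


def flag_sources(log_text, limit=3, window=timedelta(minutes=10)):
    """Sliding-window failure count per source IP (the firewall-style rule).

    Returns {ip: timestamp at which that ip reached `limit` failures inside
    `window`}. Sources that never reach the limit are absent.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _user, _pid in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def connections_per_source(log_text):
    """Distinct sshd child PIDs per source IP.

    Each PID is one TCP connection, and MaxAuthTries caps failures per
    connection only, so a source that reconnects after every disconnect
    is never limited by it.
    """
    pids = defaultdict(set)
    for _ts, ip, _user, pid in parse_failures(log_text):
        pids[ip].add(pid)
    return {ip: len(s) for ip, s in pids.items()}


if __name__ == "__main__":
    for ip, when in flag_sources(SAMPLE_LOG).items():
        print(f"{ip} exceeded the limit at {when:%H:%M:%S}")
    for ip, n in connections_per_source(SAMPLE_LOG).items():
        print(f"{ip} used {n} separate connections")
```

In the sample, 192.0.2.10 hits the 3-in-10-minutes limit at 15:40:05 and then keeps going on a second connection after sshd's "Too many authentication failures" disconnect; 198.51.100.7 spaces its attempts more than ten minutes apart and is never flagged, which is exactly the kind of slow scan a window-based rule lets through. The kernel-side equivalent of this check is the iptables `recent` match (`--update --seconds 600 --hitcount 4`) on new connections to port 22, which needs no log scanning at all.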