Message-ID: <58965d8a0901210635j2670c615ya760ae862125978b@mail.gmail.com>
Date: Wed, 21 Jan 2009 08:35:08 -0600
Subject: Re: [gentoo-user] Re: Why isn't sshd blocking repeated failed login attempts?
From: Paul Hartman
To: gentoo-user@lists.gentoo.org

On Wed, Jan 21, 2009 at 6:36 AM, Nikos Chantziaras wrote:
> Paul Hartman wrote:
>>
>> I'm using the online denyhosts synchronization database, I think that
>> may negatively affect how often it blocks hosts locally, because it
>> waits until it does a remote sync to scan the local file. This is my
>> theory. I like the idea of sharing my blocks and taking advantage of
>> the blocks of others, but if it renders the program ineffective
>> against the IP /actively/ attacking my system, then it's pointless.
>>
>> I'm going to turn off the online sharing of denyhosts and see if it
>> makes a difference.
>>
>> Otherwise I guess I need to set up some kind of local firewall on this
>> machine to get any more fine control over the connections.
>
> The shared list of attackers doesn't have anything to do with it. Denyhosts
> checks the logs every X seconds. I think 30 by default, not sure. In that
> time, there can be many more attempted logins than the maximum you have
> configured in Denyhosts.
>
> Also, the downloaded list of known attack hosts is copied locally into your
> hosts.deny file. That's all there is to it.

Then what would cause it to not add a new denied host until after many
many attempts? I disabled the network sync but denyhosts still takes
"forever" before denying... each IP is able to do hundreds of attempts
before getting added to the hosts.deny file.
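The polling-window effect described in the quoted reply, as an added example that is not part of the original thread and is not DenyHosts code: a model of a log-polling blocker run over constructed sshd log lines. The poll intervals, the threshold of 5, the attempt rate and the sample addresses are all assumptions chosen for illustration.

```python
import math
import re
from datetime import datetime

# Matches sshd "Failed password" syslog lines; captures timestamp and source IP.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def sample_log():
    """Constructed log (not from the thread): one fast source, one slow source."""
    lines = [f"Jan 21 08:35:{s:02d} host sshd[{4000 + s}]: Failed password for "
             f"invalid user admin from 203.0.113.7 port {40000 + s * 5 + n} ssh2"
             for s in range(60) for n in range(5)]        # 5 failures per second
    lines += [f"Jan 21 08:35:{s:02d} host sshd[5000]: Failed password for "
              f"root from 198.51.100.9 port 51000 ssh2" for s in (10, 40)]
    return lines

def parse(lines, year=2009):
    """Return sorted (timestamp, ip) pairs; syslog omits the year, so it is assumed."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return sorted(events)

def attempts_before_block(events, poll_interval, threshold):
    """Failures each IP logs before a blocker that polls every poll_interval
    seconds (first poll one interval after the first event) can react."""
    if not events:
        return {}
    start = events[0][0]
    result = {}
    for ip in {ip for _, ip in events}:
        offsets = [(ts - start).total_seconds() for ts, src in events if src == ip]
        if len(offsets) < threshold:
            result[ip] = len(offsets)          # never reaches the threshold
            continue
        reached = offsets[threshold - 1]       # moment the threshold is crossed
        poll = max(1, math.ceil(reached / poll_interval)) * poll_interval
        result[ip] = sum(1 for o in offsets if o <= poll)
    return result

if __name__ == "__main__":
    events = parse(sample_log())
    for interval in (30, 5, 1):
        print(interval, attempts_before_block(events, interval, threshold=5))
```

In this model a shorter poll interval lowers the count but never brings it down to the threshold itself, because the block only lands at the next poll.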