From: Paul Hartman
To: gentoo-user@lists.gentoo.org
Date: Wed, 21 Jan 2009 16:49:14 -0600
Subject: Re: [gentoo-user] Re: Why isn't sshd blocking repeated failed login attempts?

On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras wrote:
> Paul Hartman wrote:
>>
>> On Wed, Jan 21, 2009 at 6:36 AM, Nikos Chantziaras wrote:
>>>
>>> The shared list of attackers doesn't have anything to do with it. Denyhosts
>>> checks the logs every X seconds. I think 30 by default, not sure. In that
>>> time, there can be many more attempted logins than the maximum you have
>>> configured in Denyhosts.
>>>
>>> Also, the downloaded list of known attack hosts is copied locally into your
>>> hosts.deny file. That's all there is to it.
>>
>> Then what would cause it to not add a new denied host until after many
>> many attempts?
>>
>> I disabled the network sync but denyhosts still takes "forever" before
>> denying... each IP is able to do hundreds of attempts before getting
>> added to the hosts.deny file.
>
> Can you check the logs to see the timespan in which those hundreds of
> attempts took place? Also, what's the time interval Denyhosts checks for
> login attempts?

The most recently denied host from this afternoon made over 200 login
attempts in a span of 17 minutes before denyhosts caught it.

In my denyhosts.conf I have these:

DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 3
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1

This is with the online sync disabled, and denyhosts running in daemon
mode (not cron). The denyhosts log file verifies that it is interpreting
those settings properly, as it shows the same values. Weird.

Here's the beginning of the attempts:

Jan 21 14:34:48 [sshd] Invalid user apple from 203.110.208.68
Jan 21 14:34:53 [sshd] Invalid user brian from 203.110.208.68
Jan 21 14:34:59 [sshd] Invalid user andrew from 203.110.208.68
Jan 21 14:35:04 [sshd] Invalid user newsroom from 203.110.208.68
Jan 21 14:35:10 [sshd] Invalid user magazine from 203.110.208.68
Jan 21 14:35:16 [sshd] Invalid user research from 203.110.208.68
Jan 21 14:35:21 [sshd] Invalid user cjohnson from 203.110.208.68
Jan 21 14:35:27 [sshd] Invalid user export from 203.110.208.68
Jan 21 14:35:32 [sshd] Invalid user photo from 203.110.208.68
Jan 21 14:35:38 [sshd] Invalid user gast from 203.110.208.68
Jan 21 14:35:43 [sshd] Invalid user murray from 203.110.208.68

So, 11 attempts in the first minute of activity (and it picked up pace,
later on attempting every 2 seconds). Surely denyhosts should have blocked
it already at that point based on my settings, correct?

Thanks :)
Paul
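As an added example that is neither part of this thread nor DenyHosts' own code: the script below replays sshd "Invalid user" lines in the format quoted above through a simplified poll-based counter, so you can measure how many attempts land before a host reaches DENY_THRESHOLD_INVALID at a given polling interval. The 30-second interval is the value the thread guesses at, the sample log lines are constructed (documentation-range IP), and the year is assumed to be 2009 because syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Thresholds mirror the post's denyhosts.conf; the 30 s poll interval is the value the thread guesses for daemon mode (an assumption).
DENY_THRESHOLD_INVALID = 3
POLL_INTERVAL_SECONDS = 30

# Matches the sshd lines in the format quoted in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \[sshd\] "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample in that format: documentation-range IP, one attempt every 5-6 s like the quoted burst.
SAMPLE_LOG = """\
Jan 21 14:34:48 [sshd] Invalid user apple from 198.51.100.7
Jan 21 14:34:53 [sshd] Invalid user brian from 198.51.100.7
Jan 21 14:34:59 [sshd] Invalid user andrew from 198.51.100.7
Jan 21 14:35:04 [sshd] Invalid user newsroom from 198.51.100.7
Jan 21 14:35:10 [sshd] Invalid user magazine from 198.51.100.7
Jan 21 14:35:16 [sshd] Invalid user research from 198.51.100.7
"""

def parse_invalid_logins(text, year=2009):
    """Yield (timestamp, user, ip) per 'Invalid user' line; syslog has no year, so one is supplied."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def attempts_before_deny(text, threshold=DENY_THRESHOLD_INVALID, poll=POLL_INTERVAL_SECONDS):
    """Replay the log through a counter that only reads new lines at each poll instant.
    Returns {ip: attempts that had already landed when the host was denied}."""
    events = sorted(parse_invalid_logins(text))
    if not events:
        return {}
    counts, denied, i = {}, {}, 0
    poll_at = events[0][0]  # first poll coincides with the first attempt
    while i < len(events):
        while i < len(events) and events[i][0] <= poll_at:
            ip = events[i][2]
            if ip not in denied:  # a host already in hosts.deny cannot connect again
                counts[ip] = counts.get(ip, 0) + 1
            i += 1
        for ip, n in counts.items():  # the poll: deny anything at or over threshold
            if ip not in denied and n >= threshold:
                denied[ip] = n
        poll_at += timedelta(seconds=poll)
    return denied
```

With the sample burst, a 30-second poll lets six attempts through before the deny, while a 1-second poll stops it at exactly the threshold; neither comes anywhere near the 200 attempts reported in the post, which is what makes the reported behaviour worth investigating in the DenyHosts log rather than explaining it by polling alone.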