From: Paul Hartman
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Why isn't sshd blocking repeated failed login attempts?
Date: Thu, 22 Jan 2009 10:46:43 -0600
Message-ID: <58965d8a0901220846j13c888b1lca08df02a87fd6d4@mail.gmail.com>
In-Reply-To: <061701c97caf$c5e21960$6400a8c0@quan>

On Thu, Jan 22, 2009 at 10:37 AM, James Homuth wrote:
>
> -----Original Message-----
> From: news [mailto:news@ger.gmane.org] On Behalf Of Nikos Chantziaras
> Sent: January 22, 2009 11:07 AM
> To: gentoo-user@lists.gentoo.org
> Subject: [gentoo-user] Re: Why isn't sshd blocking repeated failed login
> attempts?
>
> Paul Hartman wrote:
>> On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras wrote:
>>> Can you check the logs to see the timespan in which those hundreds of
>>> attempts took place? Also, what's the time interval Denyhosts checks
>>> for login attempts?
>>
>> The most recently denied host from this afternoon made over 200 login
>> attempts in a span of 17 minutes before denyhosts caught it. In my
>> denyhosts.conf I have these:
>>
>> DENY_THRESHOLD_INVALID = 3
>> DENY_THRESHOLD_VALID = 3
>> DENY_THRESHOLD_ROOT = 1
>> DENY_THRESHOLD_RESTRICTED = 1
>
> What is the value of DAEMON_SLEEP?
>
>
> Denyhosts doesn't pick up on certain types of PAM auth regular expressions.
> If any of those appear in your logs during those 200+ attempts, Denyhosts is
> probably not reading them. I've already reported it
> (http://bugs.gentoo.org/show_bug.cgi?id=248047) if you want to add anything
> to it.

I don't use PAM in sshd so I don't think that's my problem, but the
whole regexp thing is a possibility in general as someone else
suggested. I will check into it tonight after work.

Thanks,
Paul
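
Added example, not part of the original message and not DenyHosts code: a Python check that counts failed sshd logins per host under a given set of log patterns and lists failure-looking lines that no pattern matched, which is the coverage gap the quoted PAM remark describes. The regular expressions, the constructed sample log lines and the at-or-above threshold rule are assumptions.

```python
import re
from collections import Counter

# Assumed patterns modelled on common OpenSSH / pam_unix syslog messages;
# these are NOT DenyHosts' own regular expressions.
SSHD_NATIVE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (?P<host>\S+)")
PAM_FAILURE = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;"
    r".*\brhost=(?P<host>\S+)")
LOOKS_LIKE_FAILURE = re.compile(r"fail|invalid", re.IGNORECASE)

# Constructed sample log (documentation-range addresses, made-up users).
SAMPLE_LOG = """\
Jan 21 14:02:11 host sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jan 21 14:02:14 host sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Jan 21 14:02:19 host sshd[4105]: Failed password for root from 192.0.2.10 port 40141 ssh2
Jan 21 14:03:01 host sshd[4110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jan 21 14:03:05 host sshd[4112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jan 21 14:03:09 host sshd[4114]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jan 21 14:05:00 host sshd[4120]: Accepted publickey for alice from 192.0.2.50 port 51000 ssh2
""".splitlines()


def audit(lines, patterns, threshold=3):
    """Return (failures per host, hosts at/over threshold, unmatched failure lines)."""
    counts, unmatched = Counter(), []
    for line in lines:
        if "sshd[" not in line:
            continue
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                counts[match.group("host")] += 1
                break
        else:
            # No pattern matched: keep the line only if it still reads like a failure.
            if LOOKS_LIKE_FAILURE.search(line):
                unmatched.append(line)
    flagged = sorted(h for h, n in counts.items() if n >= threshold)
    return counts, flagged, unmatched


if __name__ == "__main__":
    for name, pats in (("native only", [SSHD_NATIVE]),
                       ("native + PAM", [SSHD_NATIVE, PAM_FAILURE])):
        counts, flagged, unmatched = audit(SAMPLE_LOG, pats)
        print(f"{name}: flagged={flagged} unmatched_failures={len(unmatched)}")
```

A non-empty unmatched list on a real auth log means attempts are occurring that the pattern set never counts toward the deny threshold.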