[gentoo-user] Re: Why isn't sshd blocking repeated failed login attempts?

[Paul Hartman <paul.hartman+gentoo@gmail.com>]

On Fri, Jan 23, 2009 at 2:22 PM, Paul Hartman
<paul.hartman+gentoo@gmail.com> wrote:
> On Tue, Jan 20, 2009 at 3:33 PM, Paul Hartman
> <paul.hartman+gentoo@gmail.com> wrote:
>> Hi,
>>
>> After setting up public key authentication i changed my sshd back to
>> port 22 and got the expected bombardment of connection attempts.
>> However, it doesn't seem to ever stop them. I'm using sshd with this
>> setting:
>>
>> MaxAuthTries 3
>>
>> in my /etc/ssh/sshd_config
> [cut]
>
> Okay, I have some possible new embarrassing information... as well as
> some new questions about access control. After combining all logs in
> chronological order, it appears denyhosts IS properly adding the new
> host to /etc/hosts.deny but it is simply not causing it to be
> denied... See this sample:
>
> Jan 22 18:42:58 [sshd] Invalid user staff from 59.185.104.218
> Jan 22 18:43:01 [sshd] Invalid user sales from 59.185.104.218
> Jan 22 18:43:03 [sshd] Invalid user recruit from 59.185.104.218
> Jan 22 18:43:06 [denyhosts] Added the following hosts to
> /etc/hosts.deny - 59.185.104.218
> (triband-mum-59.185.104.218.mtnl.net.in)
> Jan 22 18:43:06 [sshd] Invalid user alias from 59.185.104.218
> Jan 22 18:43:09 [sshd] Invalid user office from 59.185.104.218
> Jan 22 18:43:11 [sshd] Invalid user samba from 59.185.104.218
> Jan 22 18:43:14 [sshd] Invalid user tomcat from 59.185.104.218
> Jan 22 18:43:22 [sshd] Invalid user webadmin from 59.185.104.218
>
> So now I am going back to what I should have looked at in the very
> beginning, my hosts.allow and hosts.deny rules.
>
> hosts.allow:
> sshd: ALL
> portmap: 127.0.0.1, 192.168.0.0/255.255.255.0
> lockd: 127.0.0.1, 192.168.0.0/255.255.255.0
> rquotad: 127.0.0.1, 192.168.0.0/255.255.255.0
> mountd: 127.0.0.1, 192.168.0.0/255.255.255.0
> statd: 127.0.0.1, 192.168.0.0/255.255.255.0
> ALL: 127.0.0.1, 192.168.0.0/255.255.255.0
>
>
> hosts.deny:
> ALL: ALL
> sshd: 58.213.125.25
> sshd: 75.37.250.107
> sshd: 147.83.29.83
> sshd: 59.185.104.218
> sshd: 210.40.128.31
> (and so on)
>
> From the manpage:
>
> ACCESS CONTROL FILES
>       The access control software consults two files. The search
> stops at the first match:
>       -      Access will be granted when a (daemon,client) pair
> matches an entry in the /etc/hosts.allow file.
>       -      Otherwise, access will be denied when a (daemon,client)
> pair matches an entry in the /etc/hosts.deny file.
>       -      Otherwise, access will be granted.
>
> doh! So, basically, when it sees sshd: ALL in hosts.allow, it stops
> and allows access to everyone. It never even gets around to checking
> the hosts.deny file. The fact that the login attempts stopped after
> about an hour must have been purely coincidence.
>
> My intended purpose for those entires was to allow all sshd unless
> they are in the deny file, but I also want to deny everything else
> that doesn't have an explicit allow/deny rule. I don't think this is
> possible using hosts.allow/hosts.deny unless I enumerate every
> service. The deny ALL: ALL will deny me access to sshd.
>
> I essentially want it to work the other way around. Deny access by
> default unless there is an allow rule. I don't think I can do that,
> though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will
> deny ME access to my own machine. I don't want that. Since I don't
> have a specific IP i will connect from, I can't allow any specific IP
> (or else I'd be doing it that way already).
>
> How can I accomplish this?:
>
> Allow all ssh connections unless they are in hosts.deny
> Deny all other connections unless they are in hosts.allow
>
> Thanks and sorry for the misdirection :)
> Paul
>

After reading more, I see there is an EXCEPT rule as well.. so I can
theoretically deny:

ALL: ALL EXCEPT sshd
and hopefully that will do what I was wanting... time to try it :)