From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1LRXmn-0006WG-Op for garchives@archives.gentoo.org; Mon, 26 Jan 2009 20:10:22 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7EEADE0334; Mon, 26 Jan 2009 20:10:20 +0000 (UTC) Received: from rv-out-0708.google.com (rv-out-0708.google.com [209.85.198.251]) by pigeon.gentoo.org (Postfix) with ESMTP id 41E9DE0334 for ; Mon, 26 Jan 2009 20:10:20 +0000 (UTC) Received: by rv-out-0708.google.com with SMTP id b17so6532701rvf.46 for ; Mon, 26 Jan 2009 12:10:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to :content-type:content-transfer-encoding; bh=ADyN1NqoXGrft51TfYmk2u485FIzBtzrCxSStLo92MY=; b=aiIwQstltuFJqszWj1ia33IEhGI51obWXvHh+H4x3+4PkbVRh4gx0IMku6iMdIRtSk zTpb9qy/x52bifCNqPgqVSqrmmjfh7DG1u1rww5210z/cagRYWR8kL9ejk9gwgQv2h/z PqH1zCoqZxv9h0KlJXuUPlnmd0OCuhw0j5sUA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; b=Kp6RAxrUIv6NrY04SQtZqmi0J4ryhHcsjPji4nf+sWAcmMPb23pi1b5NJv44ApOs2z 25HSrUZlqFVESG4he84f8eifqEEhrqSLj7g8gvbJsc/wbgTqnBduzR0LbpHcfGpfXWOI d04NgDmyGhwNJvnMK7Y8knpRDfaaBt538ChTE= Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Sender: paul.hartman@gmail.com Received: by 10.140.128.3 with SMTP id a3mr993241rvd.232.1233000619842; Mon, 26 Jan 2009 12:10:19 -0800 (PST) In-Reply-To: <58965d8a0901231334l102f587fr9673255a0eac0ed6@mail.gmail.com> References: <58965d8a0901201333j458b57e8hde9fe4c857e00e2c@mail.gmail.com> <58965d8a0901231222k69325ae0gaac23c45af3c6e85@mail.gmail.com> <58965d8a0901231318jda9e3ddg1f7dd491d420401d@mail.gmail.com> <58965d8a0901231334l102f587fr9673255a0eac0ed6@mail.gmail.com> Date: Mon, 26 Jan 2009 14:10:19 -0600 X-Google-Sender-Auth: a4b699e55d66e6c6 Message-ID: <58965d8a0901261210s70732968hb3ba43d7c8bf32b5@mail.gmail.com> Subject: [gentoo-user] Re: Why isn't sshd blocking repeated failed login attempts? From: Paul Hartman To: gentoo-user@lists.gentoo.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Archives-Salt: b5b17371-d6d8-454c-a5ff-d69aad1c46c8 X-Archives-Hash: f8b2387be983db3320921fcb3f783ff7 On Fri, Jan 23, 2009 at 3:34 PM, Paul Hartman wrote: > On Fri, Jan 23, 2009 at 3:18 PM, Paul Hartman > wrote: >> On Fri, Jan 23, 2009 at 2:22 PM, Paul Hartman >> wrote: >>> On Tue, Jan 20, 2009 at 3:33 PM, Paul Hartman >>> wrote: >>>> Hi, >>>> >>>> After setting up public key authentication i changed my sshd back to >>>> port 22 and got the expected bombardment of connection attempts. >>>> However, it doesn't seem to ever stop them. I'm using sshd with this >>>> setting: >>>> >>>> MaxAuthTries 3 >>>> >>>> in my /etc/ssh/sshd_config >>> [cut] >>> >>> Okay, I have some possible new embarrassing information... as well as >>> some new questions about access control. After combining all logs in >>> chronological order, it appears denyhosts IS properly adding the new >>> host to /etc/hosts.deny but it is simply not causing it to be >>> denied... See this sample: >>> >>> Jan 22 18:42:58 [sshd] Invalid user staff from 59.185.104.218 >>> Jan 22 18:43:01 [sshd] Invalid user sales from 59.185.104.218 >>> Jan 22 18:43:03 [sshd] Invalid user recruit from 59.185.104.218 >>> Jan 22 18:43:06 [denyhosts] Added the following hosts to >>> /etc/hosts.deny - 59.185.104.218 >>> (triband-mum-59.185.104.218.mtnl.net.in) >>> Jan 22 18:43:06 [sshd] Invalid user alias from 59.185.104.218 >>> Jan 22 18:43:09 [sshd] Invalid user office from 59.185.104.218 >>> Jan 22 18:43:11 [sshd] Invalid user samba from 59.185.104.218 >>> Jan 22 18:43:14 [sshd] Invalid user tomcat from 59.185.104.218 >>> Jan 22 18:43:22 [sshd] Invalid user webadmin from 59.185.104.218 >>> >>> So now I am going back to what I should have looked at in the very >>> beginning, my hosts.allow and hosts.deny rules. >>> >>> hosts.allow: >>> sshd: ALL >>> portmap: 127.0.0.1, 192.168.0.0/255.255.255.0 >>> lockd: 127.0.0.1, 192.168.0.0/255.255.255.0 >>> rquotad: 127.0.0.1, 192.168.0.0/255.255.255.0 >>> mountd: 127.0.0.1, 192.168.0.0/255.255.255.0 >>> statd: 127.0.0.1, 192.168.0.0/255.255.255.0 >>> ALL: 127.0.0.1, 192.168.0.0/255.255.255.0 >>> >>> >>> hosts.deny: >>> ALL: ALL >>> sshd: 58.213.125.25 >>> sshd: 75.37.250.107 >>> sshd: 147.83.29.83 >>> sshd: 59.185.104.218 >>> sshd: 210.40.128.31 >>> (and so on) >>> >>> From the manpage: >>> >>> ACCESS CONTROL FILES >>> The access control software consults two files. The search >>> stops at the first match: >>> - Access will be granted when a (daemon,client) pair >>> matches an entry in the /etc/hosts.allow file. >>> - Otherwise, access will be denied when a (daemon,client) >>> pair matches an entry in the /etc/hosts.deny file. >>> - Otherwise, access will be granted. >>> >>> doh! So, basically, when it sees sshd: ALL in hosts.allow, it stops >>> and allows access to everyone. It never even gets around to checking >>> the hosts.deny file. The fact that the login attempts stopped after >>> about an hour must have been purely coincidence. >>> >>> My intended purpose for those entires was to allow all sshd unless >>> they are in the deny file, but I also want to deny everything else >>> that doesn't have an explicit allow/deny rule. I don't think this is >>> possible using hosts.allow/hosts.deny unless I enumerate every >>> service. The deny ALL: ALL will deny me access to sshd. >>> >>> I essentially want it to work the other way around. Deny access by >>> default unless there is an allow rule. I don't think I can do that, >>> though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will >>> deny ME access to my own machine. I don't want that. Since I don't >>> have a specific IP i will connect from, I can't allow any specific IP >>> (or else I'd be doing it that way already). >>> >>> How can I accomplish this?: >>> >>> Allow all ssh connections unless they are in hosts.deny >>> Deny all other connections unless they are in hosts.allow >>> >>> Thanks and sorry for the misdirection :) >>> Paul >>> >> >> After reading more, I see there is an EXCEPT rule as well.. so I can >> theoretically deny: >> >> ALL: ALL EXCEPT sshd >> and hopefully that will do what I was wanting... time to try it :) > > Sorry, i made a typo in my email. > > ALL EXCEPT sshd: ALL > > Tested and working. > > Paul > As a follow-up, using the fixed hosts.allow/deny rules & denyhosts with sync server enabled, it's working great. The majority of ssh connections are being blocked by the denyhosts data, and my own ssh connections are still working fine. :) I still plan to experiment with the more exotic approaches like iptables & portknocking but for now the simple hosts.deny method is working okay. thanks to all, Paul