From: "Joshua Murphy"
To: gentoo-user@lists.gentoo.org
Date: Tue, 20 Jan 2009 16:49:15 -0500
Subject: Re: [gentoo-user] Why isn't sshd blocking repeated failed login attempts?
On Tue, Jan 20, 2009 at 4:33 PM, Paul Hartman wrote:
> Hi,
>
> After setting up public key authentication I changed my sshd back to
> port 22 and got the expected bombardment of connection attempts.
> However, it doesn't seem to ever stop them. I'm using sshd with this
> setting:
>
> MaxAuthTries 3
>
> in my /etc/ssh/sshd_config
>
> So, why does it allow unlimited failed login attempts? For example, as
> I write this I'm seeing this in my logs:
>
>
> I'm using denyhosts but it seems that it doesn't deny anyone until an
> hour has passed, despite the fact I'm using the daemon which
> constantly monitors the log file... by which time hundreds or
> thousands of attempts can be made. Maybe that's a configuration issue
> on my denyhosts setup, but shouldn't sshd be blocking them in the
> first place?
>
> Thanks,
> Paul

I'm pretty sure MaxAuthTries 3 does nothing more than disconnect you after 3 failed connections (meaning all you have to do is reconnect to keep trying)... it doesn't do any sort of 'intelligent' protection of the system.

DenyHosts worked great for me while I used it, but I also found that a firewall rule limiting connection attempts to 3 per source IP per 10 minute period put a big dent in the number of tries that denyhosts ever even had to see (though they were always enough to get that source blacklisted, I had things set rather restrictively).
Something I was pointed towards on IRC, in the event that the SSH server you're running is primarily for your use or the use of knowledgeable users (fellow admins)... look up Single Packet Authorization (SPA).

-- 
Poison [BLX]
Joshua M. Murphy
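As an added example (not part of this thread, and not Joshua's or DenyHosts' code), the script below applies the policy he describes, 3 per source IP per 10 minutes, to sshd log lines instead of at the firewall, using the same sliding-window hit count that iptables' `recent` match uses. It also counts connections separately from password attempts, which is the point about MaxAuthTries: the attacker in the sample gets 5 guesses across 2 connections because being disconnected after 3 just means reconnecting. The log lines, host name, PIDs, IP addresses and the year 2009 are constructed assumptions.

```python
"""Sliding-window detector for repeated sshd password failures.

Added example for the gentoo-user thread; the log sample is constructed,
not captured from a real host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd lines as syslog would write them. One
# attacker (198.51.100.7) makes 3 guesses, is cut off by MaxAuthTries 3,
# reconnects (new PID and port) and makes 2 more. A legitimate user
# (192.0.2.10) mistypes a password now and then over 16 minutes.
SAMPLE_LOG = """\
Jan 20 21:40:01 host sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 40233 ssh2
Jan 20 21:40:02 host sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 40233 ssh2
Jan 20 21:40:03 host sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 40233 ssh2
Jan 20 21:40:03 host sshd[4101]: Disconnecting: Too many authentication failures for admin
Jan 20 21:40:05 host sshd[4107]: Failed password for root from 198.51.100.7 port 40240 ssh2
Jan 20 21:40:06 host sshd[4107]: Failed password for root from 198.51.100.7 port 40240 ssh2
Jan 20 21:45:00 host sshd[4120]: Failed password for paul from 192.0.2.10 port 50001 ssh2
Jan 20 21:52:00 host sshd[4131]: Failed password for paul from 192.0.2.10 port 50002 ssh2
Jan 20 21:58:00 host sshd[4140]: Accepted publickey for paul from 192.0.2.10 port 50003 ssh2
Jan 20 22:01:00 host sshd[4150]: Failed password for paul from 192.0.2.10 port 50004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# syslog timestamps carry no year; 2009 is assumed to match the thread.
ASSUMED_YEAR = 2009


def failed_attempts(log_text):
    """Yield (timestamp, ip, user, pid) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
            yield ts, m["ip"], m["user"], m["pid"]


def attempts_and_connections(log_text):
    """Return {ip: (failed_attempts, distinct_connections)}.

    A connection is identified by the sshd child PID, which changes every
    time the client reconnects after MaxAuthTries cuts it off.
    """
    attempts = defaultdict(int)
    pids = defaultdict(set)
    for _ts, ip, _user, pid in failed_attempts(log_text):
        attempts[ip] += 1
        pids[ip].add(pid)
    return {ip: (attempts[ip], len(pids[ip])) for ip in attempts}


def find_offenders(log_text, limit=3, window_seconds=600):
    """Return {ip: timestamp of the first failure that exceeded the limit}.

    Keeps a sliding window of recent failure times per source IP and flags
    the IP when more than `limit` failures fall inside `window_seconds`,
    the same semantics as iptables `-m recent --update --seconds 600
    --hitcount 4` (hitcount is limit + 1 because the matching packet is
    itself counted).
    """
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip, _user, _pid in failed_attempts(log_text):
        if ip in blocked:
            continue  # already blocked; later lines would not reach sshd
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # expire failures older than the window
        if len(window) > limit:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for ip, (tries, conns) in attempts_and_connections(SAMPLE_LOG).items():
        print(f"{ip}: {tries} failed passwords over {conns} connection(s)")
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} at {when:%H:%M:%S}")
```

Running it blocks 198.51.100.7 on its fourth failure at 21:40:05, after 5 guesses over 2 connections, while 192.0.2.10's three mistakes spread over 16 minutes never have more than two inside any 10-minute window and go unblocked. The firewall version of the same rule, for new TCP connections to port 22, is one `iptables` rule with `-m recent --set` followed by one with `-m recent --update --seconds 600 --hitcount 4 -j DROP`; it counts connections rather than failed passwords, so it also throttles the reconnect loop that MaxAuthTries cannot.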