Package: denyhosts
Version: 2.6-1
Severity: normal

Please consider a brand new installation of denyhosts, not yet run, with the
following configuration:
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /var/local/ssh-denyhosts.txt
PURGE_DENY = 15w
PURGE_THRESHOLD = 2
BLOCK_SERVICE =
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 3
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = [EMAIL PROTECTED]
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts from blabluga <[EMAIL PROTECTED]>
SMTP_SUBJECT = DenyHosts Report
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
PLUGIN_DENY=/usr/local/bin/dropssh
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

And /usr/local/bin/dropssh containing:
#!/bin/sh
# PLUGIN_DENY hook: $1 is the host DenyHosts has just denied.
iptables -t filter -A ssh-deny -s "$1" -j DROP
echo "$(date) $1" >> /tmp/denied-log.txt

All files related to denyhosts are empty:
blabluga:~# ls -l /var/local/ssh-denyhosts.txt /var/lib/denyhosts/* /tmp/denied-log.txt
-rw-r--r-- 1 root root  0 Jun 24 16:36 /tmp/denied-log.txt
-rw-r--r-- 1 root root  0 Jun 24 16:11 /var/lib/denyhosts/hosts
-rw-r--r-- 1 root root  0 Jun 24 16:11 /var/lib/denyhosts/hosts-restricted
-rw-r--r-- 1 root root  0 Jun 24 16:11 /var/lib/denyhosts/hosts-root
-rw-r--r-- 1 root root  0 Jun 24 16:11 /var/lib/denyhosts/hosts-valid
-rw-r--r-- 1 root root  0 Jun 24 16:11 /var/lib/denyhosts/offset
-rw-r--r-- 1 root root  0 Jun 24 16:09 /var/lib/denyhosts/suspicious-logins
-rw-r--r-- 1 root root  0 Jun 24 16:11 /var/lib/denyhosts/users-hosts
-rw-r--r-- 1 root root  0 Jun 24 16:11 /var/lib/denyhosts/users-invalid
-rw-r--r-- 1 root root  0 Jun 24 16:12 /var/lib/denyhosts/users-valid
-rw-r--r-- 1 root staff 0 Jun 24 16:32 /var/local/ssh-denyhosts.txt

After starting the daemon, the situation is as follows.
I received an email with the report:
Added the following hosts to /var/local/ssh-denyhosts.txt:

222.240.131.82 (unknown)
125.71.31.222 (unknown)
142.59.92.133 (sugar.pinnaclesecurity.ca)

Indeed, those three IPs are in the file.
The plugin has been run and the IPs have been added to the ssh-deny chain:
blabluga:~# iptables -L ssh-deny -n
Chain ssh-deny (1 references)
target     prot opt source               destination
DROP       0    --  222.240.131.82       0.0.0.0/0
DROP       0    --  125.71.31.222        0.0.0.0/0
DROP       0    --  142.59.92.133        0.0.0.0/0

and debug info has been logged to /tmp/denied-log.txt:
blabluga:~# cat /tmp/denied-log.txt
Sun Jun 24 16:38:40 CEST 2007 222.240.131.82
Sun Jun 24 16:38:40 CEST 2007 125.71.31.222
Sun Jun 24 16:38:40 CEST 2007 142.59.92.133

So, let's wait for another brute-force attack...
I've got another mail:
Added the following hosts to /var/local/ssh-denyhosts.txt:

61.95.206.237 (dsl-KK-static-237.206.95.61.airtelbroadband.in)

There are four entries in /var/local/ssh-denyhosts.txt, but let's see
what has happened.

blabluga:~# iptables -L ssh-deny -n
Chain ssh-deny (1 references)
target     prot opt source               destination
DROP       0    --  222.240.131.82       0.0.0.0/0
DROP       0    --  125.71.31.222        0.0.0.0/0
DROP       0    --  142.59.92.133        0.0.0.0/0
DROP       0    --  61.95.206.237        0.0.0.0/0
DROP       0    --  222.240.131.82       0.0.0.0/0
DROP       0    --  125.71.31.222        0.0.0.0/0
DROP       0    --  142.59.92.133        0.0.0.0/0

blabluga:~# cat /tmp/denied-log.txt
Sun Jun 24 16:38:40 CEST 2007 222.240.131.82
Sun Jun 24 16:38:40 CEST 2007 125.71.31.222
Sun Jun 24 16:38:40 CEST 2007 142.59.92.133
Sun Jun 24 18:19:12 CEST 2007 61.95.206.237
Sun Jun 24 18:19:12 CEST 2007 222.240.131.82
Sun Jun 24 18:19:12 CEST 2007 125.71.31.222
Sun Jun 24 18:19:12 CEST 2007 142.59.92.133

It looks like PLUGIN_DENY has been called with the recently blocked IP
and, additionally, with all previously blocked IPs.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=pl_PL (charmap=ISO-8859-2)

Versions of packages denyhosts depends on:
ii  lsb-base                      3.1-23.1   Linux Standard Base 3.1 init scrip
ii  python                        2.4.4-2    An interactive high-level object-o
ii  python-central                0.5.12     register and build utility for Pyt

denyhosts recommends no packages.

-- no debconf information
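
Until PLUGIN_DENY is invoked only for newly denied hosts, any hook behind it has to tolerate being called again for hosts that are already blocked, or the chain fills with duplicate rules exactly as the report shows. The script below is an idempotent replacement for the reporter's dropssh, added here as an example; it is neither the script from the report nor part of DenyHosts. It assumes what the report shows: PLUGIN_DENY receives the host as its single argument, the ssh-deny chain exists and is referenced, and `iptables -L ssh-deny -n` prints the columns target/prot/opt/source/destination. It parses that listing instead of using `iptables -C`, so it also works on iptables versions without a rule-check option. The IPTABLES, CHAIN and DROPSSH_LOG overrides and the /var/log/dropssh.log path are hypothetical choices made so the functions can be exercised without root; the argument check is there because the hook passes `$1` straight to iptables.

```shell
#!/bin/sh
# dropssh: an idempotent DenyHosts PLUGIN_DENY hook.
# Added example; not the script from the bug report and not part of DenyHosts.
# DenyHosts runs PLUGIN_DENY with one argument, the host it has just denied,
# and (as the report shows) may run it again for hosts already blocked, so a
# plain "iptables -A" accumulates duplicate rules. This hook therefore
#   1. accepts only a dotted-quad IPv4 address (anything else is logged and refused),
#   2. looks for an existing DROP rule for that source in the chain, and
#   3. appends a rule only when none is there.
# Assumptions: the ssh-deny chain exists and is referenced, and
# "iptables -L CHAIN -n" prints the columns shown in the report
# (target prot opt source destination). IPTABLES, CHAIN and DROPSSH_LOG are
# hypothetical overrides so the functions can be exercised without root.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-ssh-deny}"
LOG="${DROPSSH_LOG:-/var/log/dropssh.log}"

# is_ipv4 ADDR: succeed only if ADDR is four dot-separated decimal octets 0..255.
is_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr        # split into octets; positional parameters are local to the function
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rule_exists ADDR: succeed if the chain already holds a DROP rule with ADDR as source.
# Column 4 of "iptables -L CHAIN -n" is the source, as in the report's listing.
rule_exists() {
    "$IPTABLES" -L "$CHAIN" -n 2>/dev/null |
        awk -v ip="$1" '$1 == "DROP" && $4 == ip { found = 1 } END { exit !found }'
}

# deny_host ADDR: 0 = rule added, 1 = already blocked (nothing done),
# 2 = argument refused, 3 = iptables failed.
deny_host() {
    addr=$1
    if ! is_ipv4 "$addr"; then
        printf '%s refused non-IPv4 argument: %s\n' "$(date)" "$addr" >>"$LOG"
        return 2
    fi
    if rule_exists "$addr"; then
        return 1
    fi
    "$IPTABLES" -t filter -A "$CHAIN" -s "$addr" -j DROP || return 3
    printf '%s %s\n' "$(date)" "$addr" >>"$LOG"
    return 0
}

# Entry point when DenyHosts invokes the hook. With no argument the file only
# defines the functions, so it can be sourced by a test harness.
if [ $# -ge 1 ]; then
    deny_host "$1"
    exit $?
fi
```

Install it as PLUGIN_DENY in place of the original dropssh; on the second round from the report (one new host plus the three old ones) it appends exactly one rule and returns 1 for the three repeats, so the chain stays at four entries however often DenyHosts re-announces old hosts.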
