Hello Peter,
On Mon, 7 Aug 2006, Peter Horst wrote:
> 1) Have received 3 "DenyHosts Reports" in the past day - each one
> containing one ip address (with the corresponding hostname, I enabled
> lookups). However, there are now over 800 ip addresses in my
> /etc/hosts.deny.
>
Apparently, you are using the sync download feature. DenyHosts doesn't
send out an email report for IP addresses that were downloaded from the
sync server. If it did, you'd be inundated with emails due to the number
of hackers out there. Also, the IP addresses added by the sync download
weren't a direct threat to your server so the info wouldn't be useful to
you. DenyHosts will only report IP addresses that it locally blocked--
since those hackers did attempt to directly compromise your server.
> 2) Also, logwatch reports many sshd authentication failures from various
> hosts, some several hundred times. Am I misunderstanding something
> basic? I am surprised to see so many failed attempts from the same hosts
> - my expectation was that once an address goes in /etc/hosts.deny, it
> would be blocked before it had a chance to make another (or several
> hundred more) bogus login attempts.
>
It's possible that the attackers aren't getting through at all. I
typically see logwatch entries that indicate that IPs were refused
immediately without ever failing to log in, which indicates to me that the
sync-downloaded IP addresses preemptively thwarted the attack. For example:
--------------------- SSHD Begin ------------------------
Failed logins from these:
alias/password from ::ffff:218.198.80.2: 4 Time(s)
Refused incoming connections:
::ffff:218.28.46.206 (::ffff:218.28.46.206): 4 Time(s)
::ffff:72.29.82.84 (::ffff:72.29.82.84): 2 Time(s)
::ffff:218.198.80.2 (::ffff:218.198.80.2): 1 Time(s)
---------------------- SSHD End -------------------------
218.28.46.206 and 72.29.82.84 were thwarted immediately since they were
never given the opportunity to log in or enter their credentials because
those IPs were already in /etc/hosts.deny.
218.198.80.2 attempted to log in 4 times before being blocked and then was
immediately rejected from further attempts.
So depending on which section the IP addresses are in within the logwatch
report, it may mean that the address wasn't even allowed to log in, or was
trying to log in when it was eventually disallowed because the IP address
was added to /etc/hosts.deny.
If hackers are making hundreds of login attempts without being blocked
then either your DENY_THRESHOLD_* values are too low (mine are between 1
and 10) or your DAEMON_SLEEP value is too small (mine is "5s").
Regards,
Phil
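The two logwatch sections Phil describes, and the effect of DENY_THRESHOLD_* and DAEMON_SLEEP on how many "Failed password" lines a host can accumulate before it lands in /etc/hosts.deny, as an added example that is not part of the original thread and is not DenyHosts' own code. The model is deliberately simplified (one threshold counted per host, rather than DenyHosts' separate valid/invalid/root thresholds); the log lines are constructed, and the "Failed password" / "refused connect" formats are assumed to match what OpenSSH and tcp_wrappers write to /var/log/secure.

```python
import re
from collections import Counter

# Assumed line formats (adjust if your sshd or tcp_wrappers logs differ):
#   ... sshd[1234]: Failed password for invalid user alias from ::ffff:1.2.3.4 port 4022 ssh2
#   ... sshd[1234]: refused connect from ::ffff:1.2.3.4 (::ffff:1.2.3.4)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from (?P<ip>\S+)")


def summarize(lines):
    """Bucket sshd lines the way logwatch's SSHD section does:
    'Failed logins' (the host reached the password prompt) versus
    'Refused incoming connections' (tcp_wrappers dropped it via /etc/hosts.deny)."""
    failed, refused = Counter(), Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m.group("ip")] += 1
            continue
        m = REFUSED_RE.search(line)
        if m:
            refused[m.group("ip")] += 1
    return failed, refused


def _stamp(t):
    # Constructed syslog prefix for second t of the scenario (t < 3600).
    return f"Aug  7 10:{t // 60:02d}:{t % 60:02d} host sshd[{1000 + t}]:"


def simulate(attempts, deny_threshold, daemon_sleep, predenied=()):
    """Simplified DenyHosts-style daemon (hypothetical model, not DenyHosts code).

    attempts   -- constructed list of (seconds, ip, user, user_is_valid)
    predenied  -- IPs already in hosts.deny, e.g. from a sync download
    The daemon wakes every daemon_sleep seconds and denies any host whose failed
    count has reached deny_threshold.  Attempts arriving before the next wake-up
    still reach the password prompt, so a large DAEMON_SLEEP lets one host pile up
    many 'Failed password' lines before its first 'refused connect'."""
    denied = set(predenied)
    strikes = Counter()
    log = []
    next_wake = daemon_sleep
    for t, ip, user, valid in sorted(attempts):
        while next_wake <= t:  # daemon passes that precede this attempt
            denied.update(h for h, n in strikes.items() if n >= deny_threshold)
            next_wake += daemon_sleep
        if ip in denied:
            log.append(f"{_stamp(t)} refused connect from {ip} ({ip})")
        else:
            tag = "" if valid else "invalid user "
            log.append(f"{_stamp(t)} Failed password for {tag}{user} from {ip} port 4022 ssh2")
            strikes[ip] += 1
    return log


def demo(daemon_sleep):
    """Constructed scenario: 218.198.80.2 guesses user 'alias' once a second for
    10 s; 218.28.46.206 was sync-downloaded into hosts.deny beforehand and tries
    twice.  Returns (failed, refused) counters as logwatch would tally them."""
    attempts = [(t, "::ffff:218.198.80.2", "alias", False) for t in range(10)]
    attempts += [(3, "::ffff:218.28.46.206", "root", True),
                 (4, "::ffff:218.28.46.206", "root", True)]
    log = simulate(attempts, deny_threshold=4, daemon_sleep=daemon_sleep,
                   predenied={"::ffff:218.28.46.206"})
    return summarize(log)


if __name__ == "__main__":
    for sleep in (5, 300):
        failed, refused = demo(sleep)
        print(f"DAEMON_SLEEP={sleep}s  failed={dict(failed)}  refused={dict(refused)}")
```

With DAEMON_SLEEP=5s the guessing host gets 5 failed logins before every further connection is refused, and the sync-downloaded host is refused on its very first connection, exactly the two logwatch sections in the report above. With DAEMON_SLEEP=300s the same host gets all 10 attempts through as failed logins and is never refused within the window, which is the "hundreds of failures from one host" symptom.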
_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user