Kyle Claisse wrote: > I have been running DenyHosts for about few weeks now and it has more or > less done it's job. But just recently I noticed on my daily logwatches > that a few ip's were not being denied. I set the maximum number of tries > for any user name to be 3. But my logs clearly show more tries coming from > ip's. [snip] > sshd: > Authentication Failures: > unknown (137.82.206.83): 13 Time(s) > root (64.34.105.116): 7 Time(s) > unknown (222.91.92.185): 3 Time(s) > unknown (host188-178-static.189-82-b.business.telecomitalia.it): 3 > Time(s) > root (211.98.88.125): 1 Time(s) > Invalid Users: > Unknown Account: 19 Time(s) > > > Notice that one of the ip's (137.82.206.83) has 13 logins failures. Whats > up with that?
It depends on the scan time, if you scan say every 15 seconds and the attacker is going at 1 per second, then the mean case will try about 8 times, the worst case will try 15 or probably 16 because of the time it takes DenyHosts to add the entry and sshd to pick it up. It will rarely ever be stopped at 3, which is the best case and only will happen if the attacker is going real slow. > OK Now just in case I would like to not that this is my first post in a > sourceforge mailing list or any mailing list for that matter. I hope it > went right. Looks fine ;-) -- René Berber ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Denyhosts-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/denyhosts-user
