Looking at the log around the time when I got my recent denyhosts report and what's in /var/log/secure, I think this is what peeved denyhosts:

Jan 17 14:10:29 n32 sshd[5639]: Accepted publickey for root from 192.168.1.254 port 46254 ssh2
Jan 17 14:12:35 ahui sshd[29625]: Read error from remote host 1<ip address>56.85: Connection timed out
Jan 17 14:12:41 ahui sshd[25080]: Connection from 1<ip>6 port 60037
Jan 17 14:12:41 ahui sshd[25080]: Connection closed by 12<ip>
Jan 17 14:15:01 ahui sshd[25131]: Connection from 12ip.26 port 55104

My working hypothesis right now is that this means that whenever someone logs in to my host and then leaves the connection idle for a while, the host times out the connection and writes a log entry about it, and denyhosts sees the log entry and puts the offending host on the black list.

Is there a way for me to tell denyhosts to ignore the 'read error' log entry? I guess I could also attack it by trying to prevent anyone from ever getting timed out, which would actually make more sense. I guess I need to RTFM and figure out what is timing out and try to fix it.

thanks,
Dave

On Jan 17, 2008 2:44 PM, Phil Schwartz <[EMAIL PROTECTED]> wrote:
>
> First thing you should do Dave is to run DH in --debug mode:
>
> /etc/init.d/denyhosts restart --debug
>
> then:
>
> tail -f /var/log/denyhosts
>
> Observe the output of when people attempt to login via ssh. That should
> offer clues to what DH is (or isn't) doing.
>
> Also, at the bottom of the DH homepage there is a section: "Need Help?"
> which details the info I would need in order to troubleshoot the regex'es.
>
> Regards,
>
> Phil
>
>
> On Thu, 17 Jan 2008, David Burns wrote:
>
> > I suspect that my log is in an unusual format. What sort of steps
> > should I take to troubleshoot? Is there a doc somewhere I've
> > overlooked that explains what denyhosts looks for in the logs, and
> > what it ignores, and how to make it more verbose, etc.? Symptom seems
> > to be that it eventually denies everyone. I've white-listed our local
> > machines, but whenever someone tries to ssh in from outside our local
> > net there is trouble.
> > Thanks,
> > Dave
> >
> > On Jan 9, 2008 12:57 PM, Phil Schwartz <[EMAIL PROTECTED]> wrote:
> >>
> >> Check the files in your DH WORK_DIR (grep them) for one of the subnodes.
> >> The number after the : indicates the number of hack attempts DH detected.
> >> If this number seems incorrect, check your SECURE_LOG for that IP address
> >> to determine if they were legit or not. If DH incorrectly identified them
> >> as attacks then your SECURE_LOG is likely in an unusual format.
> >>
> >> You may also want to stop DH, remove the IP address(es) from the WORK_DIR
> >> files, add the IP's to WORK_DIR/allowed-hosts and restart DH.
> >>
> >> Regards,
> >>
> >> Phil
> >>
> >>
> >> On Wed, 9 Jan 2008, David Burns wrote:
> >>
> >>> I have a cluster master node running denyhosts (Thanks!), but I am
> >>> confused because some of the subnodes get denied. I've put them into
> >>> /etc/hosts.allow, so they don't actually lose access, but I do still
> >>> get reports about them. Is there some documentation somewhere that
> >>> would explain what to look for to find out what these nodes are doing
> >>> that sets off denyhosts? I am pretty sure that there are no hackers
> >>> with access to the subnodes trying to hack the master node - they're
> >>> wired such that the only way to get to the nodes is through the
> >>> master!
> >>> Thanks in advance,
> >>> Dave
> >>>
> >>> _______________________________________________
> >>> Denyhosts-user mailing list
> >>> [email protected]
> >>> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
> >>>
> >>
> >> --
> >> Regards,
> >>
> >> Phil Schwartz
> >> - http://www.phil-schwartz.com
> >>
> >> Open Source Projects:
> >> - DenyHosts: http://www.denyhosts.net
> >> - Kodos: http://kodos.sourceforge.net
> >> - ReleaseForge: http://releaseforge.sourceforge.net
> >> - Scratchy: http://scratchy.sourceforge.net
> >> - FAQtor: http://faqtor.sourceforge.net
> >>
>
> --
> Regards,
>
> Phil Schwartz
> - http://www.phil-schwartz.com
>
> Open Source Projects:
> - DenyHosts: http://www.denyhosts.net
> - Kodos: http://kodos.sourceforge.net
> - ReleaseForge: http://releaseforge.sourceforge.net
> - Scratchy: http://scratchy.sourceforge.net
> - FAQtor: http://faqtor.sourceforge.net
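The thread turns on one question: which sshd log lines are evidence of a failed authentication, and which are connection-level noise (a read error after an idle timeout, "Connection closed by", "Connection from ... port") that a too-broad pattern would count against a host. The script below is an added illustration of that distinction and is not code from the thread or from DenyHosts; the regular expressions are my own, not the ones DenyHosts ships, and the sample log is constructed after the lines Dave posted, with addresses from the 203.0.113.0/24 documentation range standing in for his redacted ones. It contrasts a strict classifier, which counts only "Failed password/publickey" lines, with a naive one that counts every sshd line carrying an IP address, and shows how the timed-out host ends up on the deny list only under the naive rule.

```python
import re
from collections import Counter

# Constructed sample log modelled on the lines in the thread (documentation-range IPs).
SAMPLE_LOG = """\
Jan 17 14:10:29 n32 sshd[5639]: Accepted publickey for root from 192.168.1.254 port 46254 ssh2
Jan 17 14:12:35 ahui sshd[29625]: Read error from remote host 203.0.113.85: Connection timed out
Jan 17 14:12:41 ahui sshd[25080]: Connection from 203.0.113.6 port 60037
Jan 17 14:12:41 ahui sshd[25080]: Connection closed by 203.0.113.6
Jan 17 14:15:01 ahui sshd[25131]: Connection from 203.0.113.26 port 55104
Jan 17 14:15:03 ahui sshd[25131]: Failed password for invalid user admin from 203.0.113.26 port 55104 ssh2
Jan 17 14:15:05 ahui sshd[25131]: Failed password for invalid user admin from 203.0.113.26 port 55104 ssh2
Jan 17 14:15:07 ahui sshd[25131]: Failed password for invalid user admin from 203.0.113.26 port 55104 ssh2
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical patterns (not DenyHosts' own): only these are authentication failures.
FAILED_AUTH = [
    re.compile(r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from " + IPV4),
]

# Connection-level events that say nothing about whether a login was attempted.
BENIGN = [
    re.compile(r"Read error from remote host " + IPV4 + r": Connection timed out"),
    re.compile(r"Connection closed by " + IPV4),
    re.compile(r"Connection from " + IPV4 + r" port \d+"),
    re.compile(r"Accepted (?:publickey|password) for (?P<user>\S+) from " + IPV4),
]


def classify(line):
    """Return ('failed_auth', ip), ('benign', ip) or None for one sshd log line."""
    if "sshd[" not in line:
        return None
    for rx in FAILED_AUTH:
        m = rx.search(line)
        if m:
            return ("failed_auth", m.group("ip"))
    for rx in BENIGN:
        m = rx.search(line)
        if m:
            return ("benign", m.group("ip"))
    return None  # unknown sshd message: neither counted nor silently trusted


def count_failures(lines):
    """Strict rule: one count per genuine failed authentication, keyed by source IP."""
    counts = Counter()
    for line in lines:
        c = classify(line)
        if c and c[0] == "failed_auth":
            counts[c[1]] += 1
    return counts


def naive_count(lines):
    """Over-broad rule: every sshd line with an IP that is not an 'Accepted' login."""
    counts = Counter()
    for line in lines:
        if "sshd[" not in line or "Accepted " in line:
            continue
        m = re.search(IPV4, line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_deny(counts, threshold, allowed=frozenset()):
    """Hosts at or above the threshold, minus an allowed-hosts whitelist, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowed)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("strict :", hosts_to_deny(count_failures(lines), threshold=3))
    print("naive  :", hosts_to_deny(naive_count(lines), threshold=1))
```

Under the strict rule only the host that actually failed three password attempts crosses a threshold of 3; under the naive rule the host whose idle session timed out is denied on a single "Read error" line, which is the behaviour Dave describes. Whitelisting, as in the thread's WORK_DIR/allowed-hosts advice, hides the symptom but not the cause, so when a host shows up unexpectedly it is worth checking which log line actually produced the count.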
