Here's an interesting example:

/var/log/denyhosts says:
2008-01-17 14:42:58,064 - denyhosts   : INFO     new denied hosts: ['some ip']

/var/log/messages says:
Jan 17 14:42:23 ahui sshd[28408]: Connection from same ip port 2700
Jan 17 14:42:23 ahui sshd[28408]: Failed none for user from same ip port 2700 ssh2
Jan 17 14:42:23 ahui sshd[28408]: Failed none for user from same ip port 2700 ssh2
Jan 17 14:42:28 ahui sshd[28408]: Accepted password for user from ip port 2700

Maybe this weird 'failed none' jazz is confusing denyhosts?
Dave


On Jan 21, 2008 1:36 PM, Phil Schwartz
<[EMAIL PROTECTED]> wrote:
>
> Not necessarily... The regex'es that DH uses by default shouldn't match
> most of those.  Check your /var/log/denyhosts for entries around those
> times to see if it actually blocked someone.
>
> Regards,
>
> Phil
>
>
> On Mon, 21 Jan 2008, David Burns wrote:
>
> > Looking at the log around the time when I got my recent denyhosts
> > report and what's in /var/log/secure, I think this is what peeved
> > denyhosts:
> >
> > Jan 17 14:10:29 n32 sshd[5639]: Accepted publickey for root from 192.168.1.254 port 46254 ssh2
> > Jan 17 14:12:35 ahui sshd[29625]: Read error from remote host 1<ip address>56.85: Connection timed out
> > Jan 17 14:12:41 ahui sshd[25080]: Connection from 1<ip>6 port 60037
> > Jan 17 14:12:41 ahui sshd[25080]: Connection closed by 12<ip>
> > Jan 17 14:15:01 ahui sshd[25131]: Connection from 12ip.26 port 55104
> >
> > My working hypothesis right now is that this means that whenever
> > someone logs in to my host and then leaves the connection idle for a
> > while, the host times out the connection and writes a log entry about
> > it, and denyhosts sees the log entry and puts the offending host on
> > the black list. Is there a way for me to tell denyhosts to ignore the
> > 'read error' log entry?  I guess I could also attack it by trying to
> > prevent anyone from ever getting timed out, which would actually make
> > more sense. I guess I need to RTFM and figure out what is timing out
> > and try to fix it.
> >
> > thanks,
> > Dave
> >
> >
> > On Jan 17, 2008 2:44 PM, Phil Schwartz
> > <[EMAIL PROTECTED]> wrote:
> >>
> >>
> >> First thing you should do Dave is to run DH in --debug mode:
> >>
> >>     /etc/init.d/denyhosts restart --debug
> >>
> >> then:
> >>
> >>     tail -f /var/log/denyhosts
> >>
> >> Observe the output of when people attempt to login via ssh.  That should
> >> offer clues to what DH is (or isn't) doing.
> >>
> >> Also, at the bottom of the DH homepage there is a section: "Need Help?"
> >> which details the info I would need in order to troubleshoot the regex'es.
> >>
> >> Regards,
> >>
> >> Phil
> >>
> >>
> >>
> >>
> >> On Thu, 17 Jan 2008, David Burns wrote:
> >>
> >>> I suspect that my log is in an unusual format. What sort of steps
> >>> should I take to troubleshoot? Is there a doc somewhere I've
> >>> overlooked that explains what denyhosts looks for in the logs, and
> >>> what it ignores, and how to make it more verbose, etc.? Symptom seems
> >>> to be that it eventually denies everyone. I've white-listed our local
> >>> machines, but whenever someone tries to ssh in from outside our local
> >>> net there is trouble.
> >>> Thanks,
> >>> Dave
> >>>
> >>> On Jan 9, 2008 12:57 PM, Phil Schwartz
> >>> <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>> Check the files in your DH WORK_DIR (grep them) for one of the subnodes.
> >>>> The number after the : indicates the number of hack attempts DH detected.
> >>>> If this number seems incorrect, check your SECURE_LOG for that IP address
> >>>> to determine if they were legit or not.  If DH incorrectly identified them
> >>>> as attacks then your SECURE_LOG is likely in an unusual format.
> >>>>
> >>>> You may also want to stop DH, remove the IP address(es) from the WORK_DIR
> >>>> files, add the IPs to WORK_DIR/allowed-hosts and restart DH.
> >>>>
> >>>> Regards,
> >>>>
> >>>> Phil
> >>>>
> >>>>
> >>>> On Wed, 9 Jan 2008, David Burns wrote:
> >>>>
> >>>>> I have a cluster master node running denyhosts (Thanks!), but I am
> >>>>> confused because some of the subnodes get denied. I've put them into
> >>>>> /etc/hosts.allow, so they don't actually lose access, but I do still
> >>>>> get reports about them. Is there some documentation somewhere that
> >>>>> would explain what to look for to find out what these nodes are doing
> >>>>> that sets off denyhosts? I am pretty sure that there are no hackers
> >>>>> with access to the subnodes trying to hack the master node - they're
> >>>>> wired such that the only way to get to the nodes is through the
> >>>>> master!
> >>>>> Thanks in advance,
> >>>>> Dave
> >>>>>
> >>>>> -------------------------------------------------------------------------
> >>>>> Check out the new SourceForge.net Marketplace.
> >>>>> It's the best place to buy or sell services for
> >>>>> just about anything Open Source.
> >>>>> http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
> >>>>> _______________________________________________
> >>>>> Denyhosts-user mailing list
> >>>>> [email protected]
> >>>>> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
> >>>>>
> >>>>
> >>>> --
> >>>> Regards,
> >>>>
> >>>> Phil Schwartz
> >>>> - http://www.phil-schwartz.com
> >>>>
> >>>> Open Source Projects:
> >>>> - DenyHosts: http://www.denyhosts.net
> >>>> - Kodos: http://kodos.sourceforge.net
> >>>> - ReleaseForge: http://releaseforge.sourceforge.net
> >>>> - Scratchy: http://scratchy.sourceforge.net
> >>>> - FAQtor: http://faqtor.sourceforge.net
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >
>
>


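Added example, not part of the thread above and not DenyHosts' own code: a small Python tally that runs a failed-login pattern over sshd lines of the kind quoted in the thread, so you can see how a method-agnostic "Failed ... for ... from ..." pattern treats the two "Failed none" lines that sshd writes before a normal password login, and how excluding the "none" method changes which hosts cross the deny threshold. The regexes, hostnames, PIDs and addresses are constructed for the example; whether DenyHosts' shipped patterns (in its regex.py) count "Failed none" is exactly the question Dave raises, and the way to answer it for your install is still to run DH with --debug and watch /var/log/denyhosts, as Phil says.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sshd lines quoted in the thread.
# Hostnames, PIDs and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jan 17 14:42:23 ahui sshd[28408]: Connection from 203.0.113.7 port 2700
Jan 17 14:42:23 ahui sshd[28408]: Failed none for dave from 203.0.113.7 port 2700 ssh2
Jan 17 14:42:23 ahui sshd[28408]: Failed none for dave from 203.0.113.7 port 2700 ssh2
Jan 17 14:42:28 ahui sshd[28408]: Accepted password for dave from 203.0.113.7 port 2700 ssh2
Jan 17 14:12:35 ahui sshd[29625]: Read error from remote host 198.51.100.9: Connection timed out
Jan 17 15:01:02 ahui sshd[30001]: Failed password for invalid user admin from 192.0.2.44 port 40110 ssh2
Jan 17 15:01:05 ahui sshd[30001]: Failed password for invalid user admin from 192.0.2.44 port 40110 ssh2
Jan 17 15:01:09 ahui sshd[30001]: Failed password for root from 192.0.2.44 port 40110 ssh2
"""

# Approximation of a "failed login" pattern, written for this example.
# It is NOT DenyHosts' shipped regex; it is method-agnostic on purpose so the
# effect of the "Failed none" lines is visible.
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?:invalid user |illegal user )?"
    r"(?P<user>\S+) from (?P<host>\S+)"
)
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<host>\S+)")
READ_ERROR_RE = re.compile(r"Read error from remote host (?P<host>[^:]+):")


def tally(log_text, ignore_methods=()):
    """Count per-host failed attempts, accepted logins and read errors.

    ignore_methods lets the caller drop sshd's 'none' pre-auth probe, which a
    normal client sends before it offers a password; counting it inflates the
    failure total of every legitimate password login by the number of probes.
    """
    failures = defaultdict(int)
    accepted = defaultdict(int)
    read_errors = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            if m.group("method") not in ignore_methods:
                failures[m.group("host")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group("host")] += 1
            continue
        m = READ_ERROR_RE.search(line)
        if m:
            # Tallied only so it can be shown that this line is not a failure
            # under the pattern above; it does not feed the deny decision.
            read_errors[m.group("host")] += 1
    return dict(failures), dict(accepted), dict(read_errors)


def hosts_to_deny(failures, threshold):
    """Hosts whose failure count reached the threshold, sorted for stable output."""
    return sorted(h for h, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    threshold = 2  # assumed value, stands in for a DENY_THRESHOLD_* setting
    naive, acc, rerr = tally(SAMPLE_LOG)
    print("method-agnostic failures:", naive)
    print("accepted logins:", acc)
    print("read errors (not counted):", rerr)
    print("would deny:", hosts_to_deny(naive, threshold))
    filtered, _, _ = tally(SAMPLE_LOG, ignore_methods=("none",))
    print("failures with 'none' ignored:", filtered)
    print("would deny:", hosts_to_deny(filtered, threshold))
```

With the method-agnostic pattern the host that logged in successfully still collects two "failures" from its "Failed none" lines and is denied at a threshold of 2, while the host that only timed out (the "Read error" line) is never counted. Ignoring the "none" method leaves only the real password-guessing host over the threshold. Before changing anything on a live system, compare this against what the real counters say: grep your WORK_DIR files for the address and read the number after the colon, as Phil describes.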