denyhosts 2.6 is sometimes reporting the same denied host over &
over & over again.
E.g., right now, it is reporting these hosts
d198-53-142-15.abhsia.telus.net
mail3.cjos.in
again & again.
I got some of these a number of months ago, then none for quite a
while, and now I'm getting them again.
denyhosts will keep on adding the host until $PURGE_DENY time has
passed (at which point it will delete all of them from $HOSTS_DENY).
Just starting & stopping denyhosts does not seem to make any
difference.
To stop one repeated hostname, I have to stop denyhosts, remove the
hostname from $WORK_DIR/hosts*, remove all but the first entry from
$HOSTS_DENY, and start denyhosts again.
Any thoughts of where to look for this bug?
I turned on --debug and see this sort of thing in the log:
2009-01-24 15:10:29,930 - denyhosts : DEBUG /var/log/auth has additional data
2009-01-24 15:10:30,039 - denyhosts : DEBUG user: danile - host: 67.92.159.123 - success: 1 - invalid: 0
2009-01-24 15:10:30,151 - denyhosts : DEBUG new hosts: ['mail3.cjos.in', 'd198-53-142-15.abhsia.telus.net']
2009-01-24 15:10:30,151 - report : DEBUG get_host: mail3.cjos.in
2009-01-24 15:10:30,151 - report : DEBUG get_host: d198-53-142-15.abhsia.telus.net
2009-01-24 15:10:30,151 - denyhosts : INFO new denied hosts: ['mail3.cjos.in', 'd198-53-142-15.abhsia.telus.net']
2009-01-24 15:10:30,152 - denyhosts : DEBUG no new suspicious logins
2009-01-24 15:10:30,190 - util : DEBUG sent email to: denylog
2009-01-24 15:12:30,205 - denyhosts : DEBUG /var/log/auth has additional data
2009-01-24 15:12:30,325 - denyhosts : DEBUG user: danile - host: 67.92.159.123 - success: 1 - invalid: 0
2009-01-24 15:12:30,435 - denyhosts : DEBUG new hosts: ['mail3.cjos.in', 'd198-53-142-15.abhsia.telus.net']
2009-01-24 15:12:30,436 - report : DEBUG get_host: mail3.cjos.in
2009-01-24 15:12:30,436 - report : DEBUG get_host: d198-53-142-15.abhsia.telus.net
2009-01-24 15:12:30,436 - denyhosts : INFO new denied hosts: ['mail3.cjos.in', 'd198-53-142-15.abhsia.telus.net']
2009-01-24 15:12:30,436 - denyhosts : DEBUG no new suspicious logins
2009-01-24 15:12:30,462 - util : DEBUG sent email to: denylog
I first saw d198-53-142-15.abhsia.telus.net on Fri Jan 23 00:01:23 2009
and so far denyhosts has added it 1160 times to $HOSTS_DENY.
I first saw mail3.cjos.in on Sat Jan 24 07:08:41 2009
and so far denyhosts has added it 57 times to $HOSTS_DENY.
My config file is below.
This is under FreeBSD 6.3 using the FreeBSD ports install of denyhosts-2.6_1.
--asp
SECURE_LOG = /var/log/auth
HOSTS_DENY = /etc/hosts.deniedssh
PURGE_DENY = 1w
BLOCK_SERVICE =
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/local/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = denylog
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nob...@localhost>
SMTP_SUBJECT = DenyHosts Report
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
FAILED_ENTRY_REGEX7 = User (?P<user>.*) from (?P<host>.*) not allowed because not listed in AllowUsers$
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
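
Added example, not part of the original post and not DenyHosts code: a read-only check for the symptom reported above, counting how often each entry repeats in $HOSTS_DENY and showing what the file would contain with only the first occurrence of each kept. It assumes entries can be compared after whitespace and case normalisation and that a `# DenyHosts:` timestamp comment may precede each entry; the sample data is constructed, as are the function names.

```python
import sys
from collections import Counter

# Constructed sample of a HOSTS_DENY file (BLOCK_SERVICE blank, so bare hosts).
# Assumption: a "# DenyHosts: <date> | <entry>" comment precedes each entry.
SAMPLE = """\
# DenyHosts: Fri Jan 23 00:01:23 2009 | d198-53-142-15.abhsia.telus.net
d198-53-142-15.abhsia.telus.net
# DenyHosts: Sat Jan 24 07:08:41 2009 | mail3.cjos.in
mail3.cjos.in
# DenyHosts: Sat Jan 24 15:10:30 2009 | mail3.cjos.in
mail3.cjos.in
# DenyHosts: Sat Jan 24 15:10:30 2009 | d198-53-142-15.abhsia.telus.net
d198-53-142-15.abhsia.telus.net
""".splitlines()

def entry_key(line):
    """Normalized key for an entry line; None for blank and comment lines."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    return "".join(text.split()).lower()

def duplicate_counts(lines):
    """Map each entry that appears more than once to its number of occurrences."""
    counts = Counter(k for k in map(entry_key, lines) if k is not None)
    return {k: n for k, n in counts.items() if n > 1}

def dedupe(lines):
    """Keep the first occurrence of every entry and drop later repeats."""
    seen, out = set(), []
    for line in lines:
        key = entry_key(line)
        if key is not None and key in seen:
            # Drop the timestamp comment that sits directly above the repeat.
            if out and out[-1].lstrip().startswith("# DenyHosts:"):
                out.pop()
            continue
        if key is not None:
            seen.add(key)
        out.append(line)
    return out

if __name__ == "__main__":
    # Read-only: pass the HOSTS_DENY path, or run without arguments for the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    for entry, n in sorted(duplicate_counts(lines).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {entry}")
    print(f"{len(lines)} lines now, {len(dedupe(lines))} after de-duplication")
```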