Hi all,

Being very satisfied with my freshly installed denyhosts, I am already becoming greedy. As Lars Behrens pointed out to this list in 2008, a typical attack looks like this:

Aug 29 18:42:14 kuratowski sshd[36849]: Did not receive identification string from 219.140.165.74
Aug 29 18:47:00 kuratowski sshd[36856]: User root from 219.140.165.74 not allowed because not listed in AllowUsers

After this the usual attack goes on using a dictionary of user names until the denyhosts daemon wakes up and puts an end to this. Note the 5 minute gap between the first connect, which I read as a verification of an actual sshd listening on port 22, and the attack itself. Therefore my guess is that denyhosts should easily be capable of responding to such an attack early, even with a quite liberal DAEMON_SLEEP value.

Any ideas? Shouldn't the DH daemon, when waking up during an attack, notice the first connect and include it in the DENY_THRESHOLD_* count? Am I right that the first and second connect above are handled differently by DH because the first one does not yield a user name?

Thanks,
Olf

_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
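
The correlation the post asks about, as an added example (not part of the original message and not denyhosts code): a small Python log scan that optionally counts the user-less "Did not receive identification string" probe toward a per-host threshold. The function names, the `threshold` and `count_probes` parameters, and the last two sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the ones quoted in the post,
# the last two (and the 192.0.2.10 address) are invented for illustration.
SAMPLE_LOG = """\
Aug 29 18:42:14 kuratowski sshd[36849]: Did not receive identification string from 219.140.165.74
Aug 29 18:47:00 kuratowski sshd[36856]: User root from 219.140.165.74 not allowed because not listed in AllowUsers
Aug 29 18:47:03 kuratowski sshd[36858]: Invalid user admin from 219.140.165.74
Aug 29 18:50:11 kuratowski sshd[36901]: Did not receive identification string from 192.0.2.10
"""

# The probe line carries no user name; the two failure lines do.
PATTERNS = [
    ("probe", re.compile(r"Did not receive identification string from (?P<ip>\S+)")),
    ("denied_user", re.compile(r"User (?P<user>\S+) from (?P<ip>\S+) not allowed")),
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")),
]

def parse_events(log_text):
    """Yield (kind, ip, user) for each sshd line that matches a pattern."""
    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue
        message = line.split("]: ", 1)[-1]
        for kind, pattern in PATTERNS:
            match = pattern.search(message)
            if match:
                # groupdict() has no "user" key for the probe pattern.
                yield kind, match.group("ip"), match.groupdict().get("user")
                break

def hosts_to_deny(log_text, threshold=3, count_probes=True):
    """Return sorted IPs whose event count reaches the (hypothetical) threshold.

    With count_probes=False only events that name a user are counted,
    so the initial connect is ignored.
    """
    counts = Counter()
    for kind, ip, _user in parse_events(log_text):
        if kind == "probe" and not count_probes:
            continue
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print("probes counted:", hosts_to_deny(SAMPLE_LOG, count_probes=True))
    print("probes ignored:", hosts_to_deny(SAMPLE_LOG, count_probes=False))
```

Counting the probe lets the attacking host reach the threshold one event earlier, while the host that only probed stays below it. Monitoring checks that open port 22 without sending an SSH banner produce the same log line, so probes alone should not be enough to deny a host.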
