You can set your denyhosts configuration to disallow all sshd logins to the root account with a short daemon sleep period. I do this and it works just fine. (I can do this because I have absolutely no reason to log in remotely with the root account; you might not be so fortunate.)

--Robert

Olaf Klinke wrote:
> Hi all,
> Being very satisfied with my freshly installed denyhosts, I am
> already becoming greedy. As Lars Behrens pointed out to this list
> in 2008, a typical attack looks like this:
>
> Aug 29 18:42:14 kuratowski sshd[36849]: Did not receive identification string from 219.140.165.74
> Aug 29 18:47:00 kuratowski sshd[36856]: User root from 219.140.165.74 not allowed because not listed in AllowUsers
>
> After this the usual attack goes on using a dictionary of user names
> until the denyhosts daemon wakes up and puts an end to this.
> Note the 5 minute gap between the first connect, which I read as a
> verification of an actual sshd listening on port 22, and the attack
> itself.
>
> Therefore my guess is that denyhosts should be easily capable of
> responding to such an attack early even with a quite liberal
> DAEMON_SLEEP value. Any ideas? Shouldn't the DH daemon, when waking
> up during an attack, notice the first connect and include it in the
> DENY_THRESHOLD_* count?
>
> Am I right that the first and second connect above are handled
> differently by DH because the first one does not yield a user name?
>
> Thanks,
> Olf

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
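
Added example, not part of the original thread and not DenyHosts code: a Python sketch of the correlation Olaf asks about, where a "Did not receive identification string" probe counts toward a per-host threshold once the same address also attempts a login, and a root attempt is flagged at once as in Robert's setup. The function name, both threshold parameters and the last two sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# First two lines are the ones quoted in the thread; the last two are constructed.
SAMPLE_LOG = """\
Aug 29 18:42:14 kuratowski sshd[36849]: Did not receive identification string from 219.140.165.74
Aug 29 18:47:00 kuratowski sshd[36856]: User root from 219.140.165.74 not allowed because not listed in AllowUsers
Aug 29 18:47:03 kuratowski sshd[36857]: User admin from 219.140.165.74 not allowed because not listed in AllowUsers
Aug 29 18:50:11 kuratowski sshd[36901]: Did not receive identification string from 192.0.2.10
"""

# The probe line carries no user name, so it needs its own pattern.
PROBE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)$")
DENIED = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+) from (?P<ip>\S+) "
    r"not allowed because not listed in AllowUsers$")

def score_hosts(log_text, threshold=2, root_threshold=1):
    """Return {ip: reason} for hosts crossing a (hypothetical) threshold."""
    probes = defaultdict(int)
    denied = defaultdict(int)
    root_hits = defaultdict(int)
    for line in log_text.splitlines():
        line = line.strip()
        m = PROBE.search(line)
        if m:
            probes[m["ip"]] += 1
            continue
        m = DENIED.search(line)
        if m:
            denied[m["ip"]] += 1
            if m["user"] == "root":
                root_hits[m["ip"]] += 1
    flagged = {}
    # Only hosts with at least one login attempt are scored, so a bare
    # banner check (monitoring, port scan) never blocks anyone by itself.
    for ip in denied:
        total = denied[ip] + probes[ip]
        if root_hits[ip] >= root_threshold:
            flagged[ip] = "root login attempt"
        elif total >= threshold:
            flagged[ip] = f"{total} events incl. {probes[ip]} probe(s)"
    return flagged

if __name__ == "__main__":
    print(score_hosts(SAMPLE_LOG))
```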
