Try changing your sshd_config file (typically in /etc/ssh/) from

UseDNS yes

to

UseDNS no

and restarting the ssh server.  DenyHosts works best when sshd logs IP 
addresses rather than hostnames.  Other than that, I'm not too sure why 
duplicates would be added; that certainly isn't normal behavior.  I did 
notice in the link you posted that that user too had "UseDNS yes", so that 
may be the culprit.  Almost all DH users, AFAIK, have "UseDNS no".

Regards,

Phil




On Fri, 30 Oct 2009, Karel J. Bosschaart wrote:

> Hi all,
>
> For a while now I've been using denyhosts 2.6 on FreeBSD 6.4, with python 2.6.
>
> It worked fine until at some point, after a couple of days, denyhosts
> triggers on almost any entry in /var/log/auth.log to add the same hosts
> to /etc/hosts.deniedssh over and over again.
>
> It seems very similar to the problems described here (also on FreeBSD):
> http://www.mail-archive.com/[email protected]/msg00623.html
> http://serverfault.com/questions/18770/how-can-i-prevent-denyhosts-from-adding-the-same-host-to-the-denied-file-over-and
> but no solution is provided there :-(.
>
> Example: following entry in /var/log/auth.log:
>> Oct 30 19:58:11 shell ftpd[66155]: FTP LOGIN FAILED FROM 211.154.254.247, 
>> Administrator
> (happens to be an ftp attempt at the moment)
> triggers denyhosts to add new hosts:
>> 2009-10-30 19:58:16,098 - denyhosts   : INFO     new denied hosts: 
>> ['lvps87-230-78-78.dedicated.hosteurope.de', 'ns1.kevinro.ro', 
>> '11.232-136-217.adsl-static.isp.belgacom.be', 
>> 'hsi-kbw-078-043-171-159.hsi4.kabel-badenwuerttemberg.de', 
>> '77-20-157-105-dynip.superkabel.de', 
>> '227.138-78-194.adsl-static.isp.belgacom.be', 
>> '158.3-66-87.adsl-static.isp.belgacom.be', 
>> 'lvps87-230-78-177.dedicated.hosteurope.de']
> while those hosts are already in /etc/hosts.deniedssh. In fact they're
> not even in the current /var/log/auth.log as they are rotated away
> already, so for some reason denyhosts must get them from the workdir.
> BTW, in the workdir all hosts are listed in the hosts file correctly
> only one time.
>
> As a result, my /etc/hosts.deniedssh now contains 13652 entries, but
> only 517 of them are unique:
>
> grep -v DenyHosts /etc/hosts.deniedssh | wc -l
>    13652
> grep -v DenyHosts /etc/hosts.deniedssh | sort -u | wc -l
>      517
>
> I hope someone has an idea where to look further. The startup log is
> provided below (admin email address scrambled on purpose).
>
> Regards,
> Karel.
>
>
>> 2009-10-30 19:51:04,512 - denyhosts   : INFO     DenyHosts daemon is 
>> shutting down
>> 2009-10-30 19:51:15,837 - denyhosts   : INFO     DenyHosts launched with the 
>> following args:
>> 2009-10-30 19:51:15,990 - denyhosts   : INFO        
>> /usr/local/bin/denyhosts.py --purge --config /usr/local/etc/denyhosts.conf 
>> --daemon
>> 2009-10-30 19:51:15,993 - prefs       : INFO     DenyHosts configuration 
>> settings:
>> 2009-10-30 19:51:15,995 - prefs       : INFO        ADMIN_EMAIL: [...@***.**]
>> 2009-10-30 19:51:15,998 - prefs       : INFO        AGE_RESET_INVALID: 
>> [864000]
>> 2009-10-30 19:51:16,000 - prefs       : INFO        AGE_RESET_RESTRICTED: 
>> [2160000]
>> 2009-10-30 19:51:16,003 - prefs       : INFO        AGE_RESET_ROOT: [2160000]
>> 2009-10-30 19:51:16,005 - prefs       : INFO        AGE_RESET_VALID: [432000]
>> 2009-10-30 19:51:16,008 - prefs       : INFO        
>> ALLOWED_HOSTS_HOSTNAME_LOOKUP: [no]
>> 2009-10-30 19:51:16,010 - prefs       : INFO        BLOCK_SERVICE: [None]
>> 2009-10-30 19:51:16,013 - prefs       : INFO        DAEMON_LOG: 
>> [/var/log/denyhosts]
>> 2009-10-30 19:51:16,015 - prefs       : INFO        
>> DAEMON_LOG_MESSAGE_FORMAT: [%(asctime)s - %(name)-12s: %(levelname)-8s 
>> %(message)s]
>> 2009-10-30 19:51:16,019 - prefs       : INFO        DAEMON_LOG_TIME_FORMAT: 
>> [None]
>> 2009-10-30 19:51:16,022 - prefs       : INFO        DAEMON_PURGE: [3600]
>> 2009-10-30 19:51:16,024 - prefs       : INFO        DAEMON_SLEEP: [30]
>> 2009-10-30 19:51:16,027 - prefs       : INFO        DENY_THRESHOLD_INVALID: 
>> [5]
>> 2009-10-30 19:51:16,029 - prefs       : INFO        
>> DENY_THRESHOLD_RESTRICTED: [1]
>> 2009-10-30 19:51:16,032 - prefs       : INFO        DENY_THRESHOLD_ROOT: [1]
>> 2009-10-30 19:51:16,034 - prefs       : INFO        DENY_THRESHOLD_VALID: 
>> [10]
>> 2009-10-30 19:51:16,037 - prefs       : INFO        FAILED_ENTRY_REGEX: 
>> [None]
>> 2009-10-30 19:51:16,039 - prefs       : INFO        FAILED_ENTRY_REGEX2: 
>> [None]
>> 2009-10-30 19:51:16,042 - prefs       : INFO        FAILED_ENTRY_REGEX3: 
>> [None]
>> 2009-10-30 19:51:16,044 - prefs       : INFO        FAILED_ENTRY_REGEX4: 
>> [None]
>> 2009-10-30 19:51:16,047 - prefs       : INFO        FAILED_ENTRY_REGEX5: 
>> [None]
>> 2009-10-30 19:51:16,049 - prefs       : INFO        FAILED_ENTRY_REGEX6: 
>> [None]
>> 2009-10-30 19:51:16,052 - prefs       : INFO        FAILED_ENTRY_REGEX7: 
>> [None]
>> 2009-10-30 19:51:16,054 - prefs       : INFO        HOSTNAME_LOOKUP: [NO]
>> 2009-10-30 19:51:16,057 - prefs       : INFO        HOSTS_DENY: 
>> [/etc/hosts.deniedssh]
>> 2009-10-30 19:51:16,059 - prefs       : INFO        LOCK_FILE: 
>> [/var/run/denyhosts.pid]
>> 2009-10-30 19:51:16,062 - prefs       : INFO        PLUGIN_DENY: [None]
>> 2009-10-30 19:51:16,064 - prefs       : INFO        PLUGIN_PURGE: [None]
>> 2009-10-30 19:51:16,067 - prefs       : INFO        PURGE_DENY: [172800]
>> 2009-10-30 19:51:16,069 - prefs       : INFO        PURGE_THRESHOLD: [2]
>> 2009-10-30 19:51:16,072 - prefs       : INFO        RESET_ON_SUCCESS: [no]
>> 2009-10-30 19:51:16,075 - prefs       : INFO        SECURE_LOG: 
>> [/var/log/auth.log]
>> 2009-10-30 19:51:16,077 - prefs       : INFO        SMTP_DATE_FORMAT: [%a, 
>> %d %b %Y %H:%M:%S %z]
>> 2009-10-30 19:51:16,080 - prefs       : INFO        SMTP_FROM: [DenyHosts 
>> <*...@***.**>]
>> 2009-10-30 19:51:16,082 - prefs       : INFO        SMTP_HOST: [localhost]
>> 2009-10-30 19:51:16,085 - prefs       : INFO        SMTP_PASSWORD: [None]
>> 2009-10-30 19:51:16,087 - prefs       : INFO        SMTP_PORT: [25]
>> 2009-10-30 19:51:16,090 - prefs       : INFO        SMTP_SUBJECT: [DenyHosts 
>> Report]
>> 2009-10-30 19:51:16,092 - prefs       : INFO        SMTP_USERNAME: [None]
>> 2009-10-30 19:51:16,095 - prefs       : INFO        SSHD_FORMAT_REGEX: [None]
>> 2009-10-30 19:51:16,097 - prefs       : INFO        SUCCESSFUL_ENTRY_REGEX: 
>> [None]
>> 2009-10-30 19:51:16,100 - prefs       : INFO        
>> SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS: [YES]
>> 2009-10-30 19:51:16,102 - prefs       : INFO        SYNC_DOWNLOAD: [yes]
>> 2009-10-30 19:51:16,105 - prefs       : INFO        
>> SYNC_DOWNLOAD_RESILIENCY: [18000]
>> 2009-10-30 19:51:16,107 - prefs       : INFO        SYNC_DOWNLOAD_THRESHOLD: 
>> [3]
>> 2009-10-30 19:51:16,110 - prefs       : INFO        SYNC_INTERVAL: [3600]
>> 2009-10-30 19:51:16,112 - prefs       : INFO        SYNC_SERVER: [None]
>> 2009-10-30 19:51:16,115 - prefs       : INFO        SYNC_UPLOAD: [yes]
>> 2009-10-30 19:51:16,117 - prefs       : INFO        SYSLOG_REPORT: [no]
>> 2009-10-30 19:51:16,120 - prefs       : INFO        
>> USERDEF_FAILED_ENTRY_REGEX: [authentication error for (?P<user>.*) .*from 
>> (?P<host>.*)]
>> 2009-10-30 19:51:16,122 - prefs       : INFO        WORK_DIR: 
>> [/usr/local/share/denyhosts/data]
>> 2009-10-30 19:51:16,160 - denyhosts   : INFO     restricted: set([])
>> 2009-10-30 19:51:19,021 - denyhosts   : INFO     Processing log file 
>> (/var/log/auth.log) from offset (109206)
>> 2009-10-30 19:51:23,779 - denyhosts   : INFO     new denied hosts: 
>> ['lvps87-230-78-78.dedicated.hosteurope.de', 'ns1.kevinro.ro', 
>> '11.232-136-217.adsl-static.isp.belgacom.be', 
>> 'hsi-kbw-078-043-171-159.hsi4.kabel-badenwuerttemberg.de', 
>> '77-20-157-105-dynip.superkabel.de', 
>> '227.138-78-194.adsl-static.isp.belgacom.be', 
>> '158.3-66-87.adsl-static.isp.belgacom.be', 
>> 'lvps87-230-78-177.dedicated.hosteurope.de']
>> 2009-10-30 19:51:24,344 - denyhosts   : INFO     launching DenyHosts daemon 
>> (version 2.6)...
>> 2009-10-30 19:51:24,417 - denyhosts   : INFO     DenyHosts daemon is now 
>> running, pid: 62926
>> 2009-10-30 19:51:24,427 - denyhosts   : INFO     send daemon process a TERM 
>> signal to terminate cleanly
>> 2009-10-30 19:51:24,430 - denyhosts   : INFO       eg.  kill -TERM 62926
>> 2009-10-30 19:51:24,442 - denyhosts   : INFO     monitoring log: 
>> /var/log/auth.log
>> 2009-10-30 19:51:24,560 - denyhosts   : INFO     sync_time: 3600
>> 2009-10-30 19:51:24,700 - denyhosts   : INFO     daemon_purge:      3600
>> 2009-10-30 19:51:24,706 - denyhosts   : INFO     daemon_sleep:      30
>> 2009-10-30 19:51:24,713 - denyhosts   : INFO     purge_sleep_ratio: 120
>> 2009-10-30 19:51:24,723 - denyhosts   : INFO     denyhosts synchronization 
>> disabled
>
>
>
>
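Added example (not part of the thread and not DenyHosts code): a small shell check for the two things discussed above, the UseDNS value sshd will read from its config file and the total versus unique entry counts in the deny file, plus a de-duplicated copy written to stdout. The function names, the sample files and the assumption that each entry sits directly below its "# DenyHosts:" annotation line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread. Sample data below is constructed.

# Print the UseDNS value from an sshd_config-style file ("unset" if absent).
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive; lines starting with '#' are comments.
usedns_setting() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "usedns" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Print "total unique" for entry lines, like the grep pipelines in the post
# (annotation lines containing "DenyHosts" and blank lines are skipped).
deny_counts() {
    awk '/DenyHosts/ || /^[ \t]*$/ { next }
         { total++; if (!seen[$0]++) unique++ }
         END { print total + 0, unique + 0 }' "$1"
}

# Write a de-duplicated copy to stdout: the first occurrence of each entry is
# kept together with the annotation line directly above it (assumed layout).
dedupe_deny() {
    awk '/^[ \t]*$/ { next }
         /DenyHosts/ { note = $0; next }
         { if (!seen[$0]++) { if (note != "") print note; print }
           note = "" }' "$1"
}

# Constructed sample files in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
#UseDNS no
Port 22
usedns yes
UseDNS no
EOF
cat > "$demo_dir/hosts.deniedssh" <<'EOF'
# DenyHosts: Fri Oct 30 19:51:23 2009 | host-a.example.net
host-a.example.net
# DenyHosts: Fri Oct 30 19:51:23 2009 | 192.0.2.10
192.0.2.10
# DenyHosts: Fri Oct 30 19:58:16 2009 | host-a.example.net
host-a.example.net
EOF

echo "UseDNS: $(usedns_setting "$demo_dir/sshd_config")"
echo "total/unique: $(deny_counts "$demo_dir/hosts.deniedssh")"
dedupe_deny "$demo_dir/hosts.deniedssh"
```

The sample config shows why a commented-out "#UseDNS no" or a later "UseDNS no" does not help when an earlier active line says yes. On a live host, sshd -T prints the effective configuration, including the value used when the keyword is absent from the file.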

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
