On Thu, Jan 22, 2009 at 10:37 AM, James Homuth <ja...@the-jdh.com> wrote: > > > -----Original Message----- > From: news [mailto:n...@ger.gmane.org] On Behalf Of Nikos Chantziaras > Sent: January 22, 2009 11:07 AM > To: gentoo-user@lists.gentoo.org > Subject: [gentoo-user] Re: Why isn't sshd blocking repeated failed login > attempts? > > Paul Hartman wrote: >> On Wed, Jan 21, 2009 at 11:53 AM, Nikos Chantziaras <rea...@arcor.de> > wrote: >>> Can you check the logs to see the timespan in which those hundreds of >>> attempts took place? Also, what's the time interval Denyhosts checks >>> for login attempts? >> >> The most recently denied host from this afternoon made over 200 login >> attempts in a span of 17 minutes before denyhosts caught it. In my >> denyhosts.conf I have these: >> >> DENY_THRESHOLD_INVALID = 3 >> DENY_THRESHOLD_VALID = 3 >> DENY_THRESHOLD_ROOT = 1 >> DENY_THRESHOLD_RESTRICTED = 1 > > What is the value of DAEMON_SLEEP? > > > Denyhosts doesn't pick up on certain types of PAM auth regular expressions. > If any of those appear in your logs during those 200+ attempts, Denyhosts is > probably not reading them. I've already reported it > (http://bugs.gentoo.org/show_bug.cgi?id=248047) if you want to add anything > to it.
I don't use PAM in sshd so I don't think that's my problem, but the whole regexp thing is a possiblity in general as someone else suggested. I will check into it tonight after work. Thanks, Paul