On Sun, Aug 24, 2008 at 01:30:02PM -0700, Andrew Lentvorski wrote:
> I'm not a big fan of DenyHosts because I'm not sure the whole idea was thought out that well. It works okay under small load (at which point I probably don't need it), but I wonder how it would fare under real attack.
As far as I know, everything it has ever blocked has been a "real" attack. I'm not sure why else random machines would try logging in as dozens of users on my machine. What kind of attack do you think it is trying to prevent? The attack it is designed to block is a very real worm. Machines like 'mail.harvestmeat.com' have been running this worm for almost 3 years now. It's not a denial of service attack, or an attempt to break the machine. It is looking for machines it can load its own code on, mostly to start trying to attack other machines, but probably to ultimately run some kind of payload, probably to send spam.
> If someone is really trying to break my machine, logging the attempts to a file basically lets them denial-of-service me. Furthermore, you can elude DenyHosts by making a burst of attempts before DenyHosts makes its periodic run. Or, if DenyHosts runs on every attempt, then it's an even bigger DoS generator.
Assuming none of my accounts actually have the weak passwords that they are attempting, DenyHosts's only real purpose is to _prevent_ a denial-of-service attack. Every ssh setup I've ever seen already logs all attempts to a log file. This has nothing to do with DenyHosts. DenyHosts just reads this file periodically, and looks for patterns. The hosts that trigger the thresholds are blocked. Provided there are no weak passwords, the only advantage I get from this is that sshd spends less CPU time computing exponents for fresh connections. If you're set to not allow password logins, sshd should reject the connection before negotiating a key, so there probably isn't much benefit to running it. Another benefit to DenyHosts is that it is capable of sharing the host lists with others.

David
-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
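The threshold approach David describes (read the sshd log, count failed logins per source host, block the hosts that cross a limit) as an added illustration; this is not DenyHosts's own code. The log lines, the threshold values, and the function names are constructed for this example, and the output is rendered in the /etc/hosts.deny format that TCP wrappers read.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original thread).
# One host hammers several usernames, one legitimate user mistypes once
# and then logs in with a key, one host makes a single probe.
SAMPLE_LOG = """\
Aug 24 13:01:02 host sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 51214 ssh2
Aug 24 13:01:05 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51220 ssh2
Aug 24 13:01:09 host sshd[2105]: Failed password for root from 203.0.113.7 port 51231 ssh2
Aug 24 13:01:12 host sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Aug 24 13:02:30 host sshd[2110]: Failed password for david from 198.51.100.4 port 40022 ssh2
Aug 24 13:02:41 host sshd[2112]: Accepted publickey for david from 198.51.100.4 port 40023 ssh2
Aug 24 13:03:00 host sshd[2115]: Failed password for invalid user guest from 192.0.2.9 port 33001 ssh2
"""

# Matches the OpenSSH "Failed password" message; the optional
# "invalid user " prefix marks attempts against non-existent accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return {ip: (failure_count, set_of_usernames_tried)} per source host.

    Successful logins ("Accepted ...") are ignored; only failures count.
    """
    totals = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        totals[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    return {ip: (totals[ip], users[ip]) for ip in totals}


def hosts_to_block(log_text, max_failures=3, max_distinct_users=3):
    """Apply two hypothetical thresholds and return the hosts to block.

    A host is blocked when it exceeds max_failures total failed logins,
    or when it has tried max_distinct_users or more different usernames,
    which is the "dozens of users" pattern the worm produces.
    """
    blocked = set()
    for ip, (count, names) in count_failures(log_text).items():
        if count >= max_failures or len(names) >= max_distinct_users:
            blocked.add(ip)
    return sorted(blocked)


def render_hosts_deny(blocked, daemon="sshd"):
    """Render block entries in /etc/hosts.deny syntax ("sshd: 203.0.113.7")."""
    return "\n".join(f"{daemon}: {ip}" for ip in blocked)


if __name__ == "__main__":
    # One "periodic run" over the sample log.
    blocked_hosts = hosts_to_block(SAMPLE_LOG)
    print(render_hosts_deny(blocked_hosts))
```

Running the script once is one periodic pass over the log: the single mistyped password from the legitimate user stays under both thresholds, while the host cycling through usernames is the only entry written out.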
