On Tue, Jan 20, 2009 at 3:49 PM, Joshua Murphy <poisonbl@×××××.com> wrote:
> On Tue, Jan 20, 2009 at 4:33 PM, Paul Hartman
> <paul.hartman+gentoo@×××××.com> wrote:
>> Hi,
>>
>> After setting up public key authentication I changed my sshd back to
>> port 22 and got the expected bombardment of connection attempts.
>> However, it doesn't seem to ever stop them. I'm using sshd with this
>> setting:
>>
>> MaxAuthTries 3
>>
>> in my /etc/ssh/sshd_config
>>
>> So, why does it allow unlimited failed login attempts? For example, as
>> I write this I'm seeing this in my logs:
>>
> <snip>
>>
>> I'm using denyhosts but it seems that it doesn't deny anyone until an
>> hour has passed, despite the fact I'm using the daemon which
>> constantly monitors the log file... by which time hundreds or
>> thousands of attempts can be made. Maybe that's a configuration issue
>> on my denyhosts setup, but shouldn't sshd be blocking them in the
>> first place?
>>
>> Thanks,
>> Paul
>
> I'm pretty sure MaxAuthTries 3 does nothing more than disconnect you
> after 3 failed connections (meaning all you have to do is reconnect to
> keep trying)... it doesn't do any sort of 'intelligent' protection of
> the system. DenyHosts worked great for me while I used it, but I also
> found that a firewall rule limiting connection attempts to 3 per
> source IP per 10-minute period put a big dent in the number of tries
> that denyhosts ever even had to see (though they were always enough to
> get that source blacklisted; I had things set rather restrictive).
> Something I was pointed towards on IRC, in the event that the SSH
> server you're running is primarily for your use or the use of
> knowledgeable users (fellow admins)... look up Single Packet
> Authorization (SPA).

I'm using the online denyhosts synchronization database. I think that
may negatively affect how often it blocks hosts locally, because it
waits until it does a remote sync to scan the local file. This is my
theory. I like the idea of sharing my blocks and taking advantage of
the blocks of others, but if it renders the program ineffective
against the IP /actively/ attacking my system, then it's pointless.

I'm going to turn off the online sharing of denyhosts and see if it
makes a difference.

Otherwise I guess I need to set up some kind of local firewall on this
machine to get any more fine control over the connections.

Thanks
Paul
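The threshold Joshua describes (3 attempts per source IP per 10 minutes), applied to sshd's own syslog lines as the kind of log-driven check a daemon like denyhosts performs, as an added example that is not part of the thread or of denyhosts itself. The host name, the year (sshd's syslog timestamps carry none) and the log lines are constructed assumptions.

```python
"""Added example, not from the thread: Joshua's "3 attempts per source IP per
10 minutes" threshold applied to sshd's syslog lines, so a log-driven blocker
(denyhosts' job) acts on the attempt that crosses it. Host, year, log lines: constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \w+ for "
    r"(?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed stand-in for the log lines Paul snipped (RFC 5737 test addresses).
SAMPLE_LOG = """\
Jan 20 15:49:01 gentoo sshd[4321]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jan 20 15:49:03 gentoo sshd[4322]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Jan 20 15:49:05 gentoo sshd[4323]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jan 20 15:49:08 gentoo sshd[4324]: Accepted publickey for paul from 198.51.100.7 port 51000 ssh2
Jan 20 15:49:09 gentoo sshd[4325]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Jan 20 15:50:00 gentoo sshd[4326]: Failed password for invalid user oracle from 203.0.113.5 port 33000 ssh2
Jan 20 16:05:00 gentoo sshd[4327]: Failed password for invalid user oracle from 203.0.113.5 port 33001 ssh2
Jan 20 16:06:00 gentoo sshd[4328]: Failed password for invalid user oracle from 203.0.113.5 port 33002 ssh2
Jan 20 16:07:00 gentoo sshd[4329]: Failed password for invalid user oracle from 203.0.113.5 port 33003 ssh2
""".splitlines()

def parse_failure(line, year=2009):
    """(timestamp, source_ip) for a failed-auth line, else None; syslog lacks the year."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_offenders(lines, max_failures=3, window_seconds=600):
    """Per-source sliding window; returns {ip: time of the failure that exceeded the limit}."""
    recent = defaultdict(deque)
    blocked = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successful logins and unrelated lines do not count
        ts, ip = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # forget failures older than the window
        if len(window) > max_failures:
            blocked.setdefault(ip, ts)  # keep the first time the limit was crossed
    return blocked
```

On the sample, 192.0.2.10 crosses the limit on its fourth failure at 15:49:09, while 203.0.113.5 never has more than three failures inside any 10-minute window and stays unblocked.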