| 1 |
On Tue, Jan 20, 2009 at 3:49 PM, Joshua Murphy <poisonbl@×××××.com> wrote: |
| 2 |
> On Tue, Jan 20, 2009 at 4:33 PM, Paul Hartman |
| 3 |
> <paul.hartman+gentoo@×××××.com> wrote: |
| 4 |
>> Hi, |
| 5 |
>> |
| 6 |
>> After setting up public key authentication i changed my sshd back to |
| 7 |
>> port 22 and got the expected bombardment of connection attempts. |
| 8 |
>> However, it doesn't seem to ever stop them. I'm using sshd with this |
| 9 |
>> setting: |
| 10 |
>> |
| 11 |
>> MaxAuthTries 3 |
| 12 |
>> |
| 13 |
>> in my /etc/ssh/sshd_config |
| 14 |
>> |
| 15 |
>> So, why does it allow unlimited failed login attempts? For example, as |
| 16 |
>> I write this I'm seeing this in my logs: |
| 17 |
>> |
| 18 |
> <snip> |
| 19 |
>> |
| 20 |
>> I'm using denyhosts but it seems that it doesn't deny anyone until an |
| 21 |
>> hour has passed, despite the fact I'm using the daemon which |
| 22 |
>> constantly monitors the log file... by which time hundreds or |
| 23 |
>> thousands of attempts can be made. Maybe that's a configuration issue |
| 24 |
>> on my denyhosts setup, but shouldn't sshd be blocking them in the |
| 25 |
>> first place? |
| 26 |
>> |
| 27 |
>> Thanks, |
| 28 |
>> Paul |
| 29 |
> |
| 30 |
> I'm pretty sure MaxAuthTries 3 does nothing more than disconnect you |
| 31 |
> after 3 failed connections (meaning all you have to do is reconnect to |
| 32 |
> keep trying)... it doesn't do any sort of 'intelligent' protection of |
| 33 |
> the system. DenyHosts worked great for me while I used it, but I also |
| 34 |
> found that a firewall rule limiting connection attempts to 3 per |
| 35 |
> source IP per 10 minute period put a big dent in the number of tries |
| 36 |
> that denyhosts ever even had to see (though they were always enough to |
| 37 |
> get that source blacklisted, I had things set rather restrictive). |
| 38 |
> Something I was pointed towards on IRC, in the event that the SSH |
| 39 |
> server you're running is primarily for your use or the use of |
| 40 |
> knowledgeable users (fellow admins)... look up Single Packet |
| 41 |
> Authorization (SPA). |
| 42 |
|
| 43 |
I'm using the online denyhosts synchronization database, I think that |
| 44 |
may negatively affect how often it blocks hosts locally, because it |
| 45 |
waits until it does a remote sync to scan the local file. This is my |
| 46 |
theory. I like the idea of sharing my blocks and taking advantage of |
| 47 |
the blocks of others, but if it renders the program ineffective |
| 48 |
against the IP /actively/ attacking my system, then it's pointless. |
| 49 |
|
| 50 |
I'm going to turn off the online sharing of denyhosts and see if it |
| 51 |
makes a difference. |
| 52 |
|
| 53 |
Otherwise I guess I need to set up some kind of local firewall on this |
| 54 |
machine to get any more fine control over the connections. |
| 55 |
|
| 56 |
Thanks |
| 57 |
Paul |
Archives