
denyhosts is always denying


John Taylor

Nov 17, 2009, 3:46:27 AM
Hi,

I've just set up a new server with Debian 5.0.3, and installed denyhosts
to help protect ssh.

However, while it is blocking some IP addresses, there are still a lot of
attempts that it is letting through.
e.g. from logwatch report:

Nov 16 12:24:17 sshd: Failed password for root from 58.218.250.111 port 50963 ssh2: 1 Time(s)
Nov 16 12:24:21 sshd: Failed password for root from 58.218.250.111 port 51283 ssh2: 1 Time(s)
Nov 16 12:24:26 sshd: Failed password for root from 58.218.250.111 port 51597 ssh2: 1 Time(s)
Nov 16 12:24:30 sshd: Failed password for root from 58.218.250.111 port 51885 ssh2: 1 Time(s)
Nov 16 12:24:36 sshd: Failed password for root from 58.218.250.111 port 52166 ssh2: 1 Time(s)
Nov 16 12:24:41 sshd: Failed password for root from 58.218.250.111 port 52464 ssh2: 1 Time(s)
Nov 16 12:24:46 sshd: Failed password for root from 58.218.250.111 port 52772 ssh2: 1 Time(s)
Nov 16 12:24:51 sshd: Failed password for root from 58.218.250.111 port 53034 ssh2: 1 Time(s)
Nov 16 12:24:56 sshd: Failed password for root from 58.218.250.111 port 53335 ssh2: 1 Time(s)
Nov 16 12:25:00 sshd: Failed password for root from 58.218.250.111 port 53665 ssh2: 1 Time(s)
Nov 16 12:25:05 sshd: Failed password for root from 58.218.250.111 port 53982 ssh2: 1 Time(s)
Nov 16 12:25:11 sshd: Failed password for root from 58.218.250.111 port 54333 ssh2: 1 Time(s)
Nov 16 12:25:16 sshd: Failed password for root from 58.218.250.111 port 54765 ssh2: 1 Time(s)
Nov 16 12:25:22 sshd: Failed password for root from 58.218.250.111 port 55143 ssh2: 1 Time(s)

AND

Failed logins from:
58.218.250.111: 14 times
root/password: 14 times

I have root set to deny after 1 failed attempt, and the others at 5
attempts:

#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed
# login attempts has exceeded this value. This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 5
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_ROOT: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 1
#
#######################################################################


#######################################################################
#
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# usernames that appear in the WORK_DIR/restricted-usernames file only.
#
DENY_THRESHOLD_RESTRICTED = 1
#
#######################################################################

What am I doing wrong ?

Thanks
JohnT


John Taylor

Nov 17, 2009, 4:37:14 AM
Doh!
Fixed subject line !

Moe Trin

Nov 17, 2009, 2:47:14 PM
On Tue, 17 Nov 2009, in the Usenet newsgroup comp.os.linux.setup, in article
<hdtnt3$8p7$1...@news.eternal-september.org>, John Taylor wrote:

>However, while it is blocking some IP addresses, there are still a lot of
>attempts that it is letting through.

> Failed logins from:


> 58.218.250.111: 14 times
> root/password: 14 times
>
>I have root set to deny after 1 failed attempt, and the others at 5
>attempts:

Look at that log again, specifically at the source port number. There
were 14 attempts, but from 14 different source port numbers. I'm not
sure that's the cause, as I don't need/use this Self-Denial-Of-Service
tool (and don't read Python that well, but it is just Python scripts).
Are you a world traveler, and need to permit access to your ssh server
from all 2.95 billion IPv4 addresses in use in the world? My firewall
limits access to the server port to 1530 addresses - two /24 and a /22,
because I can't see any reason to allow connections from you or anyone
else that I haven't approved in advance, and I really don't expect
authorized users to be connecting from Kazakhstan, Kenya, Kiribati,
Korea, or Kuwait or a lot of other places either. Lest someone from
those countries object, I also don't allow access from nearly all ISPs
in North America. Not expected == not allowed. While that doesn't
eliminate all spurious login attempts, it sure reduces the number.

By the way, did you set the 'PURGE_DENY' value, or are you banning
addresses permanently - one at a time makes a beautiful hosts.deny
file size and ought to slow things down nicely.

Old guy

John Taylor

Nov 17, 2009, 5:09:40 PM
On Tue, 17 Nov 2009 13:47:14 -0600, Moe Trin wrote:

> On Tue, 17 Nov 2009, in the Usenet newsgroup comp.os.linux.setup, in
> article <hdtnt3$8p7$1...@news.eternal-september.org>, John Taylor wrote:
>
>>However, while it is blocking some IP addresses, there are still a lot
>>of attempts that it is letting through.
>
>> Failed logins from:
>> 58.218.250.111: 14 times
>> root/password: 14 times
>>
>>I have root set to deny after 1 failed attempt, and the others at 5
>>attempts:
>
> Look at that log again, specifically at the source port number. There
> were 14 attempts, but from 14 different source port numbers. I'm not
> sure that's the cause,

Yes, I noticed that - but I would expect the source address to change
each time - I don't think that should affect it.

> as I don't need/use this Self-Denial-Of-Service
> tool (and don't read Python that well, but it is just Python scripts).
> Are you a world traveler, and need to permit access to your ssh server
> from all 2.95 billion IPv4 addresses in use in the world? My firewall
> limits access to the server port to 1530 addresses - two /24 and a /22,
> because I can't see any reason to allow connections from you or anyone
> else that I haven't approved in advance, and I really don't expect
> authorized users to be connecting from Kazakhstan, Kenya, Kiribati,
> Korea, or Kuwait or a lot of other places either. Lest someone from
> those countries object, I also don't allow access from nearly all ISPs
> in North America. Not expected == not allowed. While that doesn't
> eliminate all spurious login attempts, it sure reduces the number.

A large number of people will be accessing the server through various
ISPs and may well be in other countries, so limiting IP address range is
not appropriate.

>
> By the way, did you set the 'PURGE_DENY' value, or are you banning
> addresses permanently - one at a time makes a beautiful hosts.deny file
> size and ought to slow things down nicely.

Ah !
I didn't think of that - Maybe I should set PURGE_DENY.

Thanks
JohnT

Moe Trin

Nov 18, 2009, 9:14:47 PM
On Tue, 17 Nov 2009, in the Usenet newsgroup comp.os.linux.setup, in article
<hdv6v4$sbr$1...@news.eternal-september.org>, John Taylor wrote:

>Moe Trin wrote:

>> Look at that log again, specifically at the source port number.
>> There were 14 attempts, but from 14 different source port numbers.
>> I'm not sure that's the cause,

>Yes, I noticed that - but I would expect the source address to change
>each time - I don't think that should affect it.

"source address" changing each time would defeat virtually all log
reader tools like Denyhosts, as they're looking for repeats from the
same address. Blocking an address after a single bad login is just
another self-DOS technique.

>A large number of people will be accessing the server through various
>ISP's and may well be in other countries, so limiting IP address
>range is not appropriate.

Your setup, not mine - but I'd still look closely at that aspect.

>> By the way, did you set the 'PURGE_DENY' value, or are you banning
>> addresses permanently - one at a time makes a beautiful hosts.deny
>> file size and ought to slow things down nicely.

>Ah !
>I didn't think of that - Maybe I should set PURGE_DENY.

Most of this activity is from 'bots and scripts, and they lose
interest in a system after a few minutes of no response. Setting the
blocking period to something like ten minutes is usually enough to
deter an individual address (but not a bot-net which a log reader
can't handle anyway), and also limits the self-denial-of-service time
when someone is spoofing the address of a system critical to your
normal operations. Some time ago, we had some idiot attempting to DOS
some systems in our DMZ by spoofing attacks using our published DNS
IPs as the source - not realizing that the DMZ servers use different
DNS servers and that our systems don't use a tool like Denyhosts. Two
extra rules on the perimeter firewall fixed that nuisance.

Old guy

John Taylor

Nov 23, 2009, 4:25:13 AM
On Tue, 17 Nov 2009 09:37:14 +0000, John Taylor wrote:

> Doh!
> Fixed subject line !
>
> On Tue, 17 Nov 2009 08:46:27 +0000, John Taylor wrote:
>
>> Hi,
>>
>> I've just setup a new server with Debian 5.0.3, and installed denyhosts
>> to help protect ssh.
>>
>> However, while it is blocking some IP addresses, there are still a lot
>> of attempts that it is letting through. e.g. from logwatch report:
>>
>> Nov 16 12:24:17 sshd: Failed password for root from 58.218.250.111
>> port 50963 ssh2: 1 Time(s)

>> [repeated Lots of times]

...

For anyone who experiences similar issues:

I've finally tracked this down !
It wasn't denying AT ALL

I finally spotted that I had ALL:ALL in hosts.allow !
So everyone was being allowed regardless of hosts.deny.
Is this the Debian default ? - not what I would have expected !

I now have a nice clean logwatch with only a few attempts from each ip :-)

Regards
JohnT

Moe Trin

Nov 23, 2009, 2:47:22 PM
On Mon, 23 Nov 2009, in the Usenet newsgroup comp.os.linux.setup, in article
<hedkdp$fg2$1...@news.eternal-september.org>, John Taylor wrote:

>I've finally tracked this down !
>It wasn't denying AT ALL

>I finally spotted that I had ALL:ALL in hosts.allow !

Whoops!!! That's certainly not going to help ;-)

>So everyone was being allowed regardless of hosts.deny.
>Is this the Debian default ? - not what I would have expected !

I don't think I've ever seen that, so I'd have to say it's not the
default. The only "ALL:" line I expect to see there is for the
loopback addresses.

>I now have a nice clean logwatch with only a few attempts from each
>ip :-)

Keep an eye on the size of /etc/hosts.deny to make sure it isn't
growing out of control. If it does, you can be wasting more CPU
cycles checking libwrap for each and every connection than you
would letting the script kiddiez connect and continue to guess
wrong. That's the 'PURGE_DENY' value.

Old guy
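The hosts.allow precedence that John ran into, shown as an added example (not code from the thread, from DenyHosts or from tcp_wrappers): a small simulation of the libwrap lookup order, run against a constructed hosts.deny entry of the form DenyHosts writes (assumed to be "sshd: 58.218.250.111") and both the "ALL: ALL" hosts.allow and the loopback-only one Moe describes. It understands only ALL, exact IPv4 addresses and dotted prefixes, not EXCEPT, netmasks or hostnames.

```python
# Added example (not from the thread or from DenyHosts): a simulation of the
# tcp_wrappers / libwrap lookup order that explains why a hosts.deny full of
# DenyHosts entries did nothing while hosts.allow contained "ALL: ALL".
# Simplifications (assumptions): only ALL, exact IPv4 addresses and dotted
# prefixes like "192.168.1." are understood; no EXCEPT, netmasks or hostnames.

def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def pattern_matches(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                   # "10.0.0." matches 10.0.0.x
        return value.startswith(pattern)
    return pattern == value

def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(pattern_matches(d, daemon) for d in daemons)
            and any(pattern_matches(c, client) for c in clients))

def wrapper_decision(hosts_allow, hosts_deny, daemon, client):
    """libwrap order: a hosts.allow match grants access and stops the search,
    then a hosts.deny match refuses, and no match in either file means allow."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(hosts_allow)):
        return "allow"
    if any(rule_matches(r, daemon, client) for r in parse_rules(hosts_deny)):
        return "deny"
    return "allow"

# Constructed sample files: the entry DenyHosts would add for the host in the
# logwatch report, the broken hosts.allow, and a loopback-only replacement.
HOSTS_DENY = "sshd: 58.218.250.111\n"
HOSTS_ALLOW_BROKEN = "ALL: ALL\n"
HOSTS_ALLOW_FIXED = "ALL: 127.0.0.1\n"

if __name__ == "__main__":
    for name, allow in (("broken", HOSTS_ALLOW_BROKEN), ("fixed", HOSTS_ALLOW_FIXED)):
        print(name, wrapper_decision(allow, HOSTS_DENY, "sshd", "58.218.250.111"))
```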
