Hi, running on Ubuntu 9.04 and the denyhosts 2.6-5 package. When I first install it, I notice that hosts, hosts-root and hosts-restricted *all* have the same IP addresses in them with 0 login attempts. In hosts-root for example for IPs I know tried to login as root, the "number of times" field is set to 0 - is this normal?
auth.log:
Aug 6 09:46:38 ianu sshd[15383]: User root from 59.103.0.133 not allowed because not listed in AllowUsers
Aug 6 09:46:38 ianu sshd[15383]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.103.0.133 user=root
hosts-root:
59.103.0.133:0:Thu Aug 6 14:21:23 2009
Now Denyhosts is adding the right IPs to hosts.deny, so I don't think this is causing it a problem, but it does make administering the machine harder as it is not accurately logging the information in the security log.
Denyhosts is still correctly
I'm not an expert on Ubuntu, but this log indicates to me that it is your ssh daemon that is refusing to let user root log in (which is a good idea in my book since a user may change to root with su or obtain root privileges with sudo).
(By the way, why is this on the tracker and not on the mailing list?)
Thanks, yes, I use AllowUsers to limit root login. My issue is irrespective of that though. The regexes Denyhosts uses should and do recognise root login attempts - if I look in users-invalid I see:
root:16:Fri Aug 7 00:39:31 2009
16 login attempts by root. But hosts-root shows 0 login attempts by every IP, valid and invalid that has hit my SSH port.
I added this to the tracker as I thought this was the place to report bugs - is the mailing list a more visible target?
Is this the same issue as bug ID:2741691?
I have come across this behavior too, and responded to the note of it here http://serverfault.com/q/647153/310481
I believe it is the
AGE_RESET_*
configs that are the root cause of these zero count entires.Adding zero count entries to these files when there has never been previous entry (and often does not need to be) makes them grow very large so could be a problem for efficiencies sake, but otherwise this issue does not seem to cause any harm.
This SF DenyHosts project is currently unmaintained - please see followups to this bug under the GitHub denyhosts project https://github.com/denyhosts/denyhosts/issues/48
Last edit: Daniel Sutcliffe 2015-10-02