
#43 All IPs added to hosts-root and hosts-restricted

open
nobody
None
5
2015-09-30
2009-08-06
Anonymous
No

Hi, running on Ubuntu 9.04 and the denyhosts 2.6-5 package. When I first install it, I notice that hosts, hosts-root and hosts-restricted *all* have the same IP addresses in them with 0 login attempts. In hosts-root, for example, for IPs I know tried to log in as root, the "number of times" field is set to 0 - is this normal?
auth.log:
Aug 6 09:46:38 ianu sshd[15383]: User root from 59.103.0.133 not allowed because not listed in AllowUsers
Aug 6 09:46:38 ianu sshd[15383]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.103.0.133 user=root

hosts-root:
59.103.0.133:0:Thu Aug 6 14:21:23 2009

Now Denyhosts is adding the right IPs to hosts.deny, so I don't think this is causing it a problem, but it does make administering the machine harder as it is not accurately logging the information in the security log.
Denyhosts is still correctly

Discussion

  • Robert Wyatt

    Robert Wyatt - 2009-08-06

    I'm not an expert on Ubuntu, but this log indicates to me that it is your ssh daemon that is refusing to let user root log in (which is a good idea in my book since a user may change to root with su or obtain root privileges with sudo).

    (By the way, why is this on the tracker and not on the mailing list?)

     
  • Nobody/Anonymous

    Thanks, yes, I use AllowUsers to limit root login. My issue is irrespective of that though. The regexes Denyhosts uses should and do recognise root login attempts - if I look in users-invalid I see:

    root:16:Fri Aug 7 00:39:31 2009

    16 login attempts by root. But hosts-root shows 0 login attempts by every IP, valid and invalid that has hit my SSH port.

    I added this to the tracker as I thought this was the place to report bugs - is the mailing list a more visible target?

     
  • Nobody/Anonymous

    Is this the same issue as bug ID:2741691?

     
  • Daniel Sutcliffe

    I have come across this behavior too, and responded to the note of it here http://serverfault.com/q/647153/310481

    I believe it is the AGE_RESET_* configs that are the root cause of these zero count entries.

    Adding zero count entries to these files when there has never been a previous entry (and often does not need to be) makes them grow very large, so it could be a problem for efficiency's sake, but otherwise this issue does not seem to cause any harm.

    This SF DenyHosts project is currently unmaintained - please see followups to this bug under the GitHub denyhosts project https://github.com/denyhosts/denyhosts/issues/48

     

    Last edit: Daniel Sutcliffe 2015-10-02
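An added example, not part of this thread and not DenyHosts code: a small audit that compares hosts-root counts with the root login refusals visible in auth.log, separating entries the log contradicts from plain zero-count filler. It assumes IPv4 addresses and the `ip:count:timestamp` layout quoted in the ticket; the function names are hypothetical, and the 192.0.2.10 and 198.51.100.7 records and the "Invalid user" line are constructed sample data.

```python
import re
from collections import Counter

# Work-file record as quoted in the ticket: <ip>:<count>:<ctime-style timestamp>
WORK_LINE = re.compile(r"^(?P<key>[^:]+):(?P<count>\d+):(?P<stamp>.+)$")
# sshd message quoted in the ticket for a root login refused by AllowUsers.
ROOT_DENIED = re.compile(
    r"sshd\[\d+\]: User root from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) not allowed")

# Sample input: the 59.103.0.133 lines come from the ticket, the rest is constructed.
HOSTS_ROOT = (
    "59.103.0.133:0:Thu Aug 6 14:21:23 2009\n"
    "192.0.2.10:0:Thu Aug 6 14:21:23 2009\n"
    "198.51.100.7:3:Thu Aug 6 14:21:23 2009\n")
AUTH_LOG = (
    "Aug 6 09:46:38 ianu sshd[15383]: User root from 59.103.0.133 not allowed because not listed in AllowUsers\n"
    "Aug 6 09:46:38 ianu sshd[15383]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.103.0.133 user=root\n"
    "Aug 6 09:50:02 ianu sshd[15390]: Invalid user test from 192.0.2.10\n")

def parse_work_file(text):
    """Return {ip: recorded_count}; lines that do not fit the layout are skipped."""
    records = {}
    for line in text.splitlines():
        m = WORK_LINE.match(line.strip())
        if m:
            records[m.group("key")] = int(m.group("count"))
    return records

def root_attempts(auth_log):
    """Count refused root logins per source IP found in auth.log text."""
    return Counter(m.group("ip") for m in ROOT_DENIED.finditer(auth_log))

def audit(hosts_root_text, auth_log):
    """Classify each hosts-root entry against what auth.log actually shows."""
    seen = root_attempts(auth_log)
    report = {}
    for ip, recorded in parse_work_file(hosts_root_text).items():
        if recorded == 0 and seen[ip] > 0:
            report[ip] = ("undercounted", seen[ip])    # log shows root attempts
        elif recorded == 0:
            report[ip] = ("zero-count filler", 0)      # no root attempt in the log
        else:
            report[ip] = ("counted", recorded)
    return report

if __name__ == "__main__":
    for ip, (status, n) in audit(HOSTS_ROOT, AUTH_LOG).items():
        print(f"{ip}: {status} ({n})")
```
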
