From: <rb...@ca...> - 2006-09-22 02:09:39
Kyle Claisse wrote:
> I have been running DenyHosts for about a few weeks now and it has more or
> less done its job. But just recently I noticed on my daily logwatches
> that a few IPs were not being denied. I set the maximum number of tries
> for any user name to be 3. But my logs clearly show more tries coming from
> IPs.
[snip]
> sshd:
>    Authentication Failures:
>       unknown (137.82.206.83): 13 Time(s)
>       root (64.34.105.116): 7 Time(s)
>       unknown (222.91.92.185): 3 Time(s)
>       unknown (host188-178-static.189-82-b.business.telecomitalia.it): 3 Time(s)
>       root (211.98.88.125): 1 Time(s)
>    Invalid Users:
>       Unknown Account: 19 Time(s)
>
>
> Notice that one of the IPs (137.82.206.83) has 13 login failures. What's
> up with that?

It depends on the scan time: if you scan, say, every 15 seconds and the attacker is going at 1 per second, then the mean case will try about 8 times, the worst case will try 15 or probably 16 because of the time it takes DenyHosts to add the entry and sshd to pick it up.

It will rarely ever be stopped at 3, which is the best case and will only happen if the attacker is going real slow.

> OK. Now, just in case, I would like to note that this is my first post in a
> sourceforge mailing list or any mailing list for that matter. I hope it
> went right.

Looks fine ;-)

-- 
René Berber
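The timing described in the reply above can be worked through with a small model; this is an added example, not part of the original message and not DenyHosts code. It assumes a scanner that wakes at a fixed interval, blocks a host once it has seen `threshold` failures, and needs `pickup_ms` more before the block takes effect; all function and parameter names are hypothetical.

```python
def attempts_before_block(offset_ms, scan_ms, period_ms, threshold, pickup_ms=0):
    """Failed logins made before a polling log scanner's block takes effect.

    Assumed model: scans run at scan_ms, 2*scan_ms, ...; the first attempt
    arrives offset_ms after the scan at time 0 and repeats every period_ms.
    """
    # Moment the threshold-th failure is written to the log.
    t_threshold = offset_ms + (threshold - 1) * period_ms
    # First scan at or after that moment (ceiling division, at least scan 1).
    scan_no = max(1, -(-t_threshold // scan_ms))
    # The block only applies once the deny entry is written and picked up.
    t_block = scan_no * scan_ms + pickup_ms
    # Attempts at offset, offset+period, ... up to and including t_block.
    return (t_block - offset_ms) // period_ms + 1


def summarize(scan_ms, period_ms, threshold, pickup_ms=0, step_ms=100):
    """(best, mean, worst) over every attacker start phase within one scan window."""
    counts = [
        attempts_before_block(o, scan_ms, period_ms, threshold, pickup_ms)
        for o in range(0, scan_ms, step_ms)
    ]
    return min(counts), round(sum(counts) / len(counts), 1), max(counts)


if __name__ == "__main__":
    # Constructed scenario based on the thread: threshold 3, one attempt per
    # second, scan every 15 s; the 5 s and 1 s intervals are for comparison.
    for scan_s in (15, 5, 1):
        best, avg, worst = summarize(scan_s * 1000, 1000, 3)
        print(f"scan every {scan_s:>2}s: best={best} mean={avg} worst={worst}")
    # A slow attacker (one attempt every 20 s) is stopped right at the threshold.
    print("slow attacker:", attempts_before_block(0, 15000, 20000, 3))
```

Shortening the scan interval is what tightens the gap between the configured threshold and the counts that show up in the logwatch report.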