From: Phil S. <phi...@us...> - 2008-01-18 00:44:55
First thing you should do Dave is to run DH in --debug mode:

    /etc/init.d/denyhosts restart --debug

then:

    tail -f /var/log/denyhosts

Observe the output of when people attempt to login via ssh. That should
offer clues to what DH is (or isn't) doing.

Also, at the bottom of the DH homepage there is a section: "Need Help?"
which details the info I would need in order to troubleshoot the
regex'es.

Regards,

Phil

On Thu, 17 Jan 2008, David Burns wrote:

> I suspect that my log is in an unusual format. What sort of steps
> should I take to troubleshoot? Is there a doc somewhere I've
> overlooked that explains what denyhosts looks for in the logs, and
> what it ignores, and how to make it more verbose, etc.? Symptom seems
> to be that it eventually denies everyone. I've white-listed our local
> machines, but whenever someone tries to ssh in from outside our local
> net there is trouble.
> Thanks,
> Dave
>
> On Jan 9, 2008 12:57 PM, Phil Schwartz
> <phi...@us...> wrote:
>>
>> Check the files in your DH WORK_DIR (grep them) for one of the subnodes.
>> The number after the : indicates the number of hack attempts DH detected.
>> If this number seems incorrect, check your SECURE_LOG for that IP address
>> to determine if they were legit or not. If DH incorrectly identified them
>> as attacks then your SECURE_LOG is likely in an unusual format.
>>
>> You may also want to stop DH, remove the IP address(es) from the WORK_DIR
>> files, and the IP's to WORK_DIR/allowed-hosts and restart DH.
>>
>> Regards,
>>
>> Phil
>>
>>
>> On Wed, 9 Jan 2008, David Burns wrote:
>>
>>> I have a cluster master node running denyhosts (Thanks!), but I am
>>> confused because some of the subnodes get denied. I've put them into
>>> /etc/hosts.allow, so they don't actually lose access, but I do still
>>> get reports about them. Is there some documentation somewhere that
>>> would explain what to look for to find out what these nodes are doing
>>> that sets off denyhosts? I am pretty sure that there are no hackers
>>> with access to the subnodes trying to hack the master node - they're
>>> wired such that the only way to get to the nodes is through the
>>> master!
>>> Thanks in advance,
>>> Dave
>>
>> --
>> Regards,
>>
>> Phil Schwartz
>> - http://www.phil-schwartz.com
>>
>> Open Source Projects:
>> - DenyHosts: http://www.denyhosts.net
>> - Kodos: http://kodos.sourceforge.net
>> - ReleaseForge: http://releaseforge.sourceforge.net
>> - Scratchy: http://scratchy.sourceforge.net
>> - FAQtor: http://faqtor.sourceforge.net
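
Added example, not part of the original thread and not DenyHosts code: the cross-check described in the quoted Jan 9 reply (look up an address in the WORK_DIR files, then compare the recorded count with what SECURE_LOG shows for that address). It assumes WORK_DIR entries shaped `<ip>:<count>` and stock OpenSSH message wording; the file name `hosts`, the host name and the addresses in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: stock OpenSSH syslog wording; an unusual SECURE_LOG format will not match.
SSHD = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?\S+ from (\S+)")

def workdir_counts(work_dir, ip):
    """Return {file name: count} for WORK_DIR entries shaped '<ip>:<count>' (assumed)."""
    entry = re.compile(r"(?:^|\s)" + re.escape(ip) + r":(\d+)")
    counts = {}
    for path in sorted(p for p in Path(work_dir).iterdir() if p.is_file()):
        for line in path.read_text(errors="replace").splitlines():
            if m := entry.search(line):
                counts[path.name] = int(m.group(1))
    return counts

def log_evidence(secure_log, ip):
    """Sort SECURE_LOG lines that mention ip into Accepted, Failed and unparsed."""
    mention = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d)")
    seen = {"Accepted": 0, "Failed": 0, "unparsed": []}
    for line in Path(secure_log).read_text(errors="replace").splitlines():
        if mention.search(line):
            m = SSHD.search(line)
            if m and m.group(2) == ip:
                seen[m.group(1)] += 1
            else:
                seen["unparsed"].append(line)  # candidate sign of an unusual format
    return seen

def audit(work_dir, secure_log, ip):
    """Mark ip as suspect when its recorded count exceeds the failures the log shows."""
    counts, seen = workdir_counts(work_dir, ip), log_evidence(secure_log, ip)
    recorded = max(counts.values(), default=0)
    return {"recorded": recorded, "failed": seen["Failed"], "accepted": seen["Accepted"],
            "unparsed": len(seen["unparsed"]), "suspect": recorded > seen["Failed"]}

def demo():  # constructed sample data; file name, hosts and addresses are made up
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp, "work")
        work.mkdir()
        (work / "hosts").write_text("192.0.2.10:6:constructed\n192.0.2.77:2:constructed\n")
        log = Path(tmp, "secure")
        log.write_text(
            "Jan 17 10:00:01 master sshd[411]: Accepted publickey for dave from 192.0.2.10 port 5022 ssh2\n"
            "Jan 17 10:00:02 master sshd[412]: login dave@192.0.2.10 ok (site-specific line)\n"
            "Jan 17 11:00:01 master sshd[500]: Failed password for invalid user admin from 192.0.2.77 port 4000 ssh2\n"
            "Jan 17 11:00:02 master sshd[501]: Failed password for root from 192.0.2.77 port 4001 ssh2\n")
        return audit(work, log, "192.0.2.10"), audit(work, log, "192.0.2.77")
```

An address reported as suspect with a non-zero unparsed count is the case the thread describes: the log lines that did not match the expected wording are the ones worth reading in the --debug output.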