Re: [Denyhosts-user] Respond to particular attack pattern

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

You can set your denyhosts configuration to disallow all sshd logins to 
the root account with a short daemon sleep period. I do this and it 
works just fine. (I can do this because I have absolutely no reason to 
login in remotely with the root account, you might not be so fortunate.) 
  --Robert

Olaf Klinke wrote:
> Hi all,
> Being very satisfied with my freshly installed denyhosts, I am
> already becoming greedy. As Lars Behrens pointed out to this list
> in 2008, a typical attack looks like this:
> 
> Aug 29 18:42:14 kuratowski sshd[36849]: Did not receive identification  
> string from 219.140.165.74
> Aug 29 18:47:00 kuratowski sshd[36856]: User root from 219.140.165.74  
> not allowed because not listed in AllowUsers
> 
> After this the usual attack goes on using a dictionary of user names
> until the denyhosts daemon wakes up and puts an end to this.
> Note the 5 minute gap between the first connect which I read as a
> verification of an actual sshd listening on port 22, and the attack
> itself.
> 
> Therfore my guess is that denyhosts should be easily capable to
> respond to such an attack early even with a quite liberal
> DAEMON_SLEEP value. Any ideas? Shouldn't the DH daemon when waking
> up during an attack notice the fist connect and include it in the
> DENY_THRESHOLD_* count?
> 
> Am I right that the first and second connect above are handled
> differently by DH because the first one does not yield a user name?
> 
> Thanks,
> Olf