From: Robert W. <chu...@gm...> - 2009-08-30 15:04:28
You can set your denyhosts configuration to disallow all sshd logins to the root account with a short daemon sleep period. I do this and it works just fine. (I can do this because I have absolutely no reason to log in remotely with the root account; you might not be so fortunate.)

--Robert

Olaf Klinke wrote:
> Hi all,
> Being very satisfied with my freshly installed denyhosts, I am
> already becoming greedy. As Lars Behrens pointed out to this list
> in 2008, a typical attack looks like this:
>
> Aug 29 18:42:14 kuratowski sshd[36849]: Did not receive identification
> string from 219.140.165.74
> Aug 29 18:47:00 kuratowski sshd[36856]: User root from 219.140.165.74
> not allowed because not listed in AllowUsers
>
> After this the usual attack goes on using a dictionary of user names
> until the denyhosts daemon wakes up and puts an end to this.
> Note the 5 minute gap between the first connect, which I read as a
> verification of an actual sshd listening on port 22, and the attack
> itself.
>
> Therefore my guess is that denyhosts should be easily capable of
> responding to such an attack early even with a quite liberal
> DAEMON_SLEEP value. Any ideas? Shouldn't the DH daemon, when waking
> up during an attack, notice the first connect and include it in the
> DENY_THRESHOLD_* count?
>
> Am I right that the first and second connect above are handled
> differently by DH because the first one does not yield a user name?
>
> Thanks,
> Olf
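Added example, not part of this thread and not DenyHosts' own code: a small per-host counter over the two sshd log lines quoted above, with a switch that either ignores the user-less "Did not receive identification string" probe (as Olaf suspects DH does) or counts it toward the threshold (as he proposes). The regexes, the threshold parameter and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns for the two sshd lines quoted in the thread. Constructed for this
# example; they are not the patterns DenyHosts itself uses.
NO_IDENT_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<ip>[\d.]+)")
NOT_ALLOWED_RE = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+) from (?P<ip>[\d.]+) "
    r"not allowed because not listed in AllowUsers")


def parse_event(line):
    """Return (ip, user) for a line of interest; user is None for the
    identification-string probe, which carries no user name. Other lines
    return None."""
    m = NO_IDENT_RE.search(line)
    if m:
        return m.group("ip"), None
    m = NOT_ALLOWED_RE.search(line)
    if m:
        return m.group("ip"), m.group("user")
    return None


def count_offenders(lines, threshold, count_probes=True):
    """Count matching events per source host and return the hosts whose
    count reached `threshold`. With count_probes=False the user-less probe
    is skipped, so the same log needs one more failed user attempt before
    the host is flagged."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip, user = ev
        if user is None and not count_probes:
            continue
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


# Sample log, constructed after the lines quoted in the thread, plus one
# unrelated successful login (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "Aug 29 18:42:14 kuratowski sshd[36849]: Did not receive identification string from 219.140.165.74",
    "Aug 29 18:47:00 kuratowski sshd[36856]: User root from 219.140.165.74 not allowed because not listed in AllowUsers",
    "Aug 29 18:47:03 kuratowski sshd[36857]: Accepted publickey for olaf from 192.0.2.10 port 5022 ssh2",
]
```

With a threshold of 2, counting the probe flags 219.140.165.74 on the second line already, whereas skipping it leaves the host unflagged until a further failed user attempt arrives.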