<div dir="ltr">Probably not since denyhosts parses logfiles from days or weeks prior when you first run it.<br><br>Steve<br><br><div class="gmail_quote">On Mon, Aug 18, 2008 at 1:54 PM, Greg Freemyer <span dir="ltr"><<a href="mailto:greg.freemyer@gmail.com">greg.freemyer@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">It added just over 1000 IPs to the hosts.deny list.<br>
<br>
Seems like a lot to me, but what do I know.<br>
<font color="#888888"><br>
Greg<br>
</font><div><div></div><div class="Wj3C7c"><br>
On Mon, Aug 18, 2008 at 1:39 PM, Greg Freemyer <<a href="mailto:greg.freemyer@gmail.com">greg.freemyer@gmail.com</a>> wrote:<br>
> I'm going the denyhosts route.<br>
><br>
> This is a CentOS server and it is in the default yum repository. (A<br>
> couple versions old (2.4), but it should be fine.)<br>
><br>
> Greg<br>
><br>
> 2008/8/18 Stephen Benjamin <<a href="mailto:skbenja@gmail.com">skbenja@gmail.com</a>>:<br>
>> Hey Greg,<br>
>><br>
>> I use DenyHosts: <a href="http://denyhosts.sourceforge.net" target="_blank">denyhosts.sourceforge.net</a><br>
>><br>
>> Configurable to add users to /etc/hosts.deny after X number of failed<br>
>> attempts. Also can autoblock faster on unknown users and attempted root<br>
>> logins.<br>
>><br>
>> It works pretty well.<br>
>><br>
>><br>
>> - Steve<br>
>><br>
>> On Mon, Aug 18, 2008 at 12:35 PM, Greg Freemyer <<a href="mailto:greg.freemyer@gmail.com">greg.freemyer@gmail.com</a>><br>
>> wrote:<br>
>>><br>
>>> All,<br>
>>><br>
&gt;&gt;&gt; Is there a way to only allow one ksh attempt per IP per timeframe?<br>
>>> And after X attempts to block it for an hour or so?<br>
>>><br>
>>> ===> Details<br>
>>><br>
>>> I run our webserver on a virtual slice we rent from a hosting company.<br>
>>> Nothing very proprietary on it. In the last 60 seconds I'm getting a<br>
>>> lot of failed ksh attempts from just a couple of IPs.<br>
>>><br>
>>> Taking a look at /var/log/message I'm getting a surprising amount of<br>
&gt;&gt;&gt; login attempts:<br>
>>><br>
>>> bash-3.00# grep "check pass; user unknown" messages | head<br>
>>> Feb 2 15:13:05 norcross sshd(pam_unix)[1861]: check pass; user unknown<br>
>>> Feb 2 15:13:18 norcross sshd(pam_unix)[1867]: check pass; user unknown<br>
>>> Feb 2 15:13:21 norcross sshd(pam_unix)[1869]: check pass; user unknown<br>
>>> Feb 3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown<br>
>>> Feb 3 01:01:58 norcross sshd(pam_unix)[9185]: check pass; user unknown<br>
>>> Feb 3 01:02:07 norcross sshd(pam_unix)[9187]: check pass; user unknown<br>
>>> Feb 3 01:02:18 norcross sshd(pam_unix)[9189]: check pass; user unknown<br>
>>> Feb 3 09:26:40 norcross sshd(pam_unix)[9260]: check pass; user unknown<br>
>>> Feb 3 09:26:44 norcross sshd(pam_unix)[9262]: check pass; user unknown<br>
>>> Feb 3 09:26:47 norcross sshd(pam_unix)[9264]: check pass; user unknown<br>
>>><br>
&gt;&gt;&gt; So it looks like I set up this server in Feb 2008 and I likely typed in<br>
>>> the user name wrong a few times.<br>
>>><br>
&gt;&gt;&gt; Let's see how often in the last 6 months:<br>
>>><br>
>>> bash-3.00# grep "check pass; user unknown" messages | wc -l<br>
>>> 363748<br>
>>><br>
>>> I must say I'm surprised to see that. I did not realize I could type<br>
>>> that fast. :-(<br>
>>><br>
>>> Is every hacker in the world trying to break in my little virtual server!!<br>
>>><br>
>>> I don't want to restrict access to private/public key authentication,<br>
&gt;&gt;&gt; but other than continuing to use strong passwords, is there something<br>
&gt;&gt;&gt; else I should be doing to slow down the onslaught?<br>
>>><br>
>>> Greg<br>
>>> --<br>
>>> Greg Freemyer<br>
>>> Litigation Triage Solutions Specialist<br>
>>> <a href="http://www.linkedin.com/in/gregfreemyer" target="_blank">http://www.linkedin.com/in/gregfreemyer</a><br>
>>> First 99 Days Litigation White Paper -<br>
>>> <a href="http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf" target="_blank">http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf</a><br>
>>><br>
>>> The Norcross Group<br>
>>> The Intersection of Evidence & Technology<br>
>>> <a href="http://www.norcrossgroup.com" target="_blank">http://www.norcrossgroup.com</a><br>
>>> _______________________________________________<br>
>>> Ale mailing list<br>
>>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>>> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>><br>
>><br>
>><br>
>><br>
><br>
><br>
><br>
><br>
<br>
<br>
<br>
</div></div>--<br>
<div><div></div><div class="Wj3C7c">Greg Freemyer<br>
</div></div></blockquote></div><br><br clear="all"><br>
</div>
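The threshold-based blocking discussed in this thread, as an added example that is not part of the original messages and is not DenyHosts' own code. The pam_unix lines quoted above carry no source address, so this sketch assumes sshd's "Failed password ... from IP" lines (constructed sample below); the threshold values and function names are hypothetical. It counts over the whole log it is given, which is why a first pass over months of history can produce a long deny list.

```python
import re
from collections import defaultdict

# Constructed sample lines in sshd's "Failed password" format (not from the thread).
SAMPLE_LOG = """\
Aug 18 12:30:01 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2
Aug 18 12:30:03 host sshd[2002]: Failed password for invalid user test from 192.0.2.10 port 4002 ssh2
Aug 18 12:30:05 host sshd[2003]: Failed password for root from 198.51.100.7 port 5001 ssh2
Aug 18 12:31:00 host sshd[2004]: Failed password for greg from 203.0.113.5 port 6001 ssh2
Aug 18 12:31:09 host sshd[2005]: Accepted password for greg from 203.0.113.5 port 6002 ssh2
Aug 18 12:32:00 host sshd[2006]: Failed password for invalid user oracle from 192.0.2.10 port 4003 ssh2
"""

# Anchored to the end of the line with a greedy user field, so the address is
# read from sshd's own trailing fields and never from the supplied username.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Hypothetical thresholds: block faster on unknown users and on root attempts.
THRESHOLDS = {"invalid": 3, "root": 1, "valid": 5}

def classify(match):
    if match.group("invalid"):
        return "invalid"
    return "root" if match.group("user") == "root" else "valid"

def hosts_to_deny(log_text, thresholds=THRESHOLDS, allowlist=()):
    """Return sorted IPs whose failure count reaches any per-class threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m and m.group("ip") not in allowlist:
            counts[m.group("ip")][classify(m)] += 1
    return sorted(
        ip for ip, kinds in counts.items()
        if any(n >= thresholds[kind] for kind, n in kinds.items())
    )

def hosts_deny_lines(ips):
    """Format entries the way TCP wrappers expects them in /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_LOG))))
```

Passing your own management addresses in `allowlist` keeps a mistyped password from locking you out of a remote server.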