[PLUG] denyhosts not blocking some ssh attempts

Galen Seitz galens at seitzassoc.com
Mon Jan 12 23:04:30 UTC 2009


Alan Olsen wrote:
> Does Denyhosts look for connects or actual login attempts?  Looks like those
> are connects without login attempts.  Part of a port scan?
> 

Apparently it only looks for actual login attempts.  I looked back in 
the log file and there never was a login attempt.  This single entry 
appeared this morning:

Jan 12 10:48:21 zinc sshd[2609]: Did not receive identification string from 208.110.91.226


Later, around 1:30PM, I started getting a continuous stream of 
disconnect messages:

Jan 12 13:31:36 zinc sshd[4814]: Received disconnect from 208.110.91.226: 11: Bye Bye
Jan 12 13:31:40 zinc sshd[4818]: Received disconnect from 208.110.91.226: 11: Bye Bye
Jan 12 13:31:41 zinc sshd[4822]: Received disconnect from 208.110.91.226: 11: Bye Bye
Jan 12 13:31:42 zinc sshd[4826]: Received disconnect from 208.110.91.226: 11: Bye Bye
...


Now that I have manually added this address to hosts.deny, I'm still 
getting attempts every 6 seconds:

Jan 12 14:55:06 zinc sshd[11816]: refused connect from 208.110.91.226 (208.110.91.226)
Jan 12 14:55:13 zinc sshd[11819]: refused connect from 208.110.91.226 (208.110.91.226)
Jan 12 14:55:19 zinc sshd[11824]: refused connect from 208.110.91.226 (208.110.91.226)
Jan 12 14:55:27 zinc sshd[11827]: refused connect from 208.110.91.226 (208.110.91.226)


... Great!  As I was typing this, the offending host moved on from my 
office machine to my home machine.  However, in this case there were 
login attempts and denyhosts quickly added the ip to hosts.deny.  It's 
still making attempts despite having the connection refused.  Sigh.

-- 
Galen Seitz
galens at seitzassoc.com
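An added example, not part of the original message and not denyhosts code: a small Python classifier that runs over the sshd lines quoted above (plus two constructed lines using documentation addresses) and separates pre-auth noise ("Did not receive identification string", "Received disconnect") from real failed logins. That is exactly the distinction the thread turns on: a blocker keyed only on login failures never sees the first kind, so the classifier also flags sources that produce a burst of pre-auth events with no login attempt at all. The `Failed password` line format is the standard OpenSSH one; the threshold and window values, and the 2009 year used to complete syslog timestamps, are assumptions chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Message kinds recognised in sshd syslog output. The first two are the
# pre-auth events from the thread, the third is a real login failure
# (standard OpenSSH format), the fourth is the TCP-wrappers refusal.
PATTERNS = {
    "no_ident": re.compile(r"Did not receive identification string from (\S+)"),
    "disconnect": re.compile(r"Received disconnect from (\S+):"),
    "failed_login": re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)"),
    "refused": re.compile(r"refused connect from (\S+)"),
}
PREAUTH_KINDS = ("no_ident", "disconnect")
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

# Sample input: the lines from the thread, plus two constructed lines
# (192.0.2.55 and 198.51.100.7 are documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 12 10:48:21 zinc sshd[2609]: Did not receive identification string from 208.110.91.226
Jan 12 13:31:36 zinc sshd[4814]: Received disconnect from 208.110.91.226: 11: Bye Bye
Jan 12 13:31:40 zinc sshd[4818]: Received disconnect from 208.110.91.226: 11: Bye Bye
Jan 12 13:31:41 zinc sshd[4822]: Received disconnect from 208.110.91.226: 11: Bye Bye
Jan 12 13:31:42 zinc sshd[4826]: Received disconnect from 208.110.91.226: 11: Bye Bye
Jan 12 13:35:02 zinc sshd[4901]: Failed password for invalid user admin from 192.0.2.55 port 51234 ssh2
Jan 12 13:36:10 zinc sshd[4933]: Received disconnect from 198.51.100.7: 11: Bye Bye
Jan 12 14:55:06 zinc sshd[11816]: refused connect from 208.110.91.226 (208.110.91.226)
Jan 12 14:55:13 zinc sshd[11819]: refused connect from 208.110.91.226 (208.110.91.226)
Jan 12 14:55:19 zinc sshd[11824]: refused connect from 208.110.91.226 (208.110.91.226)
Jan 12 14:55:27 zinc sshd[11827]: refused connect from 208.110.91.226 (208.110.91.226)
""".splitlines()


def parse_line(line, year=2009):
    """Return (timestamp, kind, ip) for a recognised sshd line, else None.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2009 here).
    """
    m_ts = TS_RE.match(line)
    if not m_ts:
        return None
    ts = datetime.strptime(f"{year} {m_ts.group(1)}", "%Y %b %d %H:%M:%S")
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return ts, kind, m.group(1)
    return None


def classify(lines, year=2009):
    """Map source IP -> kind -> list of timestamps for every recognised line."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, kind, ip = parsed
        per_ip[ip][kind].append(ts)
    return per_ip


def burst(timestamps, min_events, window_seconds):
    """True if any min_events consecutive timestamps fall inside window_seconds."""
    ts = sorted(timestamps)
    for i in range(len(ts) - min_events + 1):
        if (ts[i + min_events - 1] - ts[i]).total_seconds() <= window_seconds:
            return True
    return False


def noisy_preauth_sources(per_ip, min_events=3, window_seconds=60):
    """Sources a login-failure-only blocker would miss: a burst of pre-auth
    events (no banner / immediate disconnect) and not a single failed login."""
    hits = []
    for ip, kinds in per_ip.items():
        preauth = [t for k in PREAUTH_KINDS for t in kinds.get(k, [])]
        if not kinds.get("failed_login") and burst(preauth, min_events, window_seconds):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    per_ip = classify(SAMPLE_LOG)
    for ip in sorted(per_ip):
        summary = {k: len(v) for k, v in per_ip[ip].items()}
        print(ip, summary)
    print("pre-auth bursts with no login attempt:", noisy_preauth_sources(per_ip))
```

The `refused connect` lines also explain why the attempts keep showing up after the hosts.deny entry: TCP wrappers make their decision inside sshd, after the TCP connection has already been accepted, so every attempt still reaches sshd and is logged. Only a packet filter in front of sshd (or a blocker that feeds one) makes the connections disappear from the log rather than merely fail.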


