[PLUG] denyhosts not blocking some ssh attempts

Heath Morrison heath at doublemarked.com
Mon Jan 12 23:17:04 UTC 2009


Check out the website running at http://208.110.91.226/ . It's an odd
thing with some sort of hash that's generated with each request. After
you check that out, query google for "Home page wsi01" and you'll find
a couple dozen identical web servers on the same class C, all with
meaningless domain names.

Fishy enough for me :)

-Heath


On Mon, Jan 12, 2009 at 3:04 PM, Galen Seitz <galens at seitzassoc.com> wrote:
> Alan Olsen wrote:
>> Does Denyhosts look for connects or actual login attempts?  Looks like those
>> are connects without login attempts.  Part of a port scan?
>>
>
> Apparently it only looks for actual login attempts.  I looked back in
> the log file and there never was a login attempt.  This single entry
> appeared this morning:
>
> Jan 12 10:48:21 zinc sshd[2609]: Did not receive identification string
> from 208.110.91.226
>
>
> Later, around 1:30PM, I started getting a continuous stream of
> disconnect messages:
>
> Jan 12 13:31:36 zinc sshd[4814]: Received disconnect from
> 208.110.91.226: 11: Bye Bye
> Jan 12 13:31:40 zinc sshd[4818]: Received disconnect from
> 208.110.91.226: 11: Bye Bye
> Jan 12 13:31:41 zinc sshd[4822]: Received disconnect from
> 208.110.91.226: 11: Bye Bye
> Jan 12 13:31:42 zinc sshd[4826]: Received disconnect from
> 208.110.91.226: 11: Bye Bye
> ...
>
>
> Now that I have manually added this address to hosts.deny, I'm still
> getting attempts every 6 seconds:
>
> Jan 12 14:55:06 zinc sshd[11816]: refused connect from 208.110.91.226
> (208.110.91.226)
> Jan 12 14:55:13 zinc sshd[11819]: refused connect from 208.110.91.226
> (208.110.91.226)
> Jan 12 14:55:19 zinc sshd[11824]: refused connect from 208.110.91.226
> (208.110.91.226)
> Jan 12 14:55:27 zinc sshd[11827]: refused connect from 208.110.91.226
> (208.110.91.226)
>
>
> ... Great!  As I was typing this, the offending host moved on from my
> office machine to my home machine.  However, in this case there were
> login attempts and denyhosts quickly added the IP to hosts.deny.  It's
> still making attempts despite having the connection refused.  Sigh.
>
> --
> Galen Seitz
> galens at seitzassoc.com
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
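As an added example (my own, not code from the thread or from DenyHosts), a small Python classifier over sshd log lines in the shapes quoted above, plus one constructed "Failed password" line, that separates connection-only events from actual login failures per source IP. It shows why a blocker that counts only login failures sees nothing to act on for a host that disconnects before authenticating, and why a hosts.deny entry still yields "refused connect" lines: sshd consults libwrap only after the TCP connection has been accepted, so only a packet-filter rule stops the connections themselves. The sample log and the 192.0.2.10 address are constructed; real logs wrap these messages onto one line each.

```python
import re
from collections import Counter, defaultdict

# sshd message shapes from the thread (all pre-authentication) and the
# failed-login shape that a login-failure counter such as DenyHosts acts on.
PATTERNS = {
    "no_ident": re.compile(r"Did not receive identification string from (\S+)"),
    "preauth_disconnect": re.compile(r"Received disconnect from (\d+\.\d+\.\d+\.\d+): \d+:"),
    "refused_by_wrappers": re.compile(r"refused connect from (\S+) \("),
    "failed_login": re.compile(r"Failed \S+ for (?:invalid user )?\S+ from (\S+)"),
}
LOGIN_EVENTS = {"failed_login"}

# Constructed sample: the thread's lines unwrapped, plus one failed login.
SAMPLE_LOG = """\
Jan 12 10:48:21 zinc sshd[2609]: Did not receive identification string from 208.110.91.226
Jan 12 13:31:36 zinc sshd[4814]: Received disconnect from 208.110.91.226: 11: Bye Bye
Jan 12 13:31:40 zinc sshd[4818]: Received disconnect from 208.110.91.226: 11: Bye Bye
Jan 12 14:55:06 zinc sshd[11816]: refused connect from 208.110.91.226 (208.110.91.226)
Jan 12 14:55:13 zinc sshd[11819]: refused connect from 208.110.91.226 (208.110.91.226)
Jan 12 15:02:01 zinc sshd[12001]: Failed password for invalid user admin from 192.0.2.10 port 4422 ssh2
""".splitlines()

def classify(line):
    """Return (event_type, source_ip) for a recognised sshd message, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return kind, m.group(1)
    return None

def summarize(lines):
    """Per-IP counters of every recognised event type."""
    stats = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            kind, ip = hit
            stats[ip][kind] += 1
    return stats

def login_attempts(stats, ip):
    """Events a login-failure counter would credit to this IP."""
    return sum(n for k, n in stats[ip].items() if k in LOGIN_EVENTS)

def connection_only(stats, ip):
    """Connections that never reached authentication (invisible to that counter)."""
    return sum(n for k, n in stats[ip].items() if k not in LOGIN_EVENTS)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip in s:
        print(ip, "login failures:", login_attempts(s, ip), "connect-only:", connection_only(s, ip))
```

For the scanner in the thread this reports 0 login failures and 5 connect-only events, which is exactly the case a login-failure counter cannot see; a packet-filter drop on the source address is what removes the repeated "refused connect" entries.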


