Hello,

I've installed denyhosts on CentOS 5.3 trying to block automated attacks on ssh. It appears to be working in that entries are being added to /etc/hosts.deny, yet the daily emails sent from denyhosts show only one IP being added per day when the total is many more than that. My config is below; I've gone over it and am not seeing what I missed. Suggestions welcome.

I was also wondering if denyhosts can block other types of robot attacks such as smtp or port 80?

Thanks.
Dave.

SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1w
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 2
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = user at example.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody at example.com>
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
SYNC_DOWNLOAD_RESILIENCY = 2h
Dave wrote:
> Hello,
> I've installed denyhosts on CentOS 5.3 trying to block automated
> attacks on ssh. It appears to be working in that entries are being added to
> /etc/hosts.deny yet the daily emails sent from denyhosts show only one IP
> being added per day when the total is many more than that. My config is
> below, I've gone over it and am not seeing what I missed. Suggestions
> welcome.
> I was also wondering if denyhosts can block other types of robot
> attacks such as smtp or port 80?

It can deny access to any service that uses hosts.deny if you change it to ALL instead of sshd. It is configured to watch /var/log/secure, so if smtpd logs login failures there, then it can be used to add to the deny list. Apache does not use hosts.allow or hosts.deny by default. Some googling suggested this might be done with xinetd but I haven't tried it.

> BLOCK_SERVICE = sshd
> SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
> SYNC_INTERVAL = 1h
> SYNC_UPLOAD = yes
> SYNC_DOWNLOAD = yes

I believe the IP entries being added are because you are using the sync feature. The email only notifies new entries added due to active attempts against your server, not those added by the sync, IIRC.

Rick
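As an added illustration (not DenyHosts's own code) of how the thresholds in Dave's config and the BLOCK_SERVICE setting Rick mentions turn /var/log/secure failures into hosts.deny entries: the script below classifies sshd failure lines into the invalid/valid/root categories, applies DENY_THRESHOLD_INVALID=2, DENY_THRESHOLD_VALID=10 and DENY_THRESHOLD_ROOT=1, and renders the resulting entries for either "sshd" or "ALL". The log lines are constructed samples in sshd's usual format, and the regexes are an assumption about that format rather than DenyHosts's parser.

```python
import re
from collections import Counter

# Thresholds copied from the posted configuration
DENY_THRESHOLD_INVALID = 2
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
BLOCK_SERVICE = "sshd"  # per Rick, "ALL" covers every TCP-wrapped service

# Assumed sshd failure shapes: unknown account vs. existing account (assumption)
INVALID_RE = re.compile(r"Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
VALID_RE = re.compile(r"Failed password for (?!invalid user)(\S+) from (\d+\.\d+\.\d+\.\d+)")

def classify(line):
    """Return (category, ip) for a failed-login line, or None for anything else."""
    m = INVALID_RE.search(line)
    if m:
        return "invalid", m.group(2)
    m = VALID_RE.search(line)
    if m:
        user, ip = m.groups()
        return ("root" if user == "root" else "valid"), ip
    return None

def hosts_to_deny(lines):
    """Count failures per (category, ip); return IPs that reached their threshold."""
    thresholds = {"invalid": DENY_THRESHOLD_INVALID,
                  "valid": DENY_THRESHOLD_VALID,
                  "root": DENY_THRESHOLD_ROOT}
    counts = Counter(hit for hit in map(classify, lines) if hit)
    return sorted({ip for (cat, ip), n in counts.items() if n >= thresholds[cat]})

def hosts_deny_entries(ips, service=BLOCK_SERVICE):
    """Render hosts.deny lines in the '<service>: <ip>' form DenyHosts writes."""
    return [f"{service}: {ip}" for ip in ips]

# Constructed sample log lines (documentation-range addresses, not real traffic)
SAMPLE_LOG = [
    "Jun  1 10:00:01 host sshd[1001]: Failed password for invalid user oracle from 192.0.2.10 port 40000 ssh2",
    "Jun  1 10:00:03 host sshd[1002]: Failed password for invalid user test from 192.0.2.10 port 40001 ssh2",
    "Jun  1 10:00:05 host sshd[1003]: Failed password for root from 198.51.100.7 port 41000 ssh2",
    "Jun  1 10:00:07 host sshd[1004]: Failed password for dave from 203.0.113.5 port 42000 ssh2",
    "Jun  1 10:00:09 host sshd[1005]: Failed password for dave from 203.0.113.5 port 42001 ssh2",
    "Jun  1 10:00:11 host sshd[1006]: Accepted password for dave from 203.0.113.5 port 42002 ssh2",
    "Jun  1 10:00:13 host sshd[1007]: Failed password for invalid user admin from 203.0.113.9 port 43000 ssh2",
]

if __name__ == "__main__":
    for entry in hosts_deny_entries(hosts_to_deny(SAMPLE_LOG)):
        print(entry)
```

Entries that DenyHosts adds via SYNC_DOWNLOAD never pass through this local counting, which is why they can appear in hosts.deny without showing up in the daily report.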