[SOLVED] Denyhosts 'bug'/curiosity

lightman47
Posts: 1225
Joined: 2014/05/21 20:16:00
Location: Central New York, USA


Post by lightman47 » 2014/05/22 11:30:24

CentOS 6.5 with denyhosts (from repo) running - I thought all was working well until I perused /var/log/secure the other day and found the same I.P. banged away at my root password about 8 times before getting locked out. I have root set to ONE bad attempt. Unique to me about these attempts was that this bogus 'user' was changing high-numbered ports, for instance 58724, for each attempt. I did some googling/research and can't find anything about this.

Is it this port rotation that enables 'him' to get around Denyhosts? Is there a fix?

{Also asked on FedoraForum with no results - have machines with Fedora as well and just found this forum yesterday}

Thanks.
Last edited by lightman47 on 2014/05/24 22:08:15, edited 2 times in total.
Remember - importing/building packages will likely "byte you in the butt" come update time, long after you'd forgotten you did that! Use repos whenever possible.

lightman47
Posts: 1225
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Denyhosts 'bug'/curiosity

Post by lightman47 » 2014/05/23 11:02:44

Resolved (sort of) - further thought about how denyhosts works by periodically polling the log leads me to believe that an attacker can get in as many attempts as possible between polls. Essentially, it's the count increments from the poll results that lock him out - not the actual attacks themselves.
Remember - importing/building packages will likely "byte you in the butt" come update time, long after you'd forgotten you did that! Use repos whenever possible.
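
The polling effect described in the post above, as an added example that is not part of the original thread: it parses constructed `/var/log/secure` lines, keys failures on source IP (the port is only the client's ephemeral source port), and counts how many failures are logged before a periodic poller reacts. Assumptions: the IP, hostname, timestamps and 4-second spacing are constructed, `poll_s` stands in for the daemon's polling interval (`DAEMON_SLEEP` in denyhosts.cfg), and "block once the count reaches the threshold" is a simplified model.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd failure line from /var/log/secure. The trailing port is the client's
# ephemeral source port, so it differs on every new connection.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port (\d+)")

def make_log(start, ip, attempts, gap_s):
    """Constructed sample log: root failures, each from a new source port."""
    lines = []
    for i in range(attempts):
        ts = (start + timedelta(seconds=i * gap_s)).strftime("%b %d %H:%M:%S")
        lines.append(f"{ts} host sshd[{2000 + i}]: Failed password for root "
                     f"from {ip} port {58724 + 37 * i} ssh2")
    return lines

def simulate(lines, start, poll_s, threshold):
    """Model a log poller: every poll_s seconds it counts failures per source
    IP (port ignored) and blocks an IP whose count has reached threshold.
    Returns {ip: (failures logged before the block, distinct source ports)}."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts.replace(year=start.year), m.group(2), int(m.group(3))))
    if not events:
        return {}
    events.sort()
    blocked, poll = {}, start
    while True:
        poll += timedelta(seconds=poll_s)
        ports = defaultdict(list)
        for ts, ip, port in events:
            if ts <= poll:
                ports[ip].append(port)
        for ip, seen in ports.items():
            if ip not in blocked and len(seen) >= threshold:
                blocked[ip] = (len(seen), len(set(seen)))
        if poll >= events[-1][0]:
            return blocked

START = datetime(2014, 5, 20, 3, 0, 0)             # constructed timestamp
LOG = make_log(START, "203.0.113.7", 8, gap_s=4)   # documentation-range IP

if __name__ == "__main__":
    for poll_s in (30, 5, 1):
        print(poll_s, simulate(LOG, START, poll_s, threshold=1))
```

With a threshold of one, the number of failures that reach the log before the block depends only on how many fit inside one polling interval; the changing source port plays no part because the count is kept per IP.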

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: Denyhosts 'bug'/curiosity

Post by unspawn » 2014/05/24 10:52:43

Please be aware OpenSSH seems intent on removing tcp_wrappers support, as does Fedora. Maybe that could be your cue to investigate alternatives like fail2ban.
