Based on responses I received here and in an OpenSSH forum it seems
for security reasons the sshd was modified to always pass all login
attempts to the underlying auth mechanism first, regardless of
sshd_config settings and only after that override the results if sshd
settings (PermitRootLogin, DenyUser) apply. So the only way to block
these lockouts is with firewalling (tcp_wrappers, ipfilter, etc).
_Mike
On Wed, 26 Jan 2005 20:40:29 -0500, Mike Broderick
<mikebroderick_at_gmail.com> wrote:
> I have a couple Tru64 boxes (4.0f and 5.1b) both using C2 security
> that get occasional root login attacks via SSH. These attacks (3000
> hits on root last time) cause the root account to get locked. I tried
> disabling root logins from SSH with "PerminRootLogins no" (in
> sshd_config) but I still see failed attempts logged in the auth db
> (u_numunsuclog for root user increments). I then tried adding
> "DenyUsers root" too which seems to work on the 4.0f system but not on
> 5.1b. I do get an "invalid user" error in the auth.log in both but on
> 5.1b u_numunsuclog still increments.
>
> The Tru64 delivered ssh is not beig used, but rather a version of
> OpenSSH manually downloaded/built. (4.0f has OpenSSH 3.1p1 and 5.1b
> has 3.7.1p2) The 5.1b system was just upgraded from 5.1a to 5.1b.
>
>
> _Mike
>
Received on Wed Feb 09 2005 - 16:22:26 NZDT