Monday, October 15, 2007

DenyHosts: Watches your SSH log for you

While I knew that brute-force attacks on SSH servers are very common, I had not taken the time to look at the connection attempt logs on my home servers until recently (to do that, by the way, on Ubuntu, try sudo tail -n 100 /var/log/auth.log). I was seeing attempts every few seconds for some periods, mostly on non-standard ports!

So far as I knew, no one had gotten through, but why risk the worry. Instead I installed DenyHosts. DenyHosts is a Python script that watches your auth.log, and adds IPs that repeatedly try and fail to connect to the /etc/hosts.deny list, effectively denying then future access.

It is rather easy to install. There is a package in the repos, but I was unable to get this to work on my servers for some reason (it is still in testing). I instead followed this handy tutorial. It worked flawlessly, with one exception. I had to run sudo touch /etc/hosts.deny right before starting the service. Otherwise it threw an error that the file did not exist and closed. With the touch, all went fine. That fix was listed in this bug report.

A few other notes:
  • If you have not done so, be SURE to change this line in /etc/ssh/sshd_config:
    • PermitRootLogin no
  • While editing /usr/share/denyhosts/denyhosts.cfg according to the tutorial, I recommend (following others posting this tip) to also change this line:
    • BLOCK_SERVICE = ALL. Also, of course, comment the line: BLOCK_SERVICE = sshd. This blocks access on all ports to IPs that get denied. And really, if you want to block a potentially malicious IP from SSH access, why give them access to other services?


Post a Comment

Subscribe to Post Comments [Atom]

<< Home