Hey, your SSH is showing
Saw an interesting submission by Chuck Talk at RootPrompt the other day about DenyHosts, a tool to prevent repeated attacks against public SSH services running on your servers.
Apparently someone had plenty of time to try to log in, and was not deterred by repeated login failures. That set me on a course to find a solution that was simple, effective and enough of a barrier to the attacker that they would move on out of frustration, or simply be denied enough that they would find easier targets.
That search led me to find DenyHosts, a simple and elegant solution that works with a minimal configuration effort and is small, quick and clean. The ease of installation and operation make this an effective solution to annoying SSH attackers, and one that you should consider if you are using SSH services.
In essence, DenyHosts is a simple Python script that watches the logs for entries indicating obviously malicious and/or suspicious login attempts. From the FAQ:
DenyHosts then processes the sshd server log (typically, this is /var/log/secure, /var/log/auth.log, etc) and determines which hosts have unsuccessfully attempted to gain access to the ssh server. Additionally, it notes the user and whether or not that user is valid (e.g. has a system account) or invalid (e.g. does not have a system account).
When DenyHosts determines that a given host has attempted a configurable number of attempts (this is known as the deny_threshold), DenyHosts will add that host to the /etc/hosts.deny file. This will prevent that host from contacting your sshd server again.
Also, DenyHosts will note any successful logins that occurred by a host that has exceeded the deny_threshold. These are known as suspicious logins and should be investigated further by the system admin.
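To make the FAQ's description concrete, here is a small added example (my own illustration, not DenyHosts' code) that applies the same logic to a few constructed auth.log lines: count failed attempts per host, split by valid/invalid user, deny hosts that reach deny_threshold, and flag successful logins from those hosts as suspicious. The hosts.deny line format and the threshold of 3 are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines in auth.log style; not real traffic.
SAMPLE_LOG = """\
Jun 14 12:01:02 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jun 14 12:01:05 host sshd[2102]: Failed password for invalid user oracle from 192.0.2.10 port 40002 ssh2
Jun 14 12:01:09 host sshd[2103]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jun 14 12:01:15 host sshd[2104]: Accepted password for bob from 192.0.2.10 port 40004 ssh2
Jun 14 12:02:00 host sshd[2105]: Failed password for alice from 198.51.100.7 port 5555 ssh2
Jun 14 12:02:30 host sshd[2106]: Accepted publickey for alice from 198.51.100.7 port 5556 ssh2
"""

# "invalid user" is present when the account does not exist on the system.
FAILED_RE = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")

def analyze(log_text, deny_threshold=3):
    """Return (hosts_to_deny, suspicious_logins, per_host_counts).

    per_host_counts maps host -> {"valid": n, "invalid": n}. A host whose
    total failures reach deny_threshold is denied, and any successful login
    from such a host is reported as suspicious, regardless of line order.
    """
    counts = defaultdict(lambda: {"valid": 0, "invalid": 0})
    successes = []  # (host, user) pairs for every accepted login
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            kind = "invalid" if m.group(1) else "valid"
            counts[m.group(3)][kind] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes.append((m.group(2), m.group(1)))
    denied = sorted(h for h, c in counts.items()
                    if c["valid"] + c["invalid"] >= deny_threshold)
    suspicious = [(h, u) for h, u in successes if h in set(denied)]
    return denied, suspicious, dict(counts)

def hosts_deny_lines(denied, daemon="sshd"):
    """Render TCP-wrapper style /etc/hosts.deny entries (assumed format)."""
    return [f"{daemon}: {host}" for host in denied]

if __name__ == "__main__":
    denied, suspicious, counts = analyze(SAMPLE_LOG)
    print(hosts_deny_lines(denied))  # ['sshd: 192.0.2.10']
    print(suspicious)                # [('192.0.2.10', 'bob')]
```

The successful login for bob is the case the FAQ calls a suspicious login: the password eventually worked from a host that had already crossed the threshold, so it deserves a look even though sshd accepted it.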
June 14th, 2005 at 12:30 pm
Under *BSD and using Packet Filter you can use:
SSH Scanner Blocker (python also): http://www.e-shell.org/index.py?code=python
ssh_blocker (script shell): http://blackshell.usebox.net/pub/shell/ssh_blocker.README
Both are easy to adapt to iptables (and the second one is interesting because it doesn’t need python).
June 21st, 2005 at 4:36 pm
Thanks for the pointers, Juanjo, I’ll check both of these out.
November 12th, 2005 at 1:56 pm
Your site makes good reading! (got here via /. book review yesterday)
I can also recommend these 2 for fencing off sshd scans / dictionary attacks:
Fail2Ban: http://www.sourceforge.net/projects/fail2ban
Scans syslog/auth.log for failed login attempts and puts offending hosts in your firewall. Also works with authentication modules for Apache etc.
pam_abl: http://www.hexten.net/pam_abl/
RBL listing via pam