Introduction
If you have any servers that are running SSH and listening on a public net connection, its a good idea to prevent against dictionary attacks, since they are the simplest way to gain entry. You can get an idea of who is connecting or attempting to connect by viewing your ssh log which is located at /var/log/secure on Redhat or /var/log/auth.log on Debian.
There is an easy tool that you can install to deal with this attack called DenyHosts. It basically monitors these log files and then if it finds a potential attacker based on your threshold it will add them to the /etc/hosts.deny file to prevent them from brute forcing your system.
Getting DenyHosts
DenyHosts can be found here on Sourceforge
We’ll grab the tarball
$ wget \ http://internap.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
Extract and install
$ tar xzvf DenyHosts-2.6.tar.gz $ cd DenyHosts-2.6 $ sudo python setup.py install
This installs it into /usr/share/denyhosts so we’ll change directory
$ cd /usr/share/denyhosts
Copy the default config
$ sudo cp denyhosts.cfg-dist denyhosts.cfg
We need to set a few values in this file. The default values are for RedHat and this is how it looks on Debian
SECURE_LOG = /var/log/auth.log LOCK_FILE = /var/run/denyhosts.pid
You may also want to set the DENY_THRESHOLD_INVALID and DENY_THRESHOLD_VALID values, which controls the threshold of failed login attempts for fake and real users respectively.
Now we need to setup the script that controls the deamon that does the work. There is a default one available so we can copy that
$ sudo cp daemon-control-dist daemon-control
There is only one value to change here on Debian
DENYHOSTS_LOCK = "/var/run/denyhosts.pid"
Now symlink the control script into our bootup scripts folder and add it to start on boot
$ sudo ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts $ sudo update-rc.d denyhosts defaults
Finally start it up for the first time
$ sudo /etc/init.d/denyhosts start
If you haven’t changed the default you can find the logs in /var/log/denyhosts if you want to see what its doing.
Conclusion
We’ve pretty quickly setup a tool to defend against brute force attacks. Its easy to configure and also supports email, smtp, and syslog notifications. This is a tool everyone should install for any servers that have SSH listening on the Internet.
May 8th, 2009 at 11:40 AM
I decided to use sshutout, http://www.techfinesse.com/sshutout/sshutout.html, for the same purpose. Instead of adding to denyhosts, it sets up iptables rules. It also supports whitelists, in case you do something stupid one day from your own management ip.