If you run secure shell you absolutely must run DenyHosts along with it. Secure Shell has been under security attack recently by random username/password probe attempts. Hopefully your secure shell server is good enough to leave entries such as
Aug 7 20:30:12 little sshd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=zorch.cc.gt.atl.ga.us user=root
Aug 7 20:30:14 little sshd: Failed password for root from 220.127.116.11
port 32824 ssh2
(from debian unstable, completely updated as of now)
Aug 8 10:01:08 localhost sshd: Invalid user 1 from 18.104.22.168
Aug 8 10:01:14 localhost sshd: Invalid user a from 22.214.171.124
Aug 8 10:01:20 localhost sshd: Invalid user a from 126.96.36.199
Aug 8 10:01:25 localhost sshd: Invalid user abuse from 188.8.131.52
Aug 8 10:01:30 localhost sshd: Invalid user abuse from 184.108.40.206
Aug 8 10:01:39 localhost sshd: Invalid user abuse from 220.127.116.11
Aug 8 10:01:44 localhost sshd: Invalid user academia from 18.104.22.168
Aug 8 10:01:54 localhost sshd: Invalid user academia from 22.214.171.124
(from Ubuntu breezy, completely updated as of now)
if you have these log entries, DenyHosts can parse your log and add them to your hosts.deny list. It is very easy to download and configure. It runs via cron as often as you configure it.
It would be great if we had a centralized “bad guys” list of hosts doing these evil scans ala d-shield or rbls.
I’m making mine available. You can watch it grow.
I can also compare lists between two systems with a simple command:
computer1$ grep -v "^#" /etc/hosts.deny | sort -n >/tmp/a ; ssh Computer2 grep -v "^#" /etc/hosts.deny | sort -n | diff -u /tmp/a -
Now to automate merging the differences.