Denyhosts is a must have if you run secure shell

If you run secure shell you absolutely must run DenyHosts along with it. Secure Shell has been under security attack recently by random username/password probe attempts. Hopefully your secure shell server is good enough to leave entries such as


Aug 7 20:30:12 little sshd[1574]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=zorch.cc.gt.atl.ga.us user=root
Aug 7 20:30:14 little sshd[1574]: Failed password for root from 199.77.128.210
port 32824 ssh2

(from debian unstable, completely updated as of now)
or

Aug 8 10:01:08 localhost sshd[8569]: Invalid user 1 from 61.55.139.3
Aug 8 10:01:14 localhost sshd[8571]: Invalid user a from 61.55.139.3
Aug 8 10:01:20 localhost sshd[8573]: Invalid user a from 61.55.139.3
Aug 8 10:01:25 localhost sshd[8575]: Invalid user abuse from 61.55.139.3
Aug 8 10:01:30 localhost sshd[8577]: Invalid user abuse from 61.55.139.3
Aug 8 10:01:39 localhost sshd[8579]: Invalid user abuse from 61.55.139.3
Aug 8 10:01:44 localhost sshd[8581]: Invalid user academia from 61.55.139.3
Aug 8 10:01:54 localhost sshd[8583]: Invalid user academia from 61.55.139.3

(from Ubuntu breezy, completely updated as of now)

if you have these log entries, DenyHosts can parse your log and add them to your hosts.deny list. It is very easy to download and configure. It runs via cron as often as you configure it.

It would be great if we had a centralized “bad guys” list of hosts doing these evil scans ala d-shield or rbls.

I’m making mine available. You can watch it grow.

My hosts.deny

I can also compare lists between two systems with a simple command:

computer1$ grep -v "^#" /etc/hosts.deny | sort -n >/tmp/a ; ssh Computer2 grep -v "^#" /etc/hosts.deny | sort -n | diff -u /tmp/a -

Now to automate merging the differences.

4 thoughts on “Denyhosts is a must have if you run secure shell”

  1. Sounds like an ugly, pointless hack to me. If they’re not getting in, what’s the problem? There’s only 1 attempt every 5-10 seconds. It would take them an eternity to guess anything.

  2. The only problem I have with DenyHosts is that if you already have a hosts.deny file with items in it, there doesn’t seem to be a way to put the ssh deny rules at the top of the file. If you have rules that contradict the DenyHosts entries they will show up above the DenyHosts stuff and cancel them out.

  3. DenyHosts 2.x added synchronization mode such that attacke to your server will (optionally) be uploaded to the central DenyHosts server. Attacke to other servers will (optionally) be downloaded by your DenyHosts instance.
    http://www.denyhosts.net/sync.html

    Also, DenyHosts can add entries to a file other than /etc/hosts.deny such as /etc/hosts.denyhosts. Such that entries will not conflict with any local rules.
    http://www.denyhosts.net/faq.html#aux

    Phil

  4. DenyHosts 2.x added synchronization mode such that attacks to your server will (optionally) be uploaded to the central DenyHosts server. Attacks to other servers will (optionally) be downloaded by your DenyHosts instance.
    http://www.denyhosts.net/sync.html

    Also, DenyHosts can add entries to a file other than /etc/hosts.deny such as /etc/hosts.denyhosts. Such that entries will not conflict with any local rules.
    http://www.denyhosts.net/faq.html#aux

    Phil

Comments are closed.