Hey, your SSH is showing

Saw an interesting submission by Chuck Talk at RootPrompt the other day about DenyHosts, a tool to prevent repeated attacks against public SSH services running on your servers.

Apparently someone had plenty of time to try to log in, and was not deterred by repeated login failures. That set me on a course to find a solution that was simple, effective and enough of a barrier to the attacker that they would move on out of frustration, or simply be denied often enough that they would look for easier targets.

That search led me to find DenyHosts, a simple and elegant solution that works with a minimal configuration effort and is small, quick and clean. The ease of installation and operation make this an effective solution to annoying SSH attackers, and one that you should consider if you are using SSH services.

In essence, DenyHosts is a simple Python script that watches your logs for entries indicating obviously malicious and/or suspicious login attempts. From the FAQ:

DenyHosts then processes the sshd server log (typically, this is /var/log/secure, /var/log/auth.log, etc.) and determines which hosts have unsuccessfully attempted to gain access to the ssh server. Additionally, it notes the user and whether or not that user is valid (e.g. has a system account) or invalid (e.g. does not have a system account).

When DenyHosts determines that a given host has attempted a configurable number of attempts (this is known as the deny_threshold), DenyHosts will add that host to the /etc/hosts.deny file. This will prevent that host from contacting your sshd server again.

Also, DenyHosts will note any successful logins that occurred by a host that has exceeded the deny_threshold. These are known as suspicious logins and should be investigated further by the system admin.
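To make the three FAQ steps concrete (count failures per host, deny a host once it reaches deny_threshold, and flag later successful logins from a denied host as suspicious), here is a small added example in Python. It is not DenyHosts' own code, and the log lines, hostnames and addresses it parses are constructed samples in OpenSSH's syslog format, not a real capture. It never touches the real /etc/hosts.deny; the merge is done on a string so the effect can be inspected first.

```python
import re
from collections import Counter, defaultdict

# OpenSSH log lines (constructed samples; the "invalid user " prefix marks
# an account that does not exist on the system).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>[\d.]+) port \d+"
)

# Constructed sample log: one host hammering the server, one legitimate
# user with a single typo before a key-based login.
SAMPLE_LOG = """\
Mar 12 10:21:05 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 12 10:21:09 srv sshd[1202]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Mar 12 10:21:14 srv sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 12 10:22:30 srv sshd[1210]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 12 10:22:41 srv sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
Mar 12 10:25:02 srv sshd[1220]: Accepted password for bob from 203.0.113.5 port 40010 ssh2
"""


def analyze(log_text, deny_threshold=3):
    """Count failed logins per host, decide which hosts to deny, and flag
    successful logins from hosts that reached the threshold."""
    failures = Counter()
    invalid_users = defaultdict(set)   # host -> usernames that do not exist
    valid_users = defaultdict(set)     # host -> real accounts that were tried
    accepted = []                      # (host, user) of successful logins

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            host = m.group("host")
            failures[host] += 1
            bucket = invalid_users if m.group("invalid") else valid_users
            bucket[host].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("host"), m.group("user")))

    denied = sorted(h for h, n in failures.items() if n >= deny_threshold)
    denied_set = set(denied)
    # A successful login from a host that also exceeded the threshold is the
    # "suspicious login" the FAQ says an admin should look at.
    suspicious = [(h, u) for h, u in accepted if h in denied_set]

    return {
        "failures": dict(failures),
        "invalid_users": dict(invalid_users),
        "valid_users": dict(valid_users),
        "denied": denied,
        "suspicious": suspicious,
    }


def hosts_deny_lines(denied):
    """TCP-wrappers entries that block the listed hosts for sshd only."""
    return ["sshd: %s" % h for h in denied]


def merge_hosts_deny(existing_text, denied):
    """Append 'sshd: <host>' lines for hosts not already present, so that
    re-running on the same log does not duplicate entries."""
    already = set()
    for line in existing_text.splitlines():
        line = line.strip()
        if line.startswith("sshd:"):
            already.update(line[len("sshd:"):].replace(",", " ").split())
    out = existing_text
    if out and not out.endswith("\n"):
        out += "\n"
    for host in denied:
        if host not in already:
            out += "sshd: %s\n" % host
    return out


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, deny_threshold=3)
    print("failures:  ", report["failures"])
    print("denied:    ", report["denied"])
    print("suspicious:", report["suspicious"])
    print(merge_hosts_deny("sshd: 192.0.2.9\n", report["denied"]), end="")
```

With the sample above, 203.0.113.5 is denied after its third failure and bob's later successful login from it is reported as suspicious, while alice's single mistyped password from 198.51.100.7 never reaches the threshold. One check worth doing before relying on any hosts.deny-based tool: newer OpenSSH releases no longer link against libwrap, so confirm that your sshd actually honours /etc/hosts.deny (or block at the firewall instead, as the comments below suggest).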

3 Responses to “Hey, your SSH is showing”

  1. Juanjo Says:

    Under *BSD and using Packet Filter you can use:
    SSH Scanner Blocker (python also): http://www.e-shell.org/index.py?code=python
    ssh_blocker (script shell): http://blackshell.usebox.net/pub/shell/ssh_blocker.README

    Both are easy to adapt to iptables (and the second one is interesting because it doesn't need Python).

  2. dr.kaos Says:

    Thanks for the pointers, Juanjo, I’ll check both of these out.

  3. Moshto Says:

    Your site makes good reading! (got here via /. book review yesterday)

    I can also recommend these 2 for fencing off sshd scans / dictionary attacks:

    Fail2Ban: http://www.sourceforge.net/projects/fail2ban

    Scans syslog/auth.log for failed login attempts and puts offending hosts in your firewall. Also works with authentication modules for Apache etc.

    pam_abl: http://www.hexten.net/pam_abl/

    RBL listing via pam
