Hey, your SSH is showing | kaos.theory: fractal blog

Hey, your SSH is showing

Saw an interesting submission by Chuck Talk at RootPrompt the other day about DenyHosts, a tool to prevent repeated attacks against public SSH services running on your servers.

Apparently someone had plenty of time to try to log in, and was not deterred by repeated login failure. That set me on a course to find a solution that was simple, effective and enough of a barrier to the attacker that they would move on out of frustration, or simply be denied enough that they would find easier targets.

That search led me to find DenyHosts, a simple and elegant solution that works with a minimal configuration effort and is small, quick and clean. The ease of installation and operation make this an effective solution to annoying SSH attackers, and one that you should consider if you are using SSH services.

In essence, DenyHosts is a simple Python script that watches logs for entries indicating malicious or suspicious login attempts. From the FAQ:

DenyHosts then processes the sshd server log (typically, this is /var/log/secure, /var/log/auth.log, etc) and determines which hosts have unsuccessfully attempted to gain access to the ssh server. Additionally, it notes the user and whether or not that user is valid (eg. has a system account) or invalid (eg. does not have a system account).

When DenyHosts determines that a given host has attempted a configurable number of attempts (this is known as the deny_threshold), DenyHosts will add that host to the /etc/hosts.deny file. This will prevent that host from contacting your sshd server again.

Also, DenyHosts will note any successful logins that occurred by a host that has exceeded the deny_threshold. These are known as suspicious logins and should be investigated further by the system admin.
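
The log processing the FAQ describes, as an added Python example (not DenyHosts' own code and not part of the original post). It assumes OpenSSH's "Failed password" / "Accepted" log format; the sample log lines are constructed, `analyze` and `hosts_deny_lines` are hypothetical names, and treating the threshold as reached at `>= deny_threshold` is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the OpenSSH auth-log format (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 web sshd[901]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:03 web sshd[902]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:05 web sshd[903]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:09 web sshd[904]: Accepted password for root from 203.0.113.5 port 40004 ssh2
Mar  3 10:02:00 web sshd[910]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:02:10 web sshd[911]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
"""

# The user name in a failure line is text chosen by the remote client, so the
# pattern is anchored to the end of the line and the host is read from sshd's trailer.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")


def analyze(log_text, deny_threshold=3):
    """Return (hosts to deny, suspicious logins, per-host valid/invalid failure counts)."""
    failures = Counter()   # host -> failed attempts seen so far
    detail = {}            # host -> {"valid": n, "invalid": n}
    suspicious = []        # (host, user): successful login from a host at/over the threshold
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, _user, host = m.groups()
            failures[host] += 1
            kind = "invalid" if invalid else "valid"
            detail.setdefault(host, {"valid": 0, "invalid": 0})[kind] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= deny_threshold:
            suspicious.append((m.group(2), m.group(1)))
    denied = sorted(h for h, n in failures.items() if n >= deny_threshold)
    return denied, suspicious, detail


def hosts_deny_lines(denied):
    """Format entries in TCP Wrappers syntax, as they would appear in /etc/hosts.deny."""
    return [f"sshd: {host}" for host in denied]


if __name__ == "__main__":
    denied, suspicious, detail = analyze(SAMPLE_LOG)
    print("\n".join(hosts_deny_lines(denied)))
    print("suspicious logins:", suspicious)
```

In the sample, the successful root login from 203.0.113.5 follows three failures from the same host, which is the "suspicious login" case the FAQ says an admin should investigate.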


3 Responses to “Hey, your SSH is showing”

  1. Juanjo Says:

    Under *BSD and using Packet Filter you can use:
    SSH Scanner Blocker (python also):
    ssh_blocker (script shell):

    Both are easy to adapt to iptables (and the second one is interesting because it doesn’t need Python).

  2. dr.kaos Says:

    Thanks for the pointers, Juanjo, I’ll check both of these out.

  3. Moshto Says:

    Your site makes for good reading! (got here via /. book review yesterday)

    I can also recommend these 2 for fencing off sshd scans / dictionary attacks:


    Scans syslog/auth.log for failed login attempts and puts offending hosts in your firewall. Also works with authentication modules for Apache, etc.


    RBL listing via pam
