Mar 14 2008
Block SSH brute force attacks with DenyHosts
If you are like me and you have a server with its ssh port open to the internet, you probably know that many crackers regularly attempt to gain access to your server. For me, there are on average 4 to 6 attacks from different IPs each day on my ssh port. I’ve seen automated brute force attacks last for several hours before giving up. This is annoying because it uses bandwidth and also because every attempt is written to the auth.log file, and my hard disk is actually a little noisy.
While I know it is very improbable that a cracker would successfully brute force my passwords (because they are not trivial at all), I still wanted to do something about it. I searched and found DenyHosts. DenyHosts is a python script that runs as a daemon and monitors the ssh log file (/var/log/auth.log on Debian) in real time to find attacks. When an attack is found, the attacker is blocked by adding its IP to the hosts.deny file, for the sshd service only.
To install it on Debian:
# apt-get install denyhosts
An interesting feature is that it can download, from a central database, a list of IPs that are known to be crackers, so those will actually be blocked before the cracker even makes a first attempt. If you wish, the script can also automatically contribute to that list by uploading the IPs that attempted to crack your server. There are other nice config options like the number of attempts before an IP is flagged as a cracker, the number of days that the IP will remain blocked, etc.
To change the configuration:
# vi /etc/denyhosts.conf
Then restart it:
# /etc/init.d/denyhosts stop
# /etc/init.d/denyhosts start
As soon as I installed it, it started to block crackers and my ears had a little break. After a few weeks with it, it also reduced the size of the auth.log file quite a lot. This is a sample of a hosts.deny file with entries added by DenyHosts:
# DenyHosts: Mon Mar 10 01:52:13 2008 | sshd: 200.25.207.210
sshd: 200.25.207.210
# DenyHosts: Mon Mar 10 02:17:16 2008 | sshd: 200.13.255.32
sshd: 200.13.255.32
# DenyHosts: Mon Mar 10 14:47:45 2008 | sshd: 190.144.140.83
sshd: 190.144.140.83
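To make the mechanism described above concrete (parse auth.log, count failed logins per IP, write a hosts.deny entry for sshd once a threshold is crossed), here is a small added Python example. It is not DenyHosts' own code: the log lines are constructed samples, and the three thresholds are assumed values chosen in the spirit of DenyHosts' DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT settings in /etc/denyhosts.conf. It only shows the counting and the output format; the real daemon also tails the log continuously and purges old entries after the configured number of days.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not real data): one host
# tries five non-existent accounts, one hammers root twice, and a legitimate
# user mistypes her password once before logging in.
SAMPLE_AUTH_LOG = """\
Mar 10 01:50:01 myhost sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 01:50:03 myhost sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 01:50:05 myhost sshd[4023]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar 10 01:50:07 myhost sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Mar 10 01:50:09 myhost sshd[4027]: Failed password for invalid user guest from 203.0.113.7 port 51250 ssh2
Mar 10 01:50:11 myhost sshd[4029]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 10 01:50:12 myhost sshd[4031]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 10 01:52:13 myhost sshd[4033]: Failed password for alice from 192.0.2.44 port 50222 ssh2
Mar 10 01:52:20 myhost sshd[4033]: Accepted password for alice from 192.0.2.44 port 50222 ssh2
"""

# Matches OpenSSH "Failed password" lines; the optional "invalid user "
# prefix tells us whether the account even exists on the box.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Assumed thresholds, in the spirit of DenyHosts' DENY_THRESHOLD_* options.
THRESHOLD_INVALID = 5   # failures against accounts that do not exist
THRESHOLD_VALID = 10    # failures against existing, non-root accounts
THRESHOLD_ROOT = 1      # failures against root


def parse_failures(log_text):
    """Return one (ip, user, is_invalid_user) tuple per failed login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append((m.group("ip"), m.group("user"), m.group("invalid") is not None))
    return failures


def offenders(failures):
    """Count failures per IP in three buckets and return the IPs over a threshold."""
    counts = defaultdict(Counter)
    for ip, user, invalid in failures:
        bucket = "root" if user == "root" else ("invalid" if invalid else "valid")
        counts[ip][bucket] += 1
    flagged = [
        ip for ip, c in counts.items()
        if c["invalid"] >= THRESHOLD_INVALID
        or c["valid"] >= THRESHOLD_VALID
        or c["root"] >= THRESHOLD_ROOT
    ]
    return sorted(flagged)


def hosts_deny_entries(ips, when):
    """Render hosts.deny lines in DenyHosts' two-line style: a dated comment, then the rule."""
    stamp = when.strftime("%a %b %d %H:%M:%S %Y")
    lines = []
    for ip in ips:
        lines.append(f"# DenyHosts: {stamp} | sshd: {ip}")
        lines.append(f"sshd: {ip}")
    return lines


if __name__ == "__main__":
    bad_ips = offenders(parse_failures(SAMPLE_AUTH_LOG))
    for entry in hosts_deny_entries(bad_ips, datetime(2008, 3, 10, 1, 52, 13)):
        print(entry)
```

Run as a script it prints the two hosts.deny blocks for 198.51.100.9 and 203.0.113.7; alice's single typo from 192.0.2.44 stays under the valid-user threshold. Separating the root bucket matters because a single failed root login from an unknown host is far more suspicious than a mistyped password on a normal account, which is why DenyHosts lets you set that threshold much lower.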
One response so far
I’m often bumping about the online world almost all of the day and so I have a propensity to read quite a bit, which is not generally a beneficial option as some of the internet sites I see are composed of useless crap copied from several other sites a thousand times, but I gotta say this blog is in actual fact decent and even supplies some authentic content, so many thanks for helping to stop the pattern of solely duplicating other folks’ websites.