Protection against ssh bruteforce attacks

April 15, 2007

Everyone who has set up an ssh server on a computer connected to the Internet probably has a log full of failed login attempts from random foreign hosts. Even if the probability that they will succeed is close to zero, it would feel good to have an automated way to block hosts that have failed a few times to log in to the ssh server.

Personally, for my own computer at home, I never felt that it was such a big problem that I took the time to find a solution for it. But when we had a LOT of bruteforce attacks against the ssh server at work, it felt worth doing something about the potential security hole. I googled it for a while and finally found DenyHosts (http://denyhosts.sourceforge.net/), a very simple program that parses /var/log/auth.log on a Debian system or /var/log/messages on a Gentoo system and adds rules to /etc/hosts.deny when a host has too many failed attempts to log in to the server. Really simple but still so useful.
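The parse-and-block loop described above, as an added sketch that is not DenyHosts' own code: it counts sshd "Failed password" lines per source address and prints `/etc/hosts.deny` entries in tcp_wrappers syntax. The log lines, the threshold of 3 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of sshd lines as found in /var/log/auth.log
# (addresses come from the documentation ranges).
SAMPLE_LOG = """\
Apr 15 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 4022 ssh2
Apr 15 10:01:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 4031 ssh2
Apr 15 10:01:09 host sshd[2105]: Invalid user test from 203.0.113.7
Apr 15 10:01:09 host sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 4040 ssh2
Apr 15 10:02:11 host sshd[2110]: Failed password for alice from 198.51.100.20 port 5100 ssh2
Apr 15 10:02:15 host sshd[2110]: Accepted password for alice from 198.51.100.20 port 5100 ssh2
Apr 15 10:03:00 host sshd[2120]: Failed password for invalid user x from 192.0.2.9 port 22 ssh2 from 203.0.113.50 port 6000 ssh2
"""

# The username is text supplied by the remote side, so the pattern is anchored
# on the end of the line: the address taken is the peer address sshd appended,
# never something that merely looks like an address inside the username.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def failed_hosts(log_text):
    """Return a Counter of failed password attempts keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def hosts_deny_lines(counts, threshold=3, allow=()):
    """Build hosts.deny entries for hosts at or over the threshold.

    `allow` holds addresses that must never be blocked (e.g. your own admin host).
    """
    return [f"sshd: {host}" for host, n in sorted(counts.items())
            if n >= threshold and host not in allow]

if __name__ == "__main__":
    for entry in hosts_deny_lines(failed_hosts(SAMPLE_LOG)):
        print(entry)  # lines that would be appended to /etc/hosts.deny
```

The last sample line shows why the match is anchored at the end: the address embedded in the username is ignored and only the real peer is counted.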

DenyHosts is available in the package system for both Debian and Gentoo, and both work fine. Actually, I have installed DenyHosts on more or less every computer I have now :). Every now and then I get mail from the server saying it has blocked yet another host from logging in. So far I have 16 hosts blocked in just about 2-3 days. Why don't you give it a try?