Saturday, August 18, 2007

Stop trying to login through my ssh

Yesterday I got to annoyed on all the brute force attacks against my computers ssh-server. I know that I am definitely not alone. To prevent brute force attacks on ssh I installed denyhosts. Denyhosts log all login attempts logged in /var/log/auth.log and blocks IP-addresses that tries to login but fails repeatedly.

To install denyhosts on ubuntu you have to activate universe and then just select the denyhosts package. Then you are ready, the package starts the application automatically. No configuration needed. But, denyhosts have a nice feature that you can upload your blocked IP-addresses to a server on the net and download what addresses other blocks. This feature is not activated by default. To activate it remove the #-char from the line in /etc/denyhosts.conf:
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

Then restart the server: sudo /etc/init.d/denyhosts restart

24h later denyhosts block more than 1400 IP-addresses.

3 comments:

Hans Persson said...

Sounds useful. Now installed.

Erik Forsberg said...

Personally, I use fail2ban instead. It's on a slightly lower level (it uses iptables instead of /etc/hosts.deny), which can be seen as a feature :-).

I don't know if it has any remote IP address fetcher features, though.

Hans Persson said...

For me, ease of installation is a high priority. I especially like things like this when someone else tells me exactly how to install stuff I didn't even know I needed.