UnixReview.com
August 2005
Tool of the Month: DenyHosts
by Joe "Zonker" Brockmeier
If you've ever looked through /var/log/secure or /var/log/auth.log
(or whatever log file sshd logs to) on a public-facing system,
you've probably noticed a number of failed login attempts for users that don't
exist. Sometimes you'll find dozens or even hundreds of them in a row, a sure
sign that someone is attempting to brute-force the system: trying username and
password combinations until one of them gives them access.
If you use strong passwords, the odds of this succeeding are slim, but why take chances? There are a number of things you can do to mitigate the problem. One is to allow only a few known hosts to connect via SSH, but that means you need to know where your users will be connecting from, which isn't always practical or possible.
Another approach is to have sshd listen on a non-standard port. I'm not a big fan of this approach, really, because it only hides the service from casual scans, it complicates matters, and it causes problems for users who find themselves in an unfamiliar environment behind a firewall that only lets port 22 through.
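The two alternatives just described, written out as an added example that is not from the original article: a TCP wrappers allow list (the first approach) and an sshd_config port change (the second). The networks and host shown are documentation ranges chosen for illustration, and the files only take effect for sshd if it was built with libwrap support.

```conf
# /etc/hosts.allow -- only these networks and hosts may reach sshd at all
# (sshd must be linked against libwrap for hosts.allow/hosts.deny to apply)
sshd: 192.0.2.0/255.255.255.0
sshd: 198.51.100.7

# /etc/hosts.deny -- everyone else is refused before authentication even starts
sshd: ALL

# /etc/ssh/sshd_config -- the non-standard-port approach; this only hides the
# service from casual scans and does not slow down a targeted attacker
Port 2222
```

Remember to add your own management hosts to hosts.allow before touching hosts.deny; an `sshd: ALL` deny line with an empty allow list locks everyone out, including you.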
Another option is to block a host after a specific number of failed logins. That's where DenyHosts comes in. DenyHosts is a Python application that monitors the authentication log and writes the offending IP address to /etc/hosts.deny once a host exceeds the threshold for failed login attempts. From that point on, the host cannot even attempt to authenticate via SSH (sshd, via TCP wrappers, refuses the connection before authentication starts) until it is removed from /etc/hosts.d
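The mechanism described above, as an added example in plain Python that is not DenyHosts' own code: scan sshd log lines for failed password attempts, count them per source address, and append a `sshd: <ip>` entry to a hosts.deny file for every address at or above a threshold. The log lines, the threshold, the allow list and the function names are all constructed for this example; the regular expression covers only the "Failed password for ..." message, whereas DenyHosts matches a broader set of sshd messages.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample of what sshd writes to /var/log/auth.log: one scanner trying
# several non-existent users, one legitimate user fumbling a password once, and a
# second scanner hammering the same bogus account.
SAMPLE_LOG = """\
Aug  1 02:13:07 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Aug  1 02:13:09 bastion sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 41130 ssh2
Aug  1 02:13:12 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 41141 ssh2
Aug  1 02:13:15 bastion sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 41150 ssh2
Aug  1 02:14:01 bastion sshd[2210]: Failed password for zonker from 198.51.100.7 port 50001 ssh2
Aug  1 02:14:20 bastion sshd[2212]: Accepted publickey for zonker from 198.51.100.7 port 50003 ssh2
Aug  1 02:15:44 bastion sshd[2220]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2
Aug  1 02:15:46 bastion sshd[2221]: Failed password for invalid user admin from 192.0.2.9 port 33002 ssh2
Aug  1 02:15:48 bastion sshd[2222]: Failed password for invalid user admin from 192.0.2.9 port 33003 ssh2
"""

# Matches sshd's failed-password message whether or not the user exists.
# (Constructed for this example; DenyHosts uses its own, wider set of patterns.)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(lines):
    """Return a Counter of {source ip: number of failed password attempts}."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold, allowed=()):
    """Addresses at or above the threshold, minus an allow list.

    The allow list is the safeguard a practitioner wants: a typo-prone admin on a
    known host must never end up in hosts.deny.
    """
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowed)


def deny_entries(ips, daemon="sshd"):
    """hosts.deny lines in TCP wrappers syntax, one '<daemon>: <ip>' per offender."""
    return [f"{daemon}: {ip}" for ip in ips]


def update_hosts_deny(path, ips, daemon="sshd"):
    """Append entries for ips to path, skipping any already present; return the lines added.

    Re-running over the same log must not duplicate entries, so the file is read first.
    """
    path = Path(path)
    existing = set()
    if path.exists():
        existing = {line.strip() for line in path.read_text().splitlines()}
    new = [entry for entry in deny_entries(ips, daemon) if entry not in existing]
    if new:
        with path.open("a") as f:
            for entry in new:
                f.write(entry + "\n")
    return new


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG.splitlines())
    # Threshold of 3 is an assumption for the demo; DenyHosts makes it configurable.
    bad = offenders(counts, threshold=3, allowed={"198.51.100.7"})
    # Write to a temporary file rather than the real /etc/hosts.deny for the demo.
    demo_deny = Path(tempfile.mkdtemp()) / "hosts.deny"
    added = update_hosts_deny(demo_deny, bad)
    print("failed attempts per host:", dict(counts))
    print("added to", demo_deny, ":", added)
    print("second pass adds:", update_hosts_deny(demo_deny, bad))
```

The second pass at the end adds nothing, which is the idempotence property a log-watching daemon needs when it re-reads a log it has already processed.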