Saturday, June 13, 2009

Deny Hosts with..........DenyHosts!



While I was looking for some security tools recently, I came across DenyHosts.

DenyHosts is a Python script that will allow you to monitor a Linux system for failed SSH logins and add their IP address to /etc/hosts.deny based on the number of failed attempts. ( This assumes you have set up your SSH install to be protected by TCP wrappers. )

One of the nice features about this script is that you can set different limits for the number of allowed failed logins for the root user, users that do not exist on this system, and users that do exist.

Installing this software was very easy as it was available as "apt-get install denyhosts".

Configuring the script was also very easy and didn't take more than about 10 minutes or so to read through the configuration file and set a few parameters that the author documents very well.

After that I just set up the script to be run from Cron every 5 minutes or so:


and Denyhosts was all ready to go.

As an example, you can see in the secure log ( /var/log/auth.log on my system) that the users Devil, bob, hacz0r, root, and loot have failed login attempts from 1.2.3.4:

Jun 11 15:51:05 RuleNumber1 sshd[1113]: Failed none for invalid user Devil from 1.2.3.4 port 35722 ssh2
Jun 11 15:51:06 RuleNumber1 sshd[1113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Jun 11 15:51:08 RuleNumber1 sshd[1113]: Failed password for invalid user loot from 1.2.3.4 port 35722 ssh2
Jun 11 15:51:18 RuleNumber1 sshd[1117]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
Jun 11 15:51:20 RuleNumber1 sshd[1117]: Failed password for root from 1.2.3.4 port 46446 ssh2
Jun 11 15:51:26 RuleNumber1 sshd[1117]: Failed password for root from 1.2.3.4 port 46446 ssh2
Jun 11 15:51:30 RuleNumber1 sshd[1117]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
Jun 11 15:51:41 RuleNumber1 sshd[1121]: Failed password for invalid user hacz0r from 1.2.3.4 port 41470 ssh2
Jun 11 15:51:53 RuleNumber1 sshd[1121]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
Jun 11 16:05:21 RuleNumber1 sshd[1177]: pam_unix(sshd:auth): authentication failure; logname=


and a few minutes later we see that DenyHosts has done its job and added the IP address to our deny file:

cmd#cat /etc/hosts.deny
sshd: 1.2.3.4
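To make the mechanism above concrete, here is an added example (my own illustration, not DenyHosts' code) that does the core of what the script does: read sshd "Failed ..." lines from the auth log, count failures per source IP in three buckets (root, non-existent users, real users), apply a separate limit to each bucket, and emit the hosts.deny line. The log text, the thresholds, the allow list and the 10.0.0.7 entry are constructed for the example; DenyHosts' actual configuration keys and defaults are not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the auth.log excerpt above. The
# pam_unix lines are left out because only the sshd "Failed ..." lines
# carry the username, so those are what we count.
SAMPLE_LOG = """\
Jun 11 15:51:05 RuleNumber1 sshd[1113]: Failed none for invalid user Devil from 1.2.3.4 port 35722 ssh2
Jun 11 15:51:08 RuleNumber1 sshd[1113]: Failed password for invalid user loot from 1.2.3.4 port 35722 ssh2
Jun 11 15:51:20 RuleNumber1 sshd[1117]: Failed password for root from 1.2.3.4 port 46446 ssh2
Jun 11 15:51:26 RuleNumber1 sshd[1117]: Failed password for root from 1.2.3.4 port 46446 ssh2
Jun 11 15:51:41 RuleNumber1 sshd[1121]: Failed password for invalid user hacz0r from 1.2.3.4 port 41470 ssh2
Jun 11 15:52:10 RuleNumber1 sshd[1130]: Failed password for alice from 10.0.0.7 port 50001 ssh2
"""

# Matches "Failed <method> for [invalid user ]<name> from <ip> port ...".
# The auth method ("none", "password", "publickey") is irrelevant to the count.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

# Assumed thresholds for this example only: root gets no slack, unknown
# usernames a little, real accounts a bit more (a typo-prone colleague
# should not lock out a whole office).
THRESHOLDS = {"root": 1, "invalid": 3, "valid": 5}


def classify(user, is_invalid):
    """Bucket a failed login by who was being targeted."""
    if user == "root":
        return "root"
    if is_invalid:
        return "invalid"
    return "valid"


def count_failures(log_text):
    """Return {ip: {bucket: count}} built from sshd 'Failed ...' lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # pam_unix noise, successful logins, etc.
        bucket = classify(m.group("user"), m.group("invalid") is not None)
        counts[m.group("ip")][bucket] += 1
    return counts


def ips_to_deny(counts, thresholds=THRESHOLDS, allow=frozenset()):
    """IPs that crossed any bucket's limit, minus an allow list.

    The allow list is the safety net: never ban the address you manage
    the box from, however badly you mistype your password.
    """
    deny = set()
    for ip, per_bucket in counts.items():
        if ip in allow:
            continue
        if any(n >= thresholds[b] for b, n in per_bucket.items()):
            deny.add(ip)
    return sorted(deny)


def hosts_deny_lines(ips, service="sshd"):
    """Render TCP-wrappers entries in the form seen in /etc/hosts.deny."""
    return [f"{service}: {ip}" for ip in ips]


if __name__ == "__main__":
    banned = ips_to_deny(count_failures(SAMPLE_LOG))
    print("\n".join(hosts_deny_lines(banned)))  # sshd: 1.2.3.4
```

With the sample above, 1.2.3.4 accumulates three failures against non-existent users and two against root, so it crosses both the "invalid" and "root" limits and is written out exactly as the post's hosts.deny shows, while 10.0.0.7's single failure against a real account stays under its limit. Note that this only works as a block if sshd is actually built with TCP-wrappers support and consults hosts.deny, which is the assumption the post states at the top.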


Another nice feature of DenyHosts is that you can use synchronization mode, where you are accepting information about IP addresses that have been blocked for other users' hosts and/or (it's configurable) upload the IP addresses you have blocked, in a sense collaborating on a large black list of IP addresses.

All in all this was very easy to install and configure; there is one main configuration file, and it is easy to understand and well commented.

DenyHosts adds another layer of security to your SSH setup, and I'd suggest adding it to your toolkit.
