I know there are a few of you out there that admin linux boxes either for hobby or work, so I thought I’d pass this along…
If you pay any attention to your syslogs at all (which you should), you’ll already know this, but in the last year or so, the occurrance of SSH brute force attacks has gone up significantly. For the non-geek (a.k.a. people who have lives), SSH is a way of gaining access to a server remotely. For instance, the server I rent is actually in San Diego – so when I need to change something, I can’t just waltz up to it, turn the monitor on, and make the change. I have to run a program on my laptop called an SSH client which I use to connect over the internet to my server. Once the connection is made, all communications between the server and client are encrypted. Now – what’s this brute force you speak of? I’ll explain. There are many people around the world whose goal in life is to create as much mischief as possible – on the internet, this mischief often comes in the form of hacking attempts. Brute force attacks are a type of “hacking”. Basically, when someone launches a brute-force ssh attack, they try an arbitrary list of common usernames in combination with weak passwords. In server logs, it’s brutally obvious when an attack like this happens. See this for an example of what these attacks look like in the server logs. You can see that they’re just trying random usernames. 99% of the time, these attacks fail, fortunately, but every once in a while, they succeed in breaking into your system. Once that happens, they usually take over your server and use it for sending spam, viruses, etc. Not good – the end result after you discover you’ve been had is a server re-installation.
There are many ways to thwart these attacks – running sshd on a non-standard port, disabling password auth, implementing port knocking, etc. None of these options are acceptable for someone in my position, though, who has several (non-technical) users who need remote access into the machine to update websites, check email, and so on.
Enter DenyHosts. It’s a fairly simple python script written by a guy named Phil Schwartz. Put simply, DenyHosts runs periodically on the server, reading through the system logs. If it detects a brute-force attack, it adds the offending computer’s IP address to the /etc/hosts.deny file. This effectively cuts off all access to the server from that computer. Problem solved. Oh, and it also is able to send email to me when it detects an attack.
I was actually about mid-way through the process of writing a perl script to do just this when I stumbled upon DenyHosts. I gave it a try, and it worked just as advertized, so I figured it wasn’t worth re-inventing the wheel. That’s why I love open-source software. For the great majority of problems, there’s an open-source app that will get you ninety percent of the way to solving your problem, just requiring a bit of tweaking to bring the solution to completion.
So anyway – if you run a publicly-accessible *nix box w/ SSH available, I’d highly recommend you give DenyHosts a try. It really sets your mind at ease – not having to worry that some script kiddie is going to own your box.
Recent Comments