Category: General Tool of the Week

DenyHosts

If you have a computer on a public-facing IP address running an SSH server on port 22, chances are pretty good you'll be subjected to a number of dictionary attacks: compromised hosts trying to log in with a list of common user names and passwords.

Now, this isn't a problem for most of us, right? We have secure passwords after all, and these attacks only try dictionary lists of words: username root with a password of 'password' or 'root', for example. However, they are still annoying, if only because they fill up the log files. It would also be better simply not to have the connections at all, just in case one of them does get through.

I recently came across a tool called DenyHosts. DenyHosts monitors your SSH log file and, once a host has accumulated a significant number of failed login attempts, adds it to /etc/hosts.deny so that it can no longer reach SSH (or, if you choose, any tcpwrapped service). It also has a synchronised mode in which hosts running DenyHosts across the internet share their lists of denied IP addresses.

I set it up a week or so ago and get an email every couple of hours with a new IP address that has been blacklisted. I also managed to blacklist one of my own IP addresses while testing, which proved hard to remove: DenyHosts kept adding the block back in. Fortunately, I set it to purge entries after 3 days, so I can now SSH in again :)
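To make the mechanism concrete, here is an added example (my own code, not part of DenyHosts or this post) that does in miniature what the tool does: count "Failed password" lines per source IP in sshd log output, write tcp_wrappers `hosts.deny` entries for hosts over a threshold, and purge entries after 3 days. The allow-list argument is my own addition to show the guard that would have prevented the self-lockout described above; the log lines, addresses and timestamps are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sshd log lines in OpenSSH's auth.log style (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Mar  3 10:01:14 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40121 ssh2
Mar  3 10:01:17 host sshd[1203]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:02:02 host sshd[1210]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Mar  3 10:02:30 host sshd[1211]: Accepted publickey for alice from 198.51.100.9 port 51001 ssh2
Mar  3 10:03:01 host sshd[1215]: Failed password for invalid user test from 192.0.2.77 port 33000 ssh2
Mar  3 10:03:02 host sshd[1215]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
Mar  3 10:03:03 host sshd[1215]: Failed password for invalid user oracle from 192.0.2.77 port 33002 ssh2
"""

# Matches both "Failed password for root from X" and "... for invalid user admin from X".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

def count_failures(log_text):
    """Count failed password attempts per source IP; successful logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def update_denied(denied, counts, now, threshold=3, allow=frozenset()):
    """Add every IP at or above `threshold` to `denied` ({ip: time first denied}).
    `allow` (hypothetical allow-list) keeps your own addresses from ever being added."""
    for ip, n in counts.items():
        if n >= threshold and ip not in allow and ip not in denied:
            denied[ip] = now
    return denied

def purge(denied, now, max_age_days=3):
    """Drop entries older than max_age_days, mirroring the post's 3-day purge setting."""
    cutoff = now - timedelta(days=max_age_days)
    return {ip: t for ip, t in denied.items() if t > cutoff}

def render_hosts_deny(denied, daemon="sshd"):
    """Render tcp_wrappers hosts.deny lines in 'daemon: client' form."""
    return "\n".join(f"{daemon}: {ip}" for ip in sorted(denied))

if __name__ == "__main__":
    now = datetime(2024, 3, 3, 10, 5)
    denied = update_denied({}, count_failures(SAMPLE_LOG), now, allow={"198.51.100.9"})
    print(render_hosts_deny(denied))          # two hosts over the threshold of 3
    print(purge(denied, now + timedelta(days=4)))  # {} once the entries have aged out
```

Run it to see the two scanning hosts rendered as `hosts.deny` lines while the allow-listed address stays reachable even if it fails a login.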