
Wednesday, June 21

denyhosts is in python.. but it still works

For a while now I've been running a nice program by the name of 'denyhosts'. For those of you that have a server somewhere on the internet with port 22 open, you know what I am talking about when I say 'see all those brute force ssh attacks?!'.

People use the brute force ssh method to try to gain access to your machine. I did it once, just to see what would happen, on a honeypot, and they put an irc controlling bot on there. ghey.

denyhosts works by monitoring your /var/log/secure (or whatever file your OS uses; it's /secure on mine, running Fedora on this box) for brute force attacks of one of two kinds: either brute force against accounts that don't exist, or brute force against the root account.

The root account gets ONE bad try (you can set these thresholds in /usr/local/denyhosts/denyhosts.cfg); after that one bad try you are added to the /etc/hosts.deny file and are forever ignored. Unknown accounts, by default, get 5 bad tries; I thought that was too much, so I changed that a bit.

Once they are added to /etc/hosts.deny, you can configure 'denyhosts' to deny them for all services ("all:") or, by default, just for ssh ("ssh:"). It will also (only if you tell it to; it doesn't do this by default) sync with a master denyhosts server: if you choose to, it uploads your entries and downloads all of theirs for inclusion in your /etc/hosts.deny, so you deny the hosts that others have uploaded as well. I have this option enabled, and now with:

# wc -l /etc/hosts.deny
2380 /etc/hosts.deny

2380 lines (figure some of that is commenting, so maybe 2300+ hosts) are denied here. (That's a lot of hosts.)

You can also have it purge old hosts: after 'x' number of days (again, set in the cfg file) it will expire the old host. If they come back, they'll be re-added.
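To make the mechanism described above concrete, here is a miniature version of it as an added example; it is not DenyHosts' own code. It scans sshd "Failed password" lines in the syslog format /var/log/secure uses, counts failures per source host separately for root and for non-existent accounts, applies the two thresholds from the post (root: 1, unknown accounts: 5), renders hosts.deny entries, and purges entries older than a configurable number of days. The log lines, host addresses, threshold names, the marker-comment format used for purging, and the PURGE_DAYS value are all constructed for the example; the daemon name "sshd" is used because OpenSSH's tcp_wrappers check matches hosts.deny entries against the daemon name, and "ALL" would block every wrapped service.

```python
"""Miniature DenyHosts-style scanner (added example, not DenyHosts' own code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds mirror the post: root gets ONE bad try, unknown accounts get 5.
# These names are the example's own, not keys from denyhosts.cfg.
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_INVALID = 5
PURGE_DAYS = 7              # assumed value for "expire the old host after 'x' days"
BLOCK_SERVICE = "sshd"      # tcp_wrappers daemon name for OpenSSH; "ALL" denies every wrapped service

# Constructed sample lines in the /var/log/secure format (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Jun 20 19:50:01 box sshd[4121]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jun 20 19:50:03 box sshd[4123]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
Jun 20 19:50:05 box sshd[4125]: Failed password for invalid user oracle from 198.51.100.7 port 40114 ssh2
Jun 20 19:50:07 box sshd[4127]: Failed password for invalid user test from 198.51.100.7 port 40115 ssh2
Jun 20 19:50:09 box sshd[4129]: Failed password for invalid user guest from 198.51.100.7 port 40116 ssh2
Jun 20 19:50:11 box sshd[4131]: Failed password for invalid user www from 198.51.100.7 port 40117 ssh2
Jun 20 19:50:13 box sshd[4133]: Failed password for invalid user backup from 203.0.113.5 port 40118 ssh2
Jun 20 19:50:15 box sshd[4135]: Accepted publickey for alice from 203.0.113.9 port 40119 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<host>\S+) port"
)
# Marker comment this example writes before each deny line so purge_expired can date it.
DENY_MARK_RE = re.compile(r"^# denied (?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<host>\S+)$")


def count_failures(log_text):
    """Return {host: {"root": n, "invalid": n}} built from Failed-password lines only."""
    counts = defaultdict(lambda: {"root": 0, "invalid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        if m.group("invalid"):
            counts[m.group("host")]["invalid"] += 1
        elif m.group("user") == "root":
            counts[m.group("host")]["root"] += 1
        # failures against existing non-root accounts fall outside the two cases the post describes
    return dict(counts)


def hosts_to_deny(counts):
    """Apply the per-category thresholds and return the sorted list of hosts to block."""
    return sorted(
        host for host, c in counts.items()
        if c["root"] >= DENY_THRESHOLD_ROOT or c["invalid"] >= DENY_THRESHOLD_INVALID
    )


def hosts_deny_lines(hosts, when):
    """Render hosts.deny lines: a dated marker comment followed by the deny entry for each host."""
    stamp = when.strftime("%Y-%m-%d %H:%M:%S")
    lines = []
    for host in hosts:
        lines.append(f"# denied {stamp} | {host}")
        lines.append(f"{BLOCK_SERVICE}: {host}")
    return lines


def purge_expired(deny_lines, now, purge_days=PURGE_DAYS):
    """Drop marker+entry pairs older than purge_days; lines without our marker are kept untouched."""
    cutoff = now - timedelta(days=purge_days)
    kept, skip_next = [], False
    for line in deny_lines:
        if skip_next:          # this is the deny entry belonging to an expired marker
            skip_next = False
            continue
        m = DENY_MARK_RE.match(line)
        if m and datetime.strptime(m.group("stamp"), "%Y-%m-%d %H:%M:%S") < cutoff:
            skip_next = True   # drop the marker now and its entry on the next iteration
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    offenders = hosts_to_deny(count_failures(SAMPLE_LOG))
    entries = hosts_deny_lines(offenders, datetime(2006, 6, 20, 19, 51, 18))
    print("\n".join(entries))
    print("after purge window:", purge_expired(entries, datetime(2006, 6, 28, 0, 0, 0)))
```

Running it denies 192.0.2.10 (one root failure) and 198.51.100.7 (five invalid-user failures) but not 203.0.113.5, which has only a single invalid-user failure; eight days later the purge step expires both entries, and a fresh run would re-add them if the failures recur, which is the behaviour the post describes.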

It will also send an email to whatever account you want, telling you that someone has attempted an attack against your machine and has therefore been denied. Last night, for example, I received this email:

From: DenyHosts
To: root@localhost.localdomain
Subject: DenyHosts Report
Date: Tue, 20 Jun 2006 19:51:18 -0400

Added the following hosts to /etc/hosts.deny:

58.6.117.217 (dsl-58-6-117-217.qld.westnet.com.au)


This system seems to work pretty well. Give it a shot.
