People brute-force SSH logins to try to gain access to your machine. I let it happen once, just to see what would happen, on a honeypot, and they put an IRC-controlled bot on there. Lame.
DenyHosts works by watching your SSH auth log (/var/log/secure on this box, which runs Fedora; the path differs by OS and is set with SECURE_LOG in the config) for repeated login failures from the same source host. It tracks them in separate buckets: attempts against accounts that don't exist, attempts against root, and (with a much higher default threshold) attempts against real accounts.
The root account gets ONE bad try. These thresholds are set in /usr/local/denyhosts/denyhosts.cfg (DENY_THRESHOLD_ROOT, DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID); after that one bad try the host is added to /etc/hosts.deny and ignored until it is purged. Unknown accounts, by default, get 5 bad tries, which I thought was too much, so I changed that a bit. One caveat: with thresholds this low you can lock yourself out with a single typo from a new location, so put any address you always connect from into the allowed-hosts file in DenyHosts' WORK_DIR before turning it on.
When a host is added to /etc/hosts.deny, the BLOCK_SERVICE setting decides whether the entry blocks every TCP Wrappers service ("ALL: host") or only sshd ("sshd: host"). The list grows quickly either way:
# wc -l /etc/hosts.deny
2380 /etc/hosts.deny
2380 lines (some of that is commenting, so maybe 2300+ hosts) are denied here. That's a lot of hosts.
You can also have it purge old hosts: after 'x' amount of time (PURGE_DENY in the config, e.g. 4w) it expires the old entry. If they come back, they'll be re-added.
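To make the scan/threshold/purge cycle above concrete, here is a small Python model of it. This is an added example, not DenyHosts' own code. The config excerpt uses real denyhosts.cfg option names with values chosen for the example, the log lines are constructed in OpenSSH's syslog format, and the hosts.deny layout (a dated "# DenyHosts:" comment line above each "service: host" entry, which is what the purge step keys off) follows the format DenyHosts writes. The fixed EXAMPLE_NOW timestamp is taken from the report e-mail quoted below.

```python
"""Toy model of the DenyHosts cycle: scan the secure log, count failed SSH
logins per source host by category, write offenders to hosts.deny under the
configured service, and purge entries older than PURGE_DENY.
Added example, not DenyHosts' own code; all inputs below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt in denyhosts.cfg syntax. Option names are real
# DenyHosts settings; the values are this example's choices.
CFG_TEXT = """
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
PURGE_DENY = 4w
ADMIN_EMAIL = root@localhost
"""

# Constructed /var/log/secure lines (OpenSSH syslog format, RFC 5737 addresses).
SECURE_LOG_LINES = """\
Jun 20 19:50:01 box sshd[2100]: Failed password for invalid user test from 198.51.100.7 port 4001 ssh2
Jun 20 19:50:02 box sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 4002 ssh2
Jun 20 19:50:03 box sshd[2102]: Failed password for invalid user guest from 198.51.100.7 port 4003 ssh2
Jun 20 19:50:04 box sshd[2103]: Failed password for root from 203.0.113.9 port 5001 ssh2
Jun 20 19:50:05 box sshd[2104]: Failed password for invalid user oracle from 192.0.2.44 port 6001 ssh2
Jun 20 19:50:06 box sshd[2105]: Failed password for bob from 192.0.2.44 port 6002 ssh2
Jun 20 19:50:07 box sshd[2106]: Accepted password for bob from 192.0.2.44 port 6003 ssh2
""".splitlines()

# Time of the report e-mail quoted in the post; used as "now" for the example.
EXAMPLE_NOW = datetime(2006, 6, 20, 19, 51, 18)
STAMP_FMT = "%a %b %d %H:%M:%S %Y"

FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<host>\S+)")
# Dated comment DenyHosts writes above each hosts.deny entry.
ENTRY_RE = re.compile(r"^# DenyHosts: (?P<when>.+?) \| (?P<entry>.+)$")
PURGE_UNITS = {"m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def parse_cfg(text):
    """KEY = value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def purge_window(value):
    """PURGE_DENY is a number plus an m/h/d/w suffix, e.g. '4w'."""
    return timedelta(**{PURGE_UNITS[value[-1]]: int(value[:-1])})


def classify(user, invalid):
    """Bucket a failure the way the DENY_THRESHOLD_* options do."""
    if user == "root":
        return "ROOT"
    return "INVALID" if invalid else "VALID"


def scan(lines, cfg):
    """Return {host: category} for hosts that reached a DENY_THRESHOLD_*."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_RE.search(line)
        if m:  # "Accepted password" and other lines never match
            counts[m["host"]][classify(m["user"], m["invalid"])] += 1
    denied = {}
    for host, per_cat in counts.items():
        for cat, n in per_cat.items():
            if n >= int(cfg["DENY_THRESHOLD_" + cat]):
                denied[host] = cat
    return denied


def deny_lines(denied, cfg, now):
    """hosts.deny text for new offenders: dated comment, then 'service: host'."""
    stamp = now.strftime(STAMP_FMT)
    out = []
    for host in sorted(denied):
        entry = f"{cfg['BLOCK_SERVICE']}: {host}"
        out.append(f"# DenyHosts: {stamp} | {entry}")
        out.append(entry)
    return out


def purge(hosts_deny_lines, cfg, now):
    """Drop DenyHosts entries older than PURGE_DENY; keep hand-written lines."""
    cutoff = now - purge_window(cfg["PURGE_DENY"])
    kept, skip_next = [], None
    for line in hosts_deny_lines:
        if skip_next is not None:          # entry line under an expired comment
            drop, skip_next = line == skip_next, None
            if drop:
                continue
        m = ENTRY_RE.match(line)
        if m and datetime.strptime(m["when"], STAMP_FMT) < cutoff:
            skip_next = m["entry"]
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    cfg = parse_cfg(CFG_TEXT)
    print("\n".join(deny_lines(scan(SECURE_LOG_LINES, cfg), cfg, EXAMPLE_NOW)))
```

Running it denies 198.51.100.7 (three invalid-user failures, meeting the threshold of 3) and 203.0.113.9 (one root failure), while 192.0.2.44 stays off the list because its single invalid-user and single valid-user failures are each under their own threshold. Switching BLOCK_SERVICE to ALL changes the written entries from "sshd: host" to "ALL: host", and purge() removes only the dated DenyHosts entries older than the window, leaving hand-added hosts.deny lines alone.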
It will also send an email to whatever address you configure (ADMIN_EMAIL) to tell you that someone has tried an attempt against your machine and has therefore been denied. Last night I received this one:
From: DenyHosts
To: root@localhost.localdomain
Subject: DenyHosts Report
Date: Tue, 20 Jun 2006 19:51:18 -0400
Added the following hosts to /etc/hosts.deny:
58.6.117.217 (dsl-58-6-117-217.qld.westnet.com.au)
This system seems to work pretty well. Give it a shot.