While I knew that brute-force attacks on SSH servers are very common, I had not taken the time to look at the connection attempt logs on my home servers until recently. To do that on Ubuntu run:
    sudo tail -n 100 /var/log/auth.log | grep sshd
I was seeing attempts every few seconds for some periods, mostly on non-standard ports!
So far as I knew, no one had gotten through, but why risk the worry? Instead I installed DenyHosts. DenyHosts is a Python script that watches your auth.log and, when an IP repeatedly tries and fails to connect, adds it to the /etc/hosts.deny list, effectively denying it future access.
It’s rather easy to install. There is a package in the repos, but I was unable to get this to work on my servers for some reason (it is still in testing). [EDIT, 2009-08-03: In setting up a new server running Jaunty, I installed from the repo. It worked without issue.] I instead followed this handy tutorial.
It worked flawlessly, with one exception. I had to run
    sudo touch /etc/hosts.deny
right before starting the service. Otherwise it threw an error that the file did not exist and closed. With the touch, all went fine. That fix was listed in this bug report.
In addition, while editing /usr/share/denyhosts/denyhosts.cfg according to the tutorial, I recommend you also change this line:
    BLOCK_SERVICE = sshd
to
    BLOCK_SERVICE = ALL
This sets which service each denied IP is blocked from. Instead of just blocking a potentially malicious IP from SSH access, ALL blocks it from all other services as well.
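To make concrete what DenyHosts does with auth.log and what BLOCK_SERVICE changes in the resulting /etc/hosts.deny line, here is a small added sketch in Python (not DenyHosts' own code and not from the original post). The log lines are constructed, and `threshold` and `allowed` are hypothetical parameters.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (documentation-range IPs), not real log data.
# The 10:01:12 line has a user name containing spaces and a fake "from <ip>".
SAMPLE_LOG = """\
Aug  3 10:01:02 home sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug  3 10:01:05 home sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Aug  3 10:01:09 home sshd[2105]: Invalid user test from 203.0.113.7
Aug  3 10:01:09 home sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40141 ssh2
Aug  3 10:01:12 home sshd[2107]: Failed password for invalid user a from 198.51.100.20 port 1 ssh2 from 203.0.113.7 port 40150 ssh2
Aug  3 10:02:00 home sshd[2110]: Failed password for alice from 198.51.100.20 port 51515 ssh2
Aug  3 10:02:10 home sshd[2112]: Accepted password for alice from 198.51.100.20 port 51520 ssh2
Aug  3 10:03:00 home CRON[2200]: pam_unix(cron:session): session opened for user root
Aug  3 10:04:00 home sshd[2301]: Failed password for root from 192.0.2.44 port 33000 ssh2
Aug  3 10:04:03 home sshd[2303]: Failed password for root from 192.0.2.44 port 33004 ssh2
"""

# The user name is chosen by the client, so read the address from the fixed
# tail that sshd writes ("from <ip> port <n> ssh2" at end of line). IPv4 only.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def failed_counts(log_text):
    """Count failed SSH password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line.rstrip())
        if match:
            counts[match.group(1)] += 1
    return counts

def deny_entries(log_text, threshold=3, block_service="ALL", allowed=()):
    """Build hosts.deny lines for addresses at or over the threshold.

    threshold and allowed are hypothetical parameters for this sketch;
    block_service plays the role of BLOCK_SERVICE in denyhosts.cfg.
    """
    counts = failed_counts(log_text)
    return [
        f"{block_service}: {ip}"
        for ip, n in sorted(counts.items())
        if n >= threshold and ip not in allowed
    ]

if __name__ == "__main__":
    print(dict(failed_counts(SAMPLE_LOG)))
    print("\n".join(deny_entries(SAMPLE_LOG)))
```

Note that /etc/hosts.deny is only consulted by services built with TCP wrappers support, so an `ALL:` entry covers those services rather than every listening port. Passing your own addresses in `allowed` keeps a few mistyped passwords from locking you out.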