Weblog entry #2 for MrFusion
See all weblog entries made by MrFusion.
If you run SSHD (Secure Shell Daemon) on your machine (which might be there by default and never explicity denied all outside traffic other than select IP's from gaining access, and you leave port 22 open to the world wide web, then try this command:
sudo grep sshd /var/log/auth.log(Or, if you're already root, don't bother with using sudo.)
You may be surprised to find hundreds of lines describing failed attempts from various IP's from all around the world trying to log into your machine via SSH. Some may even have tried hundreds of logins just by themselves, using a dictionary attack. Running a whois on these addresses will often trace back to China or Korea, and emailing their ISP's abuse dept. is generally useless.
Now, if you're savvy enough when setting up your system, then you will have not used obvious names (like 'Joe') unless you tied them to very long and complicated passwords. Even if your login names aren't obvious, you should still have used very long and complicated passwords. And you will have set an especially difficult and complicated password for root. So if this is the case, your system is already fairly safe from dictionary attackers. (They're generally script kiddies and will give up and move on after a while.)
So even if your system is fairly bullet-proof in the login department, it's still fairly unsettling to just let it take repeated abuse from dictionary attackers. If you don't even use SSH to sign into your computer, then kill and disable SSHD. If you only ever sign onto it from specific IP addresses, then block all SSHD traffic with the exception of those IP's in your /etc/hosts.deny file. But if you like to keep it open for friends or your own general use from a school campus (or whatever), then you want to make it available. That is where DenyHosts comes in.
DenyHosts is a highly configurable program written in Python which can either be executed manually or via Cron, or can be run 24/7 as a daemon. Basically, it checks up on your /var/log/auth.log file periodically. It recognizes fishy activity from the log, picks up on malicious IP's and then automatically adds them to the /etc/hosts.deny file. Any IP listed in there will be actively ignored by your computer from then and on.
You can download that script from the webpage (linked above) and simply run an included Python script to install it. Or, if you're cool and you use Debian (or a derivative thereof), you can simply say:
sudo apt-get install denyhosts(Drop the sudo if you're root.)
If you use the apt-get way, then it will automatically create a useful man page and will set itself up in /etc/inet.d so that you can easily start and stop the DenyHosts daemon. It also creates the config file (/etc/denyhosts.conf). In the config, you can specify all kinds of options (especially if you choose to run it in daemon mode, which I prefer). You can adjust tolerence levels (how many times someone fails to log in before it gives them the boot) and how often it checks the logfile (default 30 seconds). It can be set up to synchronize itself with the designer's central server so that you can also block out IP's that other people's computers have blocked. (I keep this disabled, which is default, since that would be a frighteningly huge hosts.deny file.)
Anyway, it works like a charm. As of writing this, my personal server has blocked 46 separate IP's in the past two weeks... very impressive. It's a bullet-proof machine as it is, but I like the satisfaction of watching it weed out all the losers who try to break in. You can check out a list of all the IP's my system has blocked using DenyHosts through the following link: http://www.tarlus.net
There are tons more features that go with DenyHosts, but I'd end up with an all-out HowTo if I type anything more about it. Heck, this is more of a HowTo than it is a blog. Oh well, I wanted to write it; I hope people will find this to be useful! At the very least, I hope more people will become aware of all the unsetting things that show up in their auth.log files!
Comments on this Entry
--
"It's Not Magic, It's Work"
Adam
[ Parent | Reply to this comment ]
Debian's kernel are distribuited with this one enabled, but many Sysadmin rebuild it's own kernel and not all wan't netfilter support on a system that'snt a firewall.
bye,
--
Marco Bertorello
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
I've been using this for a while now on my hosts, and find it very good. The only downside is that I run Sarge so I have to install from source.
Nice tool. Though the documentation was a bit hard to read - it took me far too long to work out how to add an IP address as whitelisted!
[ Parent | Reply to this comment ]
You can whitelist IP's by creating a file called 'allowed-hosts' in your WORK_DIR (/var/lib/denyhosts is default the apt installation). Just add one IP per line. Took me a while to find out how that was done. :)
If you think it would be worthwhile for the site, I'd be glad to write a more cleary-written HowTo for installing via source and how to do more tricky things like whitelisting.
-MrFusion
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
I definitely think it is useful, especially if you could make it Debian-specific.
I did have a quick look for a guide and found this one earlier.
(On my source-install I use - via cfengine.)
[ Parent | Reply to this comment ]
Thanks
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Yes via the howto I linked to above from the original .tgz file.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Yes you can configure it to:
- Reset a count after a period of hours/days.
- Also reset the count after a successful login.
- Or just white-list particular IPs.
The second means you can fail a login, login and then repeat that process lots of times and not get banned. Handy if you always mistype your password first thing in the morning like me!
[ Parent | Reply to this comment ]
I recommend that the malicious IP's be permanently banned, because I've watched a few of them attempt to log back again many days later to see if their ban was lifted. Unfortunately for them, it wasn't. :)
-MrFusion
[ Parent | Reply to this comment ]
In addition, DenyHosts has a centralized blacklist that you can submit offending IPs to and download malicious IPs from.
I've been very happy with DenyHosts for a while now.
[ Parent | Reply to this comment ]
This machines never had ANY connection on sshd using very high ports.
DenyHosts can't save you from a remote exploit, but change to a very high port, or setting your firewall to allow connections on port 22 only from a fixed list of hosts can save your day.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
I'd suggest not, if only because paranoid people wouldn't trust it anyway!
I do notice that the most recent version of DenyHosts have the option of uploading and downloading blacklists centrally already - so it people wish to get a blacklist they can do it just by using the configuration file ..
[ Parent | Reply to this comment ]