Ok, so someone out there is trying to connect to your machine through SSH (brute forcing common login names like "john", "owen", "claire", etc.). Not sure people are trying to get into your machine? Why don't you check?
echo `cat /var/log/auth.log|grep sshd|grep "Invalid user"|wc -l` invalid SSH login attempts
Your password is secure right? They don't guess your username, right? Well, it doesn't hurt to block them anyway, and now it's easy thanks to denyhosts.py!
Here's a quick overview of how to get to my setup:
- Download denyhosts-0.6.0.tar.gz from http://sourceforge.net/project/showf...roup_id=131204
- Extract downloaded file using file-roller or tar -xzvf denyhosts-0.6.0.tar.gz
- Copy denyhosts.py to /usr/bin:
sudo cp denyhosts.py /usr/bin
sudo chmod 755 /usr/bin/denyhosts.py
- denyhosts.cfg-dist is the default config; you can use mine below for some decent default options. Put this in /etc/denyhosts.cfg:
Code:
# SECURE_LOG: the log file that contains sshd logging info
SECURE_LOG = /var/log/auth.log

# HOSTS_DENY: the file which contains restricted host access information
HOSTS_DENY = /etc/hosts.deny

# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
# man 5 host_access for details
# BLOCK_SERVICE = ALL
# To block only sshd:
#BLOCK_SERVICE = sshd

# DENY_THRESHOLD: block each host after the number of failed login
# attempts has exceeded this value.
DENY_THRESHOLD = 5

# WORK_DIR: the path that DenyHosts will use for writing data to
# (it will be created if it does not already exist).
WORK_DIR = denyhosts

# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
# If set to YES, if a suspicious login attempt results from an allowed-host
# then it is considered suspicious. If this is NO, then suspicious logins
# from allowed-hosts will not be reported. All suspicious logins from
# ip addresses that are not in allowed-hosts will always be reported.
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=NO

# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
HOSTNAME_LOOKUP=YES

# ADMIN_EMAIL: if you would like to receive emails regarding newly
# restricted hosts and suspicious logins, set this address to
# match your email address. If you do not want to receive these reports
# leave this field blank (or run with the --noemail option)
ADMIN_EMAIL = root
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts@localhost.localdomain
SMTP_SUBJECT = DenyHosts Report
- Let's test it:
sudo denyhosts.py -c /etc/denyhosts.cfg
- Now we add it to root's crontab to run periodically:
export EDITOR=nano (Optional, some systems open vi, pico's a little simpler)
sudo crontab -e
Code:
0,20,40 * * * * /usr/bin/denyhosts.py -c /etc/denyhosts.cfg
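To show what the invalid-login count above and the DENY_THRESHOLD / BLOCK_SERVICE settings actually do, here is a small added example (my own illustration, not code from denyhosts.py) that parses a constructed auth.log excerpt, counts sshd failures per source address, and emits the hosts.deny entries for any address that exceeds the threshold. The log lines, addresses and user names are made up for the demo.

```python
import re
from collections import Counter

# Mirrors DENY_THRESHOLD = 5 from the config above.
DENY_THRESHOLD = 5
# Mirrors the BLOCK_SERVICE setting: "ALL" or "sshd" (using sshd here).
BLOCK_SERVICE = "sshd"

# Matches the two sshd failure messages seen in auth.log and captures the source IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user \S+|Failed password for (?:invalid user )?\S+)"
    r" from (\d+\.\d+\.\d+\.\d+)"
)


def count_failures(lines):
    """Return a Counter of failed-login lines per source IP (one count per matching line)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def hosts_to_deny(counts, threshold=DENY_THRESHOLD, already_denied=()):
    """IPs whose failure count has exceeded the threshold and are not already in hosts.deny."""
    return sorted(ip for ip, n in counts.items() if n > threshold and ip not in already_denied)


def hosts_deny_lines(ips, service=BLOCK_SERVICE):
    """Format entries in hosts.deny syntax (man 5 hosts_access): 'daemon_list : client_list'."""
    return [f"{service}: {ip}" for ip in ips]


# Constructed sample auth.log excerpt (not real traffic): 6 failures from 192.0.2.10,
# 2 from 198.51.100.7, plus an accepted login that must not be counted.
SAMPLE_LOG = """\
Jan 12 03:14:15 host sshd[1234]: Invalid user john from 192.0.2.10
Jan 12 03:14:17 host sshd[1234]: Failed password for invalid user john from 192.0.2.10 port 4512 ssh2
Jan 12 03:14:20 host sshd[1240]: Invalid user owen from 192.0.2.10
Jan 12 03:14:22 host sshd[1240]: Failed password for invalid user owen from 192.0.2.10 port 4520 ssh2
Jan 12 03:14:25 host sshd[1247]: Invalid user claire from 192.0.2.10
Jan 12 03:14:27 host sshd[1247]: Failed password for invalid user claire from 192.0.2.10 port 4531 ssh2
Jan 12 03:15:01 host sshd[1260]: Invalid user admin from 198.51.100.7
Jan 12 03:15:03 host sshd[1260]: Failed password for invalid user admin from 198.51.100.7 port 60012 ssh2
Jan 12 03:16:40 host sshd[1302]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
"""

if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG.splitlines())
    print(sum(failures.values()), "failed SSH login attempts")
    for entry in hosts_deny_lines(hosts_to_deny(failures)):
        print("would append to /etc/hosts.deny:", entry)
```

Only 192.0.2.10 crosses the threshold (6 > 5); 198.51.100.7 stays under it, which is why a handful of your own typos will not lock you out but a sustained run will.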
This howto was inspired by http://rootprompt.org/article.php3?article=8735
Be forewarned: if you mistype your password too many times, you could lock one of your own computers out.
It wouldn't hurt to look over the FAQ for denyhosts.py either: http://denyhosts.sourceforge.net/faq.html