If you are like me you may be running a few Linux servers that are exposed to the Internet. To manage them you have probably enabled ssh login and opened up your firewall for such traffic. Maybe you have been thinking of the risk of being attacked and perhaps you have glanced at /var/log/auth.log. Chances are that you then realised that the Internet is not the friendly place it used to be.
Now, the risk of this may be minor. Naturally you are using complex passwords (who are not?) and of course you have disabled any logins by the root account. Naturally, you use certificates instead of passwords when logging in remotely. And while on the subject – may I add a feature request for openssh to restrict remote login using password on the basis of IP range?
So, I had done all that and still felt a little uneasy. Then I found the project Denyhosts. It is a Python based tool written by Phil Schwartz that tails the auth.log file, acting on multiple incorrect logins from the same host. Suspicious hosts are added to /etc/deny.hosts so that they can’t even connect to the ssh server.
I have been running the script on two computers for a couple of weeks. On average, one or two attackers are caught each day. Currently I am running both systems stand-alone but shortly I may join up with the large number of sites that aggregate attacker information to foil them before they even start attacking my machines.
Denyhosts is not new. In fact, the latest release is almost two years old. But it is small, can be configured in a jiffy and gets the job done. To install on a Ubuntu box, just type “sudo apt-get install denyhosts”.
Good job, Phil!