Distributed brute force ssh attacks [LWN.net]

Distributed brute force ssh attacks

Posted Nov 17, 2009 8:34 UTC (Tue) by Brenner (subscriber, #28232)
In reply to: Distributed brute force ssh attacks by cortana
Parent article: Distributed brute force ssh attacks

> You have to have a process continuing to run in the background; if it somehow crashes then you lose the protection.

With DenyHosts, you do not have to have a daemon running. You do not even have to use or change iptables rules. You can do all you want with tcpwrappers using the relatively unknown spawn feature.

If ssh comes from an authorized IP (listed in /etc/hosts.allow): allow sshd to ask password.
If ssh comes from a banned IP (listed in eg /etc/hosts.blocked): close connection right away.
If ssh comes from another IP, spawn a denyhost process (just for this connection) that will update the list of banned IPs. Then allow sshd to ask password

It boils down to
1) adding known good IPs to /etc/hosts.allow (to avoid being locked out):
sshd:some.good.ip.address
2) adding these two lines to /ets/hosts.deny (with denyhosts configured to update the file /etc/hosts.blocked)
sshd:/etc/hosts.blocked
sshd:ALL:spawn /usr/bin/denyhosts.py --purge -c /etc/denyhosts.cfg: allow

This works very well and looks pretty clean to me.

Reference:
http://pubnotes.wordpress.com/2007/10/14/securing-ssh-wit...
after the paragraph starting with "Eventually, I found a hack to realize it. It is quit simple."

Best Regards,
Antoine

(Log in to post comments)