Defending Against SSH Attacks
December 30th, 2008 Category: Linux Server
As soon as you put a server online you will notice many, many attempts to access the SSH port, like these:
Dec 28 06:48:11 hostname sshd[12258]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somewhere
Dec 28 06:48:12 hostname sshd[12256]: error: PAM: User not known to the underlying authentication module for illegal user saman from somehost.somewhere
Dec 28 06:48:13 hostname sshd[12256]: Failed keyboard-interactive/pam for invalid user saman from xx.xxx.xx.xxx port 27751 ssh2
Annoying script kids… An easy way to protect at least a little bit against such attacks is a tool called denyhosts. I use it on all my servers because it’s easy to install. denyhosts automatically blocks SSH attacks by adding entries to /etc/hosts.deny.
On Debian Etch, installation is really simple:
apt-get install denyhosts
Next edit /etc/denyhosts.conf and change:
PURGE_DENY = 1w
PURGE_THRESHOLD = 0
and start the daemon:
/etc/init.d/denyhosts start
That’s all. Sure, it’s not a perfect solution that helps against everything, but it will nevertheless increase your security.
All you have to do now is wait and check /etc/hosts.deny. Depending on your configuration, denyhosts will automatically delete expired entries.
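How this kind of blocking works, as an added example that is not part of the original post and not denyhosts' own code: the Python below counts failed logins per source in sshd log lines like the ones quoted above and formats every source that reaches a threshold as an /etc/hosts.deny rule. The threshold, the allow list, the function names and the sample log (documentation addresses) are assumptions made for the example.

```python
import re
from collections import Counter

# sshd failure line, anchored at the end of the line so that text inside the
# user name field cannot be mistaken for the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:(?:invalid|illegal) user )?"
    r"(?P<user>.*) from (?P<host>\S+) port \d+(?: ssh2)?\s*$"
)

def failed_logins(lines):
    """Yield (host, user) for every failed SSH login found in the log lines."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            yield m.group("host"), m.group("user")

def hosts_to_deny(lines, threshold=3, allow=()):
    """Return sources with at least `threshold` failures (hypothetical default),
    skipping any source on the allow list."""
    counts = Counter(host for host, _ in failed_logins(lines))
    return sorted(h for h, n in counts.items() if n >= threshold and h not in allow)

def deny_entries(hosts, service="sshd"):
    """Format hosts as TCP wrappers rules (daemon: client) for /etc/hosts.deny."""
    return [f"{service}: {h}" for h in hosts]

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 28 06:48:13 hostname sshd[12256]: Failed keyboard-interactive/pam for invalid user saman from 192.0.2.10 port 27751 ssh2
Dec 28 06:48:15 hostname sshd[12260]: Failed keyboard-interactive/pam for invalid user admin from 192.0.2.10 port 27760 ssh2
Dec 28 06:48:18 hostname sshd[12264]: Failed password for root from 192.0.2.10 port 27771 ssh2
Dec 28 07:02:40 hostname sshd[12301]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Dec 28 07:02:55 hostname sshd[12301]: Accepted password for alice from 198.51.100.7 port 40112 ssh2
Dec 28 07:10:01 hostname sshd[12350]: Failed password for invalid user test from 203.0.113.5 port 51000 ssh2
""".splitlines()

if __name__ == "__main__":
    # Only 192.0.2.10 reaches three failures in the sample.
    for entry in deny_entries(hosts_to_deny(SAMPLE_LOG, threshold=3)):
        print(entry)
```

A single mistyped password from a legitimate user (198.51.100.7 in the sample) stays below the threshold, and putting your own management address on the allow list keeps you from locking yourself out.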












