Defending Against SSH Attacks

December 30th, 2008 Category: Linux Server

As soon as you put a server online you will notice many, many attempts to access the SSH port, like these:
Dec 28 06:48:11 hostname sshd[12258]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somewhere
Dec 28 06:48:12 hostname sshd[12256]: error: PAM: User not known to the underlying authentication module for illegal user saman from somehost.somewhere
Dec 28 06:48:13 hostname sshd[12256]: Failed keyboard-interactive/pam for invalid user saman from xx.xxx.xx.xxx port 27751 ssh2

Annoying script kiddies… An easy way to protect at least a little against such attacks is a tool called denyhosts. I use it on all my servers because it’s easy to install. denyhosts watches the authentication log and automatically blocks hosts with repeated SSH failures by adding entries to /etc/hosts.deny.

On Debian Etch the installation is really simple:

apt-get install denyhosts

Next edit /etc/denyhosts.conf and change:

PURGE_DENY = 1w
PURGE_THRESHOLD = 0

and start the daemon:

/etc/init.d/denyhosts start

That’s all. Sure, it’s not a perfect solution that protects against everything, but nevertheless it will increase your security.

All you have to do now is wait and check /etc/hosts.deny. Depending on your configuration, denyhosts will automatically delete expired entries.
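To make the mechanism concrete, here is an added example (my own code, not part of denyhosts or this post) that does in miniature what the daemon does: it recognises the three failure formats quoted above, counts them per remote host, emits hosts.deny lines for hosts over a threshold, and expires entries after the PURGE_DENY interval, with the "1w" shorthand parsed the way denyhosts.conf writes it. The log lines and addresses are constructed samples; the threshold of 3 is an assumption for illustration.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the sshd/PAM lines quoted in the post
# (hosts are documentation-range addresses, not real attackers).
SAMPLE_LOG = """\
Dec 28 06:48:11 hostname sshd[12258]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Dec 28 06:48:12 hostname sshd[12256]: error: PAM: User not known to the underlying authentication module for illegal user saman from 203.0.113.7
Dec 28 06:48:13 hostname sshd[12256]: Failed keyboard-interactive/pam for invalid user saman from 203.0.113.7 port 27751 ssh2
Dec 28 06:49:02 hostname sshd[12260]: Failed keyboard-interactive/pam for invalid user oracle from 198.51.100.9 port 40211 ssh2
Dec 28 06:49:10 hostname sshd[12263]: Accepted publickey for admin from 192.0.2.44 port 51022 ssh2
"""

# One regex per failure format shown in the post; successful logins match none.
FAILURE_PATTERNS = [
    re.compile(r"authentication failure;.*rhost=(?P<host>\S+)"),
    re.compile(r"illegal user \S+ from (?P<host>\S+)"),
    re.compile(r"Failed \S+ for invalid user \S+ from (?P<host>\S+) port"),
]

def count_failures(log_text):
    """Count failure messages per remote host. A single login attempt can
    emit several of these lines, so the threshold below is per message."""
    failures = Counter()
    for line in log_text.splitlines():
        for pattern in FAILURE_PATTERNS:
            m = pattern.search(line)
            if m:
                failures[m.group("host")] += 1
                break  # one log line counts once
    return failures

def deny_entries(failures, threshold=3):
    """hosts.deny lines ('daemon: client' syntax) for hosts at or above threshold."""
    return ["sshd: %s" % h for h, n in sorted(failures.items()) if n >= threshold]

PURGE_UNITS = {"m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 365 * 86400}

def parse_purge_deny(value):
    """Turn a denyhosts.conf PURGE_DENY value such as '1w' into seconds."""
    m = re.fullmatch(r"(\d+)([mhdwy])", value.strip())
    if not m:
        raise ValueError("bad PURGE_DENY value: %r" % value)
    return int(m.group(1)) * PURGE_UNITS[m.group(2)]

def purge_expired(denied, now, purge_deny):
    """Drop entries added more than purge_deny seconds ago; `denied` maps a
    hosts.deny line to the epoch time it was added (PURGE_THRESHOLD omitted)."""
    return {e: t for e, t in denied.items() if now - t < purge_deny}
```

With the sample log only 203.0.113.7 crosses the threshold, so deny_entries yields the single line sshd: 203.0.113.7, which is exactly what you would later find in /etc/hosts.deny.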