I've noticed lots of failed login attempt for my Debian Linux VPS root server account. How do I stop automated bot based SSH attacks on my server?
You can use DenyHosts - a Python based script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It is an utility to help sys admins thwart ssh crackers. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. It will automatically blocks ssh attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
Step # 1: Make Sure Python is installed
First, make sure python is installed under Debian / Ubuntu Linux:
# dpkg --list | grep python2
Find out version (DenyHosts requires 2.3 or above version)
$ python -V
Output:
Python 2.5.1
Step # 2: Download DenyHosts
Visit official project home page to grab latest source code or packages. Use apt-get command under Debian / Ubuntu Linux, enter
$ sudo apt-get install denyhosts
DenyHosts configuration - /etc/denyhosts.conf
- The default configuration file is /etc/denyhosts.conf.
- You also need to create / update a whitelist in /etc/hosts.allow. For example, if you have static IP assigned by ISP, enter in this file. You can add all the important hosts that you never want blocked.
Step # 1: Setup a whitelist
Open /etc/hosts.allow:
# vi /etc/hosts.allow
Allow sshd from 202.54.1.2 i.e. you never want to block yourself
sshd: 202.54.1.2
Save and close the file. Verify and examines your tcp wrapper configuration file and reports all potential and real problems:
# tcpdchk -v
Step # 1: Configure DenyHosts
Open default configuration file - /etc/denyhosts.conf, enter:
# vi /etc/denyhosts.conf
Setup your email ID so you would receive emails regarding newly restricted hosts and suspicious logins, set this address to match your email address.
ADMIN_EMAIL = vivek@nixcraft.com
Save and close the file. Here is my own sample configuration file for Debian Linux 4.0 server (config file is documented very well, just open and read it):
############ THESE SETTINGS ARE REQUIRED ############ SECURE_LOG = /var/log/auth.log HOSTS_DENY = /etc/hosts.deny PURGE_DENY = BLOCK_SERVICE = sshd DENY_THRESHOLD_INVALID = 5 DENY_THRESHOLD_VALID = 10 DENY_THRESHOLD_ROOT = 1 DENY_THRESHOLD_RESTRICTED = 1 WORK_DIR = /var/lib/denyhosts SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES HOSTNAME_LOOKUP=YES LOCK_FILE = /var/run/denyhosts.pid ############ THESE SETTINGS ARE OPTIONAL ############ ADMIN_EMAIL = vivek@nixcraft.com SMTP_HOST = localhost SMTP_PORT = 25 SMTP_FROM = DenyHosts <webmaster@cyberciti.biz> SMTP_SUBJECT = DenyHosts Report AGE_RESET_VALID=5d AGE_RESET_ROOT=25d AGE_RESET_RESTRICTED=25d AGE_RESET_INVALID=10d ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ########## DAEMON_LOG = /var/log/denyhosts DAEMON_SLEEP = 30s DAEMON_PURGE = 1h
Restart the daemon:
# /etc/init.d/denyhosts restart
See Also:
Further readings:
- Red Hat / Centos Install Denyhosts To Block SSH Attacks / Hacking
- Top 20 OpenSSH Server Best Security Practices
- denyhosts project
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- My 10 UNIX Command Line Mistakes
- The Novice Guide To Buying A Linux Laptop
- 10 Tools To Add Some Spice To Your UNIX Shell Scripts
- Email FAQ to a friend
- Download PDF version
- Printable version
- Comment RSS feed
- Last Updated: 08/17/09
Sign up for our daily email newsletter:
{ 7 comments… read them below or add one }
Locking out IP’s after multiple failed sshd login attempts
The following two rules will limit incoming connections to port 22 to no more than 3 attempts in a minute – an more than that will be dropped:
iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –set
iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –update –seconds 60 –hitcount 4 -j DROP
thanks a lot
@kunal
You may need to install fail2ban package.
It’s so simple script that work like your description above.
sshdfilter also good :)
It use iptables.
Thanks a lot for the info.
You’d be surprised if you looked at /var/log/auth.log file as I was.
I found a little widget that you can run to grep the IP addresses of intruders;
grep ‘from’ /var/log/auth.log|cut -d ‘ ‘ –field=13|uniq -c|sort -nr > ct-result.txt
Here I put the result from column 13th into a text file called ct-result.txt
you can see most of the IP addresses which were trying to break in.
sometimes it is the 14th column so I have not found a perfect way to grab all the IP addresses yet, if anyone has a better idea please post.
In any case I also get the result and put them in my hosts.deny file under /etc/
(again I have problem as to How to input these IP addresses in hosts.deny file, some say you have to put a slash at the end of the IP addresses? Not sure?)
like;
64.70.12.230\
or
210.51.51.*\
(these are actual chinese addresses trying to hack my system lol) :D
Many Thanks for the info.
I am going to test denyhost program on my workstation now.
I did the same thing as Mehdi using a cron.hourly\perl script…. then I used UFW to deny the host IP. I wish I knew about this article earlier….
sorry,
but i can’t get that.