Comments on: Debian Linux Stop SSH User Hacking / Cracking Attacks with DenyHosts Software

By: Sam Tuke

Sam Tuke — Fri, 27 May 2011 14:17:10 +0000

For the rest of us whose ISPs allocate dynamic IP ranges, to ensure that you yourself never get blocked by denyhosts define IP ranges in hosts.allow like this:

sshd: 80.0.0.0/83.0.0.0

Also remember that if you use key authentication to login rather than passwords then you are unlikely to ever supply incorrect details, and therefore should not be at risk of ever blocking yourself, even if you don’t specify your IP in hosts.allow.

By: Tapas Mishra

Tapas Mishra — Thu, 21 Oct 2010 15:06:09 +0000

Well the above command
tcpdchk -v gives me an error

Cannot find your inetd.conf or tlid.conf file.
Please specify its location.

By: rohit

rohit — Thu, 12 Aug 2010 03:00:47 +0000

sorry,
but i can’t get that.

By: Al B..

Al B.. — Wed, 27 Jan 2010 14:48:32 +0000

I did the same thing as Mehdi using a cron.hourly\perl script…. then I used UFW to deny the host IP. I wish I knew about this article earlier….

By: Mehdi

Mehdi — Tue, 28 Jul 2009 10:54:07 +0000

Thanks a lot for the info.
You’d be surprised if you looked at /var/log/auth.log file as I was.

I found a little widget that you can run to grep the IP addresses of intruders;
grep ‘from’ /var/log/auth.log|cut -d ‘ ‘ –field=13|uniq -c|sort -nr > ct-result.txt

Here I put the result from column 13th into a text file called ct-result.txt
you can see most of the IP addresses which were trying to break in.
sometimes it is the 14th column so I have not found a perfect way to grab all the IP addresses yet, if anyone has a better idea please post.

In any case I also get the result and put them in my hosts.deny file under /etc/
(again I have problem as to How to input these IP addresses in hosts.deny file, some say you have to put a slash at the end of the IP addresses? Not sure?)
like;
64.70.12.230\
or
210.51.51.*\
(these are actual chinese addresses trying to hack my system lol) :D
Many Thanks for the info.
I am going to test denyhost program on my workstation now.

By: budacsik

budacsik — Sun, 21 Sep 2008 11:31:32 +0000

sshdfilter also good :)
It use iptables.

By: LQman

LQman — Sat, 19 Apr 2008 22:08:26 +0000

@kunal

You may need to install fail2ban package.
It’s so simple script that work like your description above.

By: NoPremium.org

NoPremium.org — Sun, 13 Apr 2008 17:43:39 +0000

thanks a lot

By: kunal

kunal — Wed, 13 Feb 2008 06:10:42 +0000

Locking out IP’s after multiple failed sshd login attempts

The following two rules will limit incoming connections to port 22 to no more than 3 attempts in a minute – an more than that will be dropped:

iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –set
iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –update –seconds 60 –hitcount 4 -j DROP