Comments on: Red Hat / Centos Install Denyhosts To Block SSH Attacks / Hacking http://www.cyberciti.biz/faq/rhel-linux-block-ssh-dictionary-brute-force-attacks/ Every answer asks a more beautiful question. Fri, 10 Feb 2012 19:55:56 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Steve Dibbhttp://www.cyberciti.biz/faq/rhel-linux-block-ssh-dictionary-brute-force-attacks/#comment-62829 Steve Dibb Mon, 26 Sep 2011 16:52:37 +0000 http://www.cyberciti.biz/faq/?p=4717#comment-62829 You can avoid that by adding your IP address to /etc/hosts.allow. ALL: 1.2.3.4 You can avoid that by adding your IP address to /etc/hosts.allow.

ALL: 1.2.3.4

]]> By: Martyhttp://www.cyberciti.biz/faq/rhel-linux-block-ssh-dictionary-brute-force-attacks/#comment-62296 Marty Fri, 09 Sep 2011 17:34:08 +0000 http://www.cyberciti.biz/faq/?p=4717#comment-62296 thanks it worked i'm a newbe so all the help i get from most of you guys is great again thanks thanks it worked i’m a newbe so all the help i get from most of you guys is great again thanks

]]> By: poly1http://www.cyberciti.biz/faq/rhel-linux-block-ssh-dictionary-brute-force-attacks/#comment-57591 poly1 Sat, 23 Apr 2011 06:45:01 +0000 http://www.cyberciti.biz/faq/?p=4717#comment-57591 Just an fyi on this, BE CAREFUL. I Installed the RPMforge release, did the tutorial, added my IP to the hosts.allow file and restarted the service. It worked fine for a few minutes, but as soon as I disconnected and reconnected to my server it blacklisted my IP. I can still connect via FTP, but not as root, and SFTP/ssh are completely blocked. it's done this several times. I did some Googling and it seems like this is happening to other people as well. It's not a big deal if you have physical access to your server, but I'm renting a VPS, so I guess this means I'm calling my host :( Just an fyi on this, BE CAREFUL. I Installed the RPMforge release, did the tutorial, added my IP to the hosts.allow file and restarted the service. It worked fine for a few minutes, but as soon as I disconnected and reconnected to my server it blacklisted my IP. I can still connect via FTP, but not as root, and SFTP/ssh are completely blocked. it’s done this several times. I did some Googling and it seems like this is happening to other people as well. It’s not a big deal if you have physical access to your server, but I’m renting a VPS, so I guess this means I’m calling my host :(

]]> By: Linux newbiehttp://www.cyberciti.biz/faq/rhel-linux-block-ssh-dictionary-brute-force-attacks/#comment-50650 Linux newbie Wed, 10 Nov 2010 11:39:37 +0000 http://www.cyberciti.biz/faq/?p=4717#comment-50650 Thanks for walk through and subsequent comments. Just made my server a little more secure :-) Thanks for walk through and subsequent comments. Just made my server a little more secure :-)

]]> By: Nick Maxwellhttp://www.cyberciti.biz/faq/rhel-linux-block-ssh-dictionary-brute-force-attacks/#comment-50104 Nick Maxwell Thu, 14 Oct 2010 14:29:28 +0000 http://www.cyberciti.biz/faq/?p=4717#comment-50104 The article at http://www.ossec.net/main/attacking-log-analysis-tools is worth following. It appears that the patch is not currently available for denyhosts to stop a DoS attack using remote log injection. The solution though is a simple fix - from the article, change the /usr/lib/python2.4/site-packages/DenyHosts/regex.py From <code>FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed because none of user's groups are listed in AllowGroups""") </code> To <code>FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed because none of user's groups are listed in AllowGroups$""")</code> The article at http://www.ossec.net/main/attacking-log-analysis-tools is worth following.

It appears that the patch is not currently available for denyhosts to stop a DoS attack using remote log injection. The solution though is a simple fix – from the article, change the /usr/lib/python2.4/site-packages/DenyHosts/regex.py

From
FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed because none of user's groups are listed in AllowGroups""")

To
FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed because none of user's groups are listed in AllowGroups$""")

]]> By: John Lindleyhttp://www.cyberciti.biz/faq/rhel-linux-block-ssh-dictionary-brute-force-attacks/#comment-49974 John Lindley Thu, 07 Oct 2010 15:03:54 +0000 http://www.cyberciti.biz/faq/?p=4717#comment-49974 The links have changed: <pre> rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.5.1-1.el5.rf.i386.rpm rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm </pre> The links have changed:

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
]]> By: jeffatrackaidhttp://www.cyberciti.biz/faq/rhel-linux-block-ssh-dictionary-brute-force-attacks/#comment-45710 jeffatrackaid Thu, 28 Jan 2010 01:15:39 +0000 http://www.cyberciti.biz/faq/?p=4717#comment-45710 DenyHosts is subject to log based attacks. See http://www.ossec.net/main/attacking-log-analysis-tools for more info. I prefer to use <a href="http://www.rackaid.com/resources/how-to-block-ssh-brute-force-attacks/" rel="nofollow">rate limiting SSH rules</a> to block SSH attacks. DenyHosts is subject to log based attacks. See http://www.ossec.net/main/attacking-log-analysis-tools for more info.

I prefer to use rate limiting SSH rules to block SSH attacks.

]]>