DenyHosts Does Its Job Quietly, Effectively
I was thinking the other day about software that I use every day but that is so unobtrusive I forget I'm using it. Besides the firmware embedded in consumer devices, one of the first packages that came to mind was DenyHosts. DenyHosts is a Python script that watches for, and then blocks, brute-force SSH login attempts on Linux. If you've ever put a server on the internet that allows SSH logins, you will have seen hundreds, even thousands, of login attempts per day. The script kiddies are still alive and well and polluting networks with their brute-force logins; they must succeed just often enough never to give up. DenyHosts can put an end to that on anything you have to manage.
The only prerequisite is Python (2.5.1 works fine). Download the package from http://denyhosts.sourceforge.net and follow the well written installation instructions; within 15 minutes you can have it running and protecting your box.

DenyHosts tails your server's authentication log (/var/log/secure on Red Hat style systems, /var/log/auth.log on Debian style ones) and parses out sshd's failed login attempts. After a configurable number of failures from one address, it adds that address to /etc/hosts.deny. That file is read by TCP Wrappers (libwrap), not by the TCP stack itself, so only services linked against libwrap or started through tcpd honor it. sshd on most Linux distributions does, which is all DenyHosts needs, but an entry there will not keep the same address away from a service that does not consult TCP Wrappers. Two practical notes follow from this. First, confirm that your sshd really uses libwrap (ldd /usr/sbin/sshd | grep libwrap). Second, put the addresses you administer from in /etc/hosts.allow, or in DenyHosts' own allowed-hosts list: hosts.allow is consulted first and wins, and an automated blocker that acts on parsed log text can otherwise lock you out of your own machine. You can set the interval at which it processes the log; in practice I've never seen the DenyHosts process take many cycles, so I have mine set to look frequently.

The most powerful feature of DenyHosts is the ability to automatically share attack data with the community and to download the list of addresses aggregated from everyone's reports. You set an update interval for pulling the new list. I have mine set at 30 minutes, and nearly always it pulls 10 to 15 new addresses each time. The addresses age out after a while; like everything else in DenyHosts, the age is configurable. Uploading is separate from downloading: if your system is attacked by an address that is not already in your deny list, you can optionally configure DenyHosts to report it to the central server. So it is possible to pull the shared list without contributing anything back, but there's not much reason not to share your data too. It's rare, but it does happen that servers I have installed DenyHosts on will push a new denied IP upstream. Remember that a downloaded list is third-party data written straight into hosts.deny, which is one more reason to keep your own management addresses in hosts.allow.

DenyHosts is simple to install, configurable almost to a fault, and extremely effective at cutting out brute-force login attempts. Give it a try next time you put up a new box, or right now if you don't have anything in place on your servers to stop brute-force logins.
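To make the mechanics concrete, here is a small Python 3 re-implementation of the DenyHosts idea, written for this post rather than taken from the DenyHosts code: it parses sshd failures out of auth-log text, counts them per source address, denies an address once a threshold is reached, skips an allow-list, ages old entries out, and renders /etc/hosts.deny lines. The sample log lines are constructed, the thresholds and purge age are values I chose for the example, the three-way split between root, existing users and nonexistent users is my modelling of "a configurable number of failed attempts", and the 192.0.2.10 admin host is an assumption. The last sample line has a username crafted to look like a log fragment naming the admin host, to show why the source address must be read from the end of the line rather than from the first "from" that appears.

```python
"""Added example for this post, not DenyHosts' own code: the core of the
DenyHosts approach in Python 3 (parse, count, threshold, allow-list, age
out, render hosts.deny)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Thresholds chosen for this example (DenyHosts keeps its own in denyhosts.cfg).
THRESHOLDS = {"root": 1, "valid": 10, "invalid": 5}

# Addresses you administer from; never deny these (assumed value).
ADMIN_HOSTS = frozenset({"192.0.2.10"})

# The source address is the "from <ip> port N ssh2" fragment that ENDS the
# line.  The username is attacker-controlled text, so a pattern that took the
# first "from <ip>" could be fooled into denying an address the attacker typed
# as a username; anchoring on $ makes the lazy user group absorb any decoy.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none) for "
    r"(?P<invalid>invalid user )?(?P<user>.+?) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log in /var/log/secure style.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:03 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:07 host sshd[1004]: Failed password for invalid user guest from 203.0.113.5 port 40004 ssh2
Mar  1 10:00:09 host sshd[1005]: Failed password for root from 198.51.100.9 port 51000 ssh2
Mar  1 10:00:11 host sshd[1006]: Failed password for bob from 192.0.2.77 port 33000 ssh2
Mar  1 10:00:13 host sshd[1007]: Failed password for bob from 192.0.2.77 port 33001 ssh2
Mar  1 10:00:15 host sshd[1008]: Accepted publickey for ops from 192.0.2.10 port 22000 ssh2
Mar  1 10:00:17 host sshd[1009]: Failed password for ops from 192.0.2.10 port 22001 ssh2
Mar  1 10:00:19 host sshd[1010]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.5 port 40005 ssh2
"""


def parse_failures(log_text):
    """Yield (ip, category) per failed sshd login; category is 'root',
    'valid' (existing user) or 'invalid' (nonexistent user)."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m is None:
            continue
        if m.group("invalid"):
            category = "invalid"
        elif m.group("user") == "root":
            category = "root"
        else:
            category = "valid"
        yield m.group("ip"), category


def offenders(log_text, thresholds=THRESHOLDS, allowed=ADMIN_HOSTS):
    """Return {ip: category} for every address whose failure count in some
    category reached that category's threshold, skipping allow-listed hosts."""
    counts = Counter(parse_failures(log_text))
    hits = {}
    for (ip, category), n in counts.items():
        if ip not in allowed and n >= thresholds[category]:
            hits[ip] = category
    return hits


def update_deny_list(denied, new_ips, now, purge_after):
    """Age out entries older than purge_after, then record new_ips with the
    time they were added.  `denied` (ip -> datetime) is updated in place;
    the set of purged addresses is returned."""
    purged = {ip for ip, added in denied.items() if now - added > purge_after}
    for ip in purged:
        del denied[ip]
    for ip in new_ips:
        denied.setdefault(ip, now)
    return purged


def render_hosts_deny(denied, service="sshd"):
    """/etc/hosts.deny lines.  Only daemons that consult TCP Wrappers
    (libwrap) obey them; service='ALL' covers every such daemon."""
    return [f"{service}: {ip}" for ip in sorted(denied)]


def demo():
    """One processing pass over the sample log with a stale entry present.
    Returns (hosts.deny lines, purged addresses)."""
    now = datetime(2024, 3, 1, 10, 5)
    denied = {"192.0.2.200": now - timedelta(days=30)}   # stale, will age out
    purged = update_deny_list(denied, offenders(SAMPLE_LOG), now,
                              timedelta(weeks=2))
    return render_hosts_deny(denied), purged


if __name__ == "__main__":
    lines, purged = demo()
    print("\n".join(lines))
    print("purged:", sorted(purged))
```

Run stand-alone it prints the two hosts.deny lines for 203.0.113.5 (five nonexistent-user failures, the decoy line correctly attributed to it) and 198.51.100.9 (one root failure), and reports the stale 192.0.2.200 entry as purged; 192.0.2.77 stays below the existing-user threshold and 192.0.2.10 is never denied because it is allow-listed. The real DenyHosts does the same work against the live log and its own config, but these are the three points worth checking in any log-driven blocker: where the address is taken from, who can never be blocked, and when entries expire.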



