Tuesday, March 24, 2009

Denyhosts for Unix

I've had a Linux box sitting on the Internet for about 180 days of uptime. It only had Ubuntu Server installed, plus Tomcat and sshd.
And I never looked at the security logs...

The security log (/var/log/auth.log) was full of invalid login attempt messages!
I eventually went in to see who had been accessing the machine during that time, and found the log full of invalid login attempts over SSH: attackers were clearly trying to brute-force the box.

So I found the article "Protect your ssh-servers, ban offending hosts" about protecting against this; great thanks to the authors. Within two minutes all the offending hosts were in /etc/hosts.deny (DenyHosts picked them out of the log and banned them), and auth.log stopped growing with invalid attempts.

What I've learned from that.
The basic idea is to set up a small tool that watches the auth log, counts failed logins per source host, and automatically adds a host to the deny list once it crosses a threshold of invalid attempts, so that further connections from it are refused. DenyHosts does this by appending entries to /etc/hosts.deny, which is enforced by TCP Wrappers; that only protects services linked against libwrap, which sshd on Ubuntu is.
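As an added illustration of that idea (my own code, not the DenyHosts source and not from the linked article), here is the core of such a tool in Python: parse some constructed auth.log lines, count "Failed password" events per source address in the three buckets DenyHosts distinguishes (unknown account, real account, root), and emit hosts.deny lines for hosts that cross a threshold. Only the "Failed password" line is counted, because the separate "Invalid user ... from ..." line sshd logs just before it would otherwise double-count the same attempt. The log lines, addresses (RFC 5737 documentation ranges) and threshold values are made up for the example; DenyHosts' own defaults differ.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/auth.log format (not the author's real log);
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 24 03:12:01 box sshd[4021]: Invalid user oracle from 203.0.113.7
Mar 24 03:12:01 box sshd[4021]: Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2
Mar 24 03:12:05 box sshd[4023]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Mar 24 03:12:09 box sshd[4025]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 24 03:12:13 box sshd[4027]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar 24 03:15:44 box sshd[4102]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar 24 03:15:52 box sshd[4104]: Accepted password for alice from 198.51.100.20 port 40101 ssh2
Mar 24 03:20:00 box sshd[4200]: Failed password for invalid user admin from 192.0.2.55 port 33000 ssh2
Mar 24 03:20:03 box sshd[4202]: Failed password for invalid user guest from 192.0.2.55 port 33004 ssh2
Mar 24 03:20:07 box sshd[4204]: Failed password for invalid user www from 192.0.2.55 port 33009 ssh2
"""

# Matches the sshd "Failed password" line; the optional "invalid user " prefix
# tells us whether the account exists on the box at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Illustrative thresholds chosen for this example. DenyHosts keeps three separate
# settings (DENY_THRESHOLD_INVALID / _VALID / _ROOT); these are not its defaults.
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 1}


def classify(match):
    """Bucket one failed attempt: root, non-existent account, or real account."""
    if match.group("user") == "root":
        return "root"
    if match.group("invalid"):
        return "invalid"
    return "valid"


def count_failures(log_text):
    """Return {ip: {category: count}} built from every 'Failed password' line."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")][classify(m)] += 1
    return counts


def offending_hosts(log_text, thresholds=THRESHOLDS):
    """Hosts that crossed any threshold, mapped to the category that tripped it."""
    banned = {}
    for ip, per_category in count_failures(log_text).items():
        for category, n in per_category.items():
            if n >= thresholds[category]:
                banned[ip] = category
                break
    return banned


def hosts_deny_lines(banned, service="sshd"):
    """Render TCP Wrappers entries in the 'sshd: 203.0.113.7' form DenyHosts appends to /etc/hosts.deny."""
    return [f"{service}: {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    bad = offending_hosts(SAMPLE_AUTH_LOG)
    for ip, why in sorted(bad.items()):
        print(f"{ip:15} banned (threshold for '{why}' attempts crossed)")
    print("\n".join(hosts_deny_lines(bad)))
```

On the sample above, 203.0.113.7 is banned on its first root attempt, 192.0.2.55 is banned after three attempts against non-existent accounts, and 198.51.100.20 (one typo by a real user, then a successful login) is left alone. A real tool also has to tail the log continuously, persist its counters across runs, and append to /etc/hosts.deny atomically so sshd never reads a half-written file.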

And never, never allow direct root login over SSH. Ubuntu goes a step further than most distributions: the root account is locked (no password is set), so an interactive password login as root is not possible and you use sudo instead. Nevertheless, close this down explicitly with PermitRootLogin no in /etc/ssh/sshd_config, because a locked password does not stop a key-based root login if someone ever drops a key into /root/.ssh/authorized_keys.
