If you have a Linux server whose SSH port is exposed to the Internet, you will see dictionary-based and brute-force login attacks against it, and possibly denial-of-service attempts as well.
In that case you can create a public/private SSH key pair by following this old blog article.
Without the matching private key nobody can log in over SSH (and it is always a good idea to disable SSH root login and log in as a different, unprivileged user instead).
Alternatively, you can use the tool below, which helps you notice and react to dictionary-based and brute-force attacks.
The main idea is that the script automatically builds a blacklist of attacking IP addresses and blocks them, so they cannot continue the brute-force attack. Note that the block is applied through /etc/hosts.deny, so it only works if your sshd honours TCP wrappers (libwrap); OpenSSH dropped built-in tcp_wrappers support in 6.7, so on a newer system check that your sshd still reads /etc/hosts.deny or block the hosts with a firewall rule instead.
Here are more details:
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary-based attacks and brute-force attacks).
If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?
- Parses /var/log/secure to find all login attempts and filters failed and successful attempts.
- Synchronization mode (new in 2.0) allows DenyHosts daemons the ability to share data via a centralized server to proactively thwart attacks.
- Can be run from the command line, cron or as a daemon (new in 0.9).
- Records all failed login attempts for the user and offending host.
- For each host that exceeds a threshold count, records the evil host.
- Keeps track of each non-existent user (eg. sdadasd) when a login attempt failed.
- Keeps track of each existing user (eg. root) when a login attempt failed.
- Keeps track of each offending host (with 0.8+ these hosts can be purged if the associated entry in /etc/hosts.deny is expired).
- Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures).
- Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously (until it is rotated).
- When the log file is rotated, the script will detect it and parse from the beginning.
- Appends /etc/hosts.deny and adds the newly banned hosts.
- Optionally sends an email of newly banned hosts and suspicious logins.
- Keeps a history of all user, host, user/host combo and suspicious logins encountered, which includes the date and number of corresponding failed login attempts.
- Maintains failed valid and invalid user login attempts in separate files, such that it is easy to see which valid user is under attack (which would give you the opportunity to remove the account, change the password or change its default shell to something like /sbin/nologin).
- Upon each run, the script will load the previously saved data and re-use it to append new failures.
- Resolves IP addresses to hostnames, if available (new in v0.6.0).
- /etc/hosts.deny entries can be expired (purged) at a user specified time (new in 0.8).
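To make the blacklist idea and the feature list above concrete, here is an added example (my own code, not DenyHosts' source) that runs the same classification over a handful of constructed sshd log lines: it counts failures per host and per user, keeps valid and invalid user names apart, bans hosts that cross a threshold, flags a successful login from a host that had already failed, renders hosts.deny entries with a ban time so they can be purged later, and does the file-offset/rotation bookkeeping. The "# banned <time>" comment on each hosts.deny line and the threshold value are this example's own assumptions, not DenyHosts' exact file format or defaults.

```python
"""DenyHosts-style analysis of sshd auth log lines (added example, not DenyHosts' code)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the format sshd writes to /var/log/secure or /var/log/auth.log.
SAMPLE_LOG = """\
Mar  1 10:00:01 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:03 srv sshd[1002]: Failed password for invalid user sdadasd from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:05 srv sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:07 srv sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  1 10:00:11 srv sshd[1005]: Accepted password for root from 203.0.113.5 port 40006 ssh2
Mar  1 10:01:00 srv sshd[1006]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Mar  1 10:02:00 srv sshd[1007]: Accepted publickey for bob from 192.0.2.9 port 60001 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<host>\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port")


def parse_events(text):
    """Return (kind, user, host, is_invalid_user) tuples for failed/accepted sshd logins."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(("failed", m["user"], m["host"], m["invalid"] is not None))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(("accepted", m["user"], m["host"], False))
    return events


def analyse(events, threshold):
    """Count failures per host, per user and per user/host combo; ban hosts at or above
    threshold; flag a success from a host that already had failures as suspicious."""
    failed_by_host, invalid_users, valid_users, user_host = Counter(), Counter(), Counter(), Counter()
    suspicious = []
    for kind, user, host, is_invalid in events:
        if kind == "failed":
            failed_by_host[host] += 1
            user_host[(user, host)] += 1
            (invalid_users if is_invalid else valid_users)[user] += 1
        elif failed_by_host[host] > 0:  # accepted login after failures from the same host
            suspicious.append((user, host, failed_by_host[host]))
    return {
        "failed_by_host": dict(failed_by_host),
        "invalid_users": dict(invalid_users),   # kept apart from real accounts so you can
        "valid_users": dict(valid_users),       # see which existing user is under attack
        "user_host": dict(user_host),
        "banned": sorted(h for h, n in failed_by_host.items() if n >= threshold),
        "suspicious": suspicious,
    }


def hosts_deny_entries(banned, now):
    """Lines to append to /etc/hosts.deny. The '# banned <time>' comment is this example's
    own convention (assumption), used by purge() to find expired entries."""
    return ["sshd: %s # banned %s" % (h, now.isoformat()) for h in banned]


def purge(entries, now, max_age):
    """Keep only entries whose ban is younger than max_age (the expire/purge feature)."""
    return [e for e in entries
            if now - datetime.fromisoformat(e.rsplit("# banned ", 1)[1]) < max_age]


def next_offset(saved_offset, current_size):
    """Resume from the saved offset, unless the file shrank (log rotated): then restart at 0."""
    return 0 if current_size < saved_offset else saved_offset


def demo(threshold=3):
    """Run the whole pipeline on SAMPLE_LOG with a fixed clock; returns the results."""
    report = analyse(parse_events(SAMPLE_LOG), threshold)
    now = datetime(2024, 3, 1, 10, 5)
    entries = hosts_deny_entries(report["banned"], now)
    return {
        "report": report,
        "entries": entries,
        "after_7_days": purge(entries, now + timedelta(days=7), timedelta(days=30)),
        "after_40_days": purge(entries, now + timedelta(days=40), timedelta(days=30)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the sample above, 203.0.113.5 reaches four failures (two against non-existent users, two against root) and is the only host banned at threshold 3; its later successful root login is reported as suspicious, which is exactly the "how would you know?" case the text raises. 192.0.2.9 never failed, so bob's key-based login from there is not flagged. In a real deployment the script would read the log from the saved offset, append the rendered lines to /etc/hosts.deny, and call purge() on the existing entries on each run.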