[PLUG] denyhosts for illegal ssh login attempts

Charles Sliger chaz at bctonline.com
Wed May 18 20:27:30 UTC 2005



From: plug-bounces at lists.pdxlinux.org
[mailto:plug-bounces at lists.pdxlinux.org] On Behalf Of Keith Lofstrom
Sent: Monday, May 16, 2005 9:54 AM
Subject: [PLUG] denyhosts for illegal ssh login attempts

I got tired of seeing 2000 line logwatch reports with lines like:

> Illegal user anonymous from ::ffff:200.93.183.186
> Failed password for illegal user anonymous from ::ffff:200.93.183.186 port 43610 ssh2

Eventually, the bastards might even make it in.  So I downloaded a program
called DenyHosts ( http://denyhosts.sourceforge.net ) which is called from
cron, scans /var/log/secure and adds entries to /etc/hosts.deny .

The Python program install isn't well documented (including a bit about
"from version import VERSION" which I commented out) and I would prefer
something that responded to the log process itself rather than being called
by cron to scan /var/log files.  At first, I thought it would be better to
just block the troublesome site with iptables rather than hosts.deny, but
the fine-grain control of hosts.deny does give me the opportunity to tweak
things by a back door after a DOS attack, and hosts.deny is permanent
through reboots.

[chaz> ] You should be able to run iptables-save after updating iptables to
cause the change to persist across reboots.
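
The scan described in the quoted post (count failed sshd logins per address, then emit hosts.deny entries for repeat offenders), as an added illustration that is not DenyHosts code or part of either message. The function names, the threshold, the allowlist parameter and the sample log lines are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line: the user name is attacker-controlled and may itself
# contain " from <ip> port ", so only the final address (written by sshd) counts.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?.* "
    r"from (\S+) port \d+ ssh2$")

# Constructed sample lines (documentation addresses), not real log data.
SAMPLE = """\
May 16 09:50:01 host sshd[4101]: Illegal user anonymous from ::ffff:192.0.2.10
May 16 09:50:02 host sshd[4101]: Failed password for illegal user anonymous from ::ffff:192.0.2.10 port 43610 ssh2
May 16 09:50:04 host sshd[4102]: Failed password for illegal user test from ::ffff:192.0.2.10 port 43611 ssh2
May 16 09:50:06 host sshd[4103]: Failed password for root from ::ffff:192.0.2.10 port 43612 ssh2
May 16 09:51:00 host sshd[4110]: Failed password for keith from ::ffff:198.51.100.7 port 50022 ssh2
May 16 09:52:00 host sshd[4120]: Failed password for illegal user x from 203.0.113.5 port 1 ssh2 from ::ffff:192.0.2.10 port 43613 ssh2
"""

def source_ip(line):
    """Return the normalized client address of a failed login, or None."""
    m = FAILED.search(line.rstrip())
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # never pass unvalidated text on to hosts.deny
    # ::ffff:a.b.c.d is an IPv4 client seen on a dual-stack socket.
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped or addr)

def offenders(log_text, threshold=3, allow=()):
    """Addresses with at least `threshold` failures, minus allowlisted ones."""
    counts = Counter(ip for ip in map(source_ip, log_text.splitlines()) if ip)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allow)

def hosts_deny_lines(ips, existing=""):
    """Entries for /etc/hosts.deny that are not already in `existing`."""
    present = {line.strip() for line in existing.splitlines()}
    # tcp_wrappers expects IPv6 addresses in square brackets.
    entries = [f"sshd: [{ip}]" if ":" in ip else f"sshd: {ip}" for ip in ips]
    return [e for e in entries if e not in present]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE))))
```

The last sample line carries a crafted user name containing a second address; because the pattern is anchored to the end of the line, the failure is charged to the real client and 203.0.113.5 is never listed.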





