Weird things on my server

I mentioned a post or so ago that I have started to run a new application called logwatch. One of the things that I noticed in the output I was getting from logwatch was a fair number of failed ssh login attempts. It looked like most of the attempts were automated hits using root/password to get in. This got me looking into a way to stop these types of attempts from happening. A quick google search led me to denyhosts. It is a really simple but effective app that watches for failed attempts and puts the offending IP address in your /etc/hosts.deny.

The only issue that I had after installing it was that my own IP was being blocked from my laptop while on my wireless connection (weird). To fix this I edited /var/lib/denyhosts/allowed-hosts to add my IP info to keep myself from being blocked.

Running grep sshd: /etc/hosts.deny | wc -l I can see that my hosts.deny file has gone from having no entries to having 100, and that is just in the timespan of a month or so.
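As an added example (not from the post, and not denyhosts' own code), here is a small shell function that does what the post describes denyhosts doing: count failed sshd logins per source IP, skip addresses on an allow-list like the allowed-hosts file, and print hosts.deny entries for the rest. The log lines and IP addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: a minimal version of what the post describes denyhosts doing.
# Reads sshd auth-log lines on stdin, counts failed logins per source IP,
# skips IPs on an allow-list (like denyhosts' allowed-hosts), and prints
# hosts.deny entries ("sshd: <ip>") for IPs with at least THRESHOLD failures.
# All log lines and addresses below are constructed, not real.

# Constructed sample of the "Failed password" lines logwatch summarises.
SAMPLE_LOG='Feb  1 12:01:02 host sshd[1234]: Failed password for root from 198.51.100.7 port 40012 ssh2
Feb  1 12:01:05 host sshd[1234]: Failed password for root from 198.51.100.7 port 40013 ssh2
Feb  1 12:01:09 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40015 ssh2
Feb  1 12:02:00 host sshd[1240]: Failed password for root from 203.0.113.9 port 51000 ssh2
Feb  1 12:02:30 host sshd[1241]: Accepted publickey for etank from 203.0.113.9 port 51001 ssh2
Feb  1 12:03:00 host sshd[1250]: Failed password for root from 192.0.2.50 port 60000 ssh2
Feb  1 12:03:01 host sshd[1250]: Failed password for root from 192.0.2.50 port 60001 ssh2
Feb  1 12:03:02 host sshd[1250]: Failed password for root from 192.0.2.50 port 60002 ssh2'

# Constructed allow-list (space separated): the author's own laptop address,
# so it is never blocked even after repeated typos.
ALLOWED='192.0.2.50'

# deny_entries THRESHOLD "ALLOWED_IPS" < logfile
# Prints "sshd: <ip>" for each IP with >= THRESHOLD failed logins that is not allowed.
deny_entries() {
    threshold=$1
    allowed=$2
    awk -v threshold="$threshold" -v allowed="$allowed" '
        BEGIN { n = split(allowed, a); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # Only sshd "Failed password" lines count; "Accepted" lines are ignored.
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold && !(ip in skip)) print "sshd: " ip
        }' | sort
}

# The same count the post runs against /etc/hosts.deny, as a function.
count_entries() { grep -c '^sshd:'; }

printf '%s\n' "$SAMPLE_LOG" | deny_entries 2 "$ALLOWED"
```

With the sample above and a threshold of 2, only 198.51.100.7 is printed: 203.0.113.9 failed once and then logged in legitimately, and 192.0.2.50 is on the allow-list despite three failures.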

  1. #1 by disi on February 1, 2010 - 12:38 pm

    You should also have a look at fail2ban.

    It searches for regex in logfiles and applies actions based on rules (jails). Works with IPTables or host.deny etc.
    The good thing is, that you can define really custom stuff in those rules. Some templates are given for sshd, apache etc.

  2. #2 by Arsenick on February 1, 2010 - 1:20 pm

    An easy way to avoid those “attacks” is to change the default port sshd listens on…

    These attacks are most of the time generated by simple scripts that try to crack “q1w2e3” passwords. If you change the default port sshd uses and you still get those errors, you can assume someone doesn’t like you 😉 Otherwise, as told by Disi, Fail2ban is a great tool..

  3. #3 by mbooth on February 1, 2010 - 3:53 pm

    For uninteresting historical reasons, I run my sshd on a non-standard port. That alone caused the number of failed login attempts to go from hundreds a day to zero. (Well, the average is close enough to zero that it isn’t worth mentioning.)

  4. #4 by cliff on February 6, 2010 - 7:36 am

    did you give up on the KY LoCo team?

    • #5 by etank on February 6, 2010 - 8:47 am

      Not really. We have merged with the BGLUG team though, because not all of the members of the LoCo team were using Ubuntu. BGLUG is a more generic distro-based LUG.
