DenyHosts on FreeBSD 6.2

If you run a *nix server for a little while, you’ll notice that bots will try to gain illegitimate access to it through SSH. While this unsettles a lot of people, there’s really nothing to worry about as long as you don’t permit root logins and have a strong password policy.

Nonetheless, taking an extra security measure is a good idea, and this is where DenyHosts comes into the picture. DenyHosts is a small Python script which makes password-guessing on your OpenSSH deployments virtually impossible by allowing only a limited number of login attempts to your sshd. After a set number of tries, DenyHosts simply denies the given IP further attempts. What’s even cooler about DenyHosts is that the most recent version (2.0) allows you to benefit from over 23.400 other people’s ban lists, saving you a lot of worrying about those pesky login attempts. An added bonus is that you’ll save yourself a few kB of network traffic and a few CPU cycles by straight-out denying any previous offenders a connection to your server. :)
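To make the "set number of tries" idea concrete, here is a simplified sketch added for illustration; it is not DenyHosts' own code. The log lines are constructed, the function names and threshold are hypothetical, only IPv4 sources are handled, and the output uses the TCP wrappers `daemon: client` form.

```python
import re
from collections import Counter

# Constructed sample of sshd auth log lines (not from a real host).
SAMPLE_LOG = """\
Jan 10 03:12:01 box sshd[811]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 03:12:03 box sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 10 03:12:05 box sshd[815]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Jan 10 03:13:10 box sshd[820]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Jan 10 03:13:15 box sshd[820]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
Jan 10 03:14:00 box sshd[830]: Failed password for invalid user x from 192.0.2.99 from 203.0.113.7 port 51300 ssh2
"""

# Anchored to the end of the line: the captured address is the one sshd
# appended itself, never text that appears inside the user-name field.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for .* from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def count_failures(log_text):
    """Count failed password attempts per source address."""
    failures = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            failures[match.group(1)] += 1
    return failures


def hosts_to_deny(log_text, threshold=3, allowed=frozenset()):
    """Return hosts.deny-style lines for sources at or over the threshold.

    Addresses in `allowed` are never listed, so an admin's own typos
    cannot lock them out.
    """
    failures = count_failures(log_text)
    return [f"sshd: {ip}" for ip, n in sorted(failures.items())
            if n >= threshold and ip not in allowed]


if __name__ == "__main__":
    print("\n".join(hosts_to_deny(SAMPLE_LOG)))
```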

Learn how to set it up here

2 thoughts on “DenyHosts on FreeBSD 6.2”

  1. kace says:

    Good info’, CB.

    I’ve never liked the idea of DenyHosts anyway. I think it’s preferable to just use a firewall and only allow the IPs you know you’ll be ssh’ing from. (Yes, that might include an entire ~/23 subnet from your ISP, too. But, there ought to be very few or zero hackers amongst a few hundred of your neighbors.) … Just make sure you’ve got enough back-up IPs in your allow list — even if it’s your friend’s house or your brother’s office or something.

    Putting ssh onto an alternate port is probably worth the trouble, too.
