If you run a nix server for a little while, you’ll notice that bots will try to gain illegitimate access to your server through ssh. While this unsettles a lot of people, there’s really nothing to worry about as long as you don’t permit root logins and have a strong password policy.
Nonetheless, taking just an extra measure of security is a good idea, and this is where DenyHosts comes into the picture. DenyHosts is a small Python script which makes password-guessing on your OpenSSH deployments virtually impossible, by allowing only a limited number of login attempts to your sshd. After a set number of tries, DenyHosts simply denies the given IP further attempts. What’s even cooler about DenyHosts, is that the most recent version (2.0) allows you to benefit from over 23.400 other peoples ban lists, thus meaning you’re saving yourself a lot of worrying about those pesky login attempts. An added bonus is that you’ll save yourself a few kB’s of network traffic and a few CPU cycles by straight-out denying any previous offenders a connection to your server. :)
Related posts:
- FreeBSD security (incl video)
- FreeNAS 0.69 RC1 release (Salusa Secundus)
- Released: FreeNAS 0.7 (Khasadar)
- Reset admin/root password in FreeBSD (howto)
- PC-BSD 1.4: An Initial Look
October 16th, 2007 at 11:17 pm
DenyHosts reportedly has known unfixed DoS vulnerabilities that allow anyone to lock all hosts out of your SSH.
Details:
http://www.ossec.net/en/attacking-loganalysis.html#denyhosts
October 21st, 2007 at 3:56 am
Good info’, CB.
I’ve never liked the idea of DenyHosts anyway. I think it’s preferable to just use a firewall and only allow the IP’s you
know you’ll be ssh’ing from. (Yes, that might include an entire ~/23 subnet from your ISP, too. But, there ought to be very few or zero hackers amongst a
few hundred of you neighbors.) … Just make sure you’ve got enough back-up IP’s in your allow list — even if it’s your friend’s house or your
brother’s office or something.
Putting ssh onto an alternate port is probably worth the trouble, too.