ssh, that’s obscure
Have an internet-facing public server or four and someone is going to try breaking into it. Sad, but true. I’d like to think that most of the people who try this sort of game are pimply faced teenagers with an internet connection and nothing better to do… Most of them probably are, I suspect. Regardless, the point is that most of these guys (the ones I detect, anyway) are so amateurish that they point some random ssh password brute-forcing tool at a random server and pull the trigger. Never mind that our user names and passwords are (mostly) safe; these idiots spray servers with hundreds of requests a minute and slow the servers down to a crawl.
I have respect for people who are good enough to break in, leave little trace, do their business (rootkits, warez dump, whatever) and then vanish. I may not like them, in fact I may actively fear their existence, but I have a healthy respect for the subtle cracker. But the hordes knocking on the server doors at this point are about as subtle as a smack on the face in a crowded pub. Actually, it’s more like the death by a thousand cuts for the servers. Incidentally, how apropos; easily 80% of the hits from these wannabe crackers have come from Chinese, Taiwanese and Korean IPs.
So, considering how much bandwidth these maladroit marauders waste – I obviously needed to do something.
DenyHosts. It’s a lovely little script which is capable of being run as a daemon. Written in Python, it monitors the ssh log (/var/log/auth.log on Debianesque servers, /var/log/secure in Red Hat/Fedora land) and blocks off hosts which make too many bad ssh login attempts by adding them to /etc/hosts.deny. That means the block is enforced by TCP wrappers rather than by a firewall rule, so sshd has to be built with libwrap support for the entry to bite. Everything is configurable, of course – number of failed logins before adding to hosts.deny (with separate thresholds for nonexistent users and for real ones); number of bad root logins before being killz0red and so on. So, I installed it. Nice and easy, took all of 10 minutes. [A bit later, I read the FAQ and found this link. Yup, I installed first and read the FAQ later, so sue me]. One thing I didn’t feel comfortable doing just yet though, was enabling synchronization mode – which allows DenyHosts daemons to communicate with a central server, uploading the IPs you have denied and pulling down the ones other people have.
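To make concrete what the daemon is actually doing, here is an added example (my own toy version, not DenyHosts’ code) of its decision loop: it reads sshd failure lines, tallies them per source IP in the three classes DenyHosts distinguishes (root, other real users, nonexistent users), and returns the hosts.deny lines to append once any class crosses its threshold. The threshold values and the `sshd:` service name mirror DenyHosts’ defaults as I understand them; the function names are mine and the sample log lines are constructed, not taken from the server in the post.

```python
"""Toy re-implementation of the DenyHosts decision loop (added example,
not DenyHosts' own code).  Scans sshd log lines, keeps a per-source-IP
tally of failed logins split into root / valid user / invalid user, and
returns the /etc/hosts.deny entries that cross the configured thresholds.
"""
import re
from collections import defaultdict

# Assumed values, modelled on DenyHosts' DENY_THRESHOLD_* defaults.
DENY_THRESHOLD_INVALID = 5   # user does not exist on the box
DENY_THRESHOLD_VALID = 10    # user exists, wrong password
DENY_THRESHOLD_ROOT = 1      # any failed root login at all
BLOCK_SERVICE = "sshd"       # daemon list in hosts.deny; "ALL" blocks everything
# Note: hosts.deny is read by libwrap, so this only blocks sshd if it was
# built with TCP wrappers support.

# Classic OpenSSH failure lines; the "invalid user" prefix marks nonexistent accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def classify(line):
    """Return (ip, category) for a failed-login line, or None for anything else."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    if m.group("invalid"):
        return m.group("ip"), "invalid"
    if m.group("user") == "root":
        return m.group("ip"), "root"
    return m.group("ip"), "valid"


def tally(lines):
    """Count failed logins per source IP, split by category."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0})
    for line in lines:
        hit = classify(line)
        if hit:
            ip, category = hit
            counts[ip][category] += 1
    return counts


def offenders(counts):
    """IPs whose failure count in any single category has reached its threshold."""
    limits = {"invalid": DENY_THRESHOLD_INVALID,
              "valid": DENY_THRESHOLD_VALID,
              "root": DENY_THRESHOLD_ROOT}
    return sorted(ip for ip, c in counts.items()
                  if any(c[k] >= limits[k] for k in limits))


def hosts_deny_entries(lines, already_denied=()):
    """hosts.deny lines to append, skipping IPs that are already listed."""
    listed = set(already_denied)
    return [f"{BLOCK_SERVICE}: {ip}" for ip in offenders(tally(lines))
            if ip not in listed]


# Constructed sample of /var/log/auth.log traffic (documentation IP ranges), not real data.
SAMPLE_LOG = [
    "Jan  9 03:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 5122 ssh2",
    "Jan  9 03:12:04 web1 sshd[2214]: Failed password for invalid user oracle from 198.51.100.23 port 40112 ssh2",
    "Jan  9 03:12:05 web1 sshd[2216]: Failed password for invalid user test from 198.51.100.23 port 40113 ssh2",
    "Jan  9 03:12:06 web1 sshd[2218]: Failed password for invalid user admin from 198.51.100.23 port 40114 ssh2",
    "Jan  9 03:12:07 web1 sshd[2220]: Failed password for invalid user guest from 198.51.100.23 port 40115 ssh2",
    "Jan  9 03:12:08 web1 sshd[2222]: Failed password for invalid user postgres from 198.51.100.23 port 40116 ssh2",
    "Jan  9 03:15:40 web1 sshd[2301]: Failed password for invalid user ftp from 192.0.2.9 port 51002 ssh2",
    "Jan  9 03:15:41 web1 sshd[2303]: Failed password for invalid user ftp from 192.0.2.9 port 51003 ssh2",
    "Jan  9 03:15:42 web1 sshd[2305]: Failed password for invalid user ftp from 192.0.2.9 port 51004 ssh2",
    "Jan  9 03:16:10 web1 sshd[2310]: Failed password for lair from 192.0.2.9 port 51010 ssh2",
    "Jan  9 03:16:13 web1 sshd[2312]: Failed password for lair from 192.0.2.9 port 51011 ssh2",
    "Jan  9 03:16:20 web1 sshd[2314]: Accepted publickey for lair from 192.0.2.9 port 51012 ssh2",
]

if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_LOG):
        print(entry)
```

On the sample, 203.0.113.7 gets denied after a single root failure, 198.51.100.23 after five nonexistent-user failures, and 192.0.2.9 survives because three invalid-user and two real-user failures are each below their own threshold. Counting the classes separately is the point: a handful of typos from a real user should not get you locked out of your own box, but the first bad root login from a stranger should.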
Within hours, my hosts.deny had four new entries added. And that’s just one server, mind you. W00t for automatic blocking of abusive IPs. Now I need to try out Fail2Ban, which looks like it could handle HTTP server attacks as well as ssh-based brute-force attempts.
I feel safer already… I think
Update: One night of denyhosts and the incoming bandwidth on the server has gone down from a whopping 91M to a mere 6M. Umm. Hell, yeah? Something is working, at any rate.