Yesterday, we caught some kiddie trying to log into one of our servers. He — or his script — tried a brute-force attack on SSH some 740 times in about 45 minutes. Based on the security profile of the machine, that sort of attack is wildly unlikely to bear fruit, but still: some jackoff is trying the locks, and we don’t like it.
Lots of Googling and guru-asking later, someone pointed us at DenyHosts, which rules. If you run an SSH server, you probably ought to look into this. It watches your logs; when it sees more than X invalid SSH attempts in Y time period from a given IP, it adds that IP to /etc/hosts.deny (or other appropriate file, depending on your flavor of *nix). It distinguishes between invalid logins (for accounts that don’t exist) and failed ones (for accounts that do), so it’s possible to allow 5 invalid attempts in 14d before lockout AND only 3 in 30d for actual accounts, for example. Also, the author was smart enough to incorporate a --purge option, which is key. The IP the script kiddie had yesterday might well be the one you have today, so a permanent ban list isn’t the way to go.
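The log-watching logic described above, as an added example that is not DenyHosts' own code: it counts invalid-user and failed-real-account attempts per IP in a sliding window using the thresholds from the post, emits hosts.deny entries, and expires old bans the way --purge does. The sshd log lines, the IPs and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample sshd log lines, constructed for this example (not real hosts or traffic).
SAMPLE_LOG = """\
2024-03-01T02:00:01 sshd[101]: Invalid user admin from 203.0.113.7 port 4001
2024-03-01T02:00:05 sshd[102]: Invalid user oracle from 203.0.113.7 port 4002
2024-03-01T02:00:09 sshd[103]: Invalid user test from 203.0.113.7 port 4003
2024-03-01T02:00:12 sshd[104]: Invalid user pi from 203.0.113.7 port 4004
2024-03-01T02:00:15 sshd[105]: Invalid user ubuntu from 203.0.113.7 port 4005
2024-03-01T02:01:00 sshd[106]: Failed password for root from 198.51.100.9 port 5001 ssh2
2024-03-01T02:01:30 sshd[107]: Failed password for root from 198.51.100.9 port 5002 ssh2
2024-03-01T02:02:00 sshd[108]: Failed password for root from 198.51.100.9 port 5003 ssh2
2024-03-01T03:00:00 sshd[109]: Invalid user guest from 192.0.2.4 port 6001
"""

# Thresholds from the post: 5 invalid-user attempts in 14 days, 3 failed logins to real accounts in 30 days.
RULES = {"invalid": (5, timedelta(days=14)), "failed": (3, timedelta(days=30))}
# "Failed password for invalid user ..." lines deliberately do not match, so a bad username is counted once.
LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Invalid user \S+|Failed password for \S+) from (\S+) port")

def parse(log):
    """Yield (timestamp, kind, ip) per attempt; kind is 'invalid' (no such account) or 'failed'."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind = "invalid" if m.group(2).startswith("Invalid") else "failed"
            yield datetime.fromisoformat(m.group(1)), kind, m.group(3)

def exceeds(times, limit, window):
    """True if any `limit` consecutive attempts fall inside `window` (sliding window, not a fixed bucket)."""
    times = sorted(times)
    return any(times[i + limit - 1] - times[i] <= window for i in range(len(times) - limit + 1))

def offenders(log):
    """Return {ip: time_of_last_offending_attempt} for every IP that trips either rule."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, kind, ip in parse(log):
        seen[ip][kind].append(ts)
    bans = {}
    for ip, by_kind in seen.items():
        for kind, (limit, window) in RULES.items():
            if exceeds(by_kind[kind], limit, window):
                bans[ip] = max(by_kind[kind])
    return bans

def hosts_deny_lines(bans): return [f"sshd: {ip}" for ip in sorted(bans)]

def purge(bans, now, max_age):
    """Drop bans older than max_age: the time-limited ban behaviour the --purge option provides."""
    return {ip: ts for ip, ts in bans.items() if now - ts <= max_age}
```

Only the two IPs that cross a threshold end up in the deny list; the single stray attempt from 192.0.2.4 does not.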
Nice work. It’s not quite ideal — by which we mean that if someone kept trying the locks on our HOUSE at night, well, eventually we’d get down the stairs with the Steyr in time to make short work of the miscreant; to the best of our knowledge DenyHosts does not in fact poke additional holes in the attacker — but it’s certainly a worthwhile extra step to take.