Limit Ssh Attempts On Your Box With Denyhosts

[Mike Gibbs]

If your *nix box has a public IP address then chances are that it will have many ssh login attempts. You can easily limit the chances of someone guessing the correct password by installing Denyhosts.

The program denyhosts keeps track of how many attempts are made and if a configurable amount have failed for a certain IP address then it is automatically blacklisted.

Installing DenyHosts on CentOS or Redhat

Install the EPEL repository and YUM priorities

# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

# yum install yum-priorities

Now install Denyhosts

# yum install denyhosts

Finally add it to start-up and initiate the process.

# chkconfig denyhosts on

# service denyhosts start

Any configuration can be made by editing the configuration file located at /etc/denyhosts.conf

You can watch the IPs of attackers as they get blacklisted in the file /etc/host.deny

# tail -f -n 50 /etc/hosts.deny

[hexophrenic]

Be careful with this in a production environment though. Believe it or not, you can have internal hosts added to the deny list inadvertently with port monitoring apps, etc, so you want to make sure you plan around that (add those hosts to allow list).

[Infiltrator]

Blocking an IP address is certainly an effective way, but not an easy way to manage.

You could minimize the attack attempts, by changing the default port or implementing port knocking which will be a lot more effective at stopping a script kiddie or a bot.

Also for authentication, I would implement a 2 authentication using certificates, rather than using passwords.

[int0x80]

I've had good success with the following:

1. Move sshd to a non-standard port
   
2. Use only SSH keys
   
3. Two-factor with Google Authenticator
   

[Jason Cooper]

Personally I wouldn't bother with denyhosts, I find that requiring key authentication stops brute force attempts without any risk of denying your own hosts access.