Mike Gibbs Posted February 16, 2012

If your *nix box has a public IP address then chances are that it will have many ssh login attempts. You can easily limit the chances of someone guessing the correct password by installing Denyhosts. The program denyhosts keeps track of how many attempts are made and if a configurable amount have failed for a certain IP address then it is automatically blacklisted.

Installing DenyHosts on CentOS or Redhat

Install the EPEL repository and YUM priorities

    # rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
    # yum install yum-priorities

Now install Denyhosts

    # yum install denyhosts

Finally add it to start-up and initiate the process.

    # chkconfig denyhosts on
    # service denyhosts start

Any configuration can be made by editing the configuration file located at /etc/denyhosts.conf

You can watch the IPs of attackers as they get blacklisted in the file /etc/hosts.deny

    # tail -f -n 50 /etc/hosts.deny

hexophrenic Posted February 16, 2012

Be careful with this in a production environment though. Believe it or not, you can have internal hosts added to the deny list inadvertently with port monitoring apps, etc., so you want to make sure you plan around that (add those hosts to allow list).

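Added example, not part of any post in this thread and not DenyHosts' own code: the threshold blocking described in the first post, with the allow list from the reply above applied before anything is denied. The function name, threshold, allowlisted network and log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# sshd syslog message for a failed password attempt (OpenSSH format).
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample log: one outside source, one internal monitoring host.
SAMPLE_LOG = """\
Feb 16 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb 16 10:00:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Feb 16 10:00:05 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Feb 16 10:01:00 web1 sshd[2110]: Failed password for nagios from 10.0.0.5 port 51000 ssh2
Feb 16 10:01:30 web1 sshd[2111]: Failed password for nagios from 10.0.0.5 port 51002 ssh2
Feb 16 10:02:00 web1 sshd[2112]: Failed password for nagios from 10.0.0.5 port 51004 ssh2
Feb 16 10:03:00 web1 sshd[2120]: Failed password for mike from 198.51.100.9 port 33000 ssh2
Feb 16 10:03:10 web1 sshd[2121]: Accepted password for mike from 198.51.100.9 port 33002 ssh2
""".splitlines()

def hosts_to_deny(log_lines, threshold, allow_nets=()):
    """Return hosts.deny-style entries for sources with at least `threshold`
    failed logins, skipping any address inside an allowlisted network."""
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    failures = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            failures[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # source field was not an IP address; ignore it
    deny = []
    # Sort by (version, integer value) so IPv4 and IPv6 can be mixed.
    for ip in sorted(failures, key=lambda a: (a.version, int(a))):
        if failures[ip] < threshold:
            continue
        if any(ip in net for net in allowed):
            continue  # internal host: never blacklist, whatever the count
        deny.append(f"sshd: {ip}")
    return deny

if __name__ == "__main__":
    print("no allow list:  ", hosts_to_deny(SAMPLE_LOG, 3))
    print("with allow list:", hosts_to_deny(SAMPLE_LOG, 3, ["10.0.0.0/8"]))
```

Run without an allow list, the internal monitoring host 10.0.0.5 is denied alongside the outside source; with 10.0.0.0/8 allowlisted only 203.0.113.7 is.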
Infiltrator Posted February 17, 2012

Blocking an IP address is certainly an effective way, but not an easy way to manage. You could minimize the attack attempts by changing the default port or implementing port knocking, which will be a lot more effective at stopping a script kiddie or a bot. Also for authentication, I would implement a 2 authentication using certificates, rather than using passwords.

int0x80 Posted February 17, 2012

I've had good success with the following:

- Move sshd to a non-standard port
- Use only SSH keys
- Two-factor with Google Authenticator

Jason Cooper Posted February 17, 2012

Personally I wouldn't bother with denyhosts; I find that requiring key authentication stops brute force attempts without any risk of denying your own hosts access.