Stopping hackers using denyhosts

I was supposed to be preparing for my talk for tomorrow at the SEMBA meeting, but then I saw these on the log of one of my servers:

Mar 19 05:51:29 cell sshd[29862]: Failed unknown for illegal user dan from 59.77
.25.55 port 49614 ssh2
Mar 19 05:51:33 cell sshd[29865]: Failed unknown for illegal user dan from 59.77
.25.55 port 49784 ssh2
Mar 19 05:51:37 cell sshd[29868]: Failed unknown for illegal user dan from 59.77
.25.55 port 49946 ssh2
Mar 19 05:51:40 cell sshd[29871]: Failed unknown for illegal user adrian from 59
.77.25.55 port 50116 ssh2
Mar 19 05:51:44 cell sshd[29874]: Failed unknown for illegal user admin from 59.
77.25.55 port 50265 ssh2
Mar 19 05:51:48 cell sshd[29877]: Failed unknown for illegal user alliance from
59.77.25.55 port 50438 ssh2
Mar 19 05:51:51 cell sshd[29880]: Failed unknown for illegal user clinic from 59
.77.25.55 port 50592 ssh2
Mar 19 05:51:55 cell sshd[29883]: Failed unknown for illegal user copier from 59
.77.25.55 port 50768 ssh2
Mar 19 05:51:59 cell sshd[29886]: Failed unknown for illegal user displays from
59.77.25.55 port 50914 ssh2
Mar 19 05:52:02 cell sshd[29889]: Failed unknown for illegal user finder from 59
.77.25.55 port 51087 ssh2
Mar 19 05:52:06 cell sshd[29892]: Failed unknown for illegal user client from 59
.77.25.55 port 51240 ssh2
Mar 19 05:52:09 cell sshd[29895]: Failed unknown for illegal user client from 59
.77.25.55 port 51417 ssh2
Mar 19 05:52:13 cell sshd[29898]: Failed unknown for illegal user pub from 59.77
.25.55 port 51554 ssh2
Mar 19 05:52:17 cell sshd[29901]: Failed unknown for illegal user dino from 59.7
7.25.55 port 33817 ssh2
Mar 19 05:52:20 cell sshd[29904]: Failed unknown for illegal user dino from 59.7
7.25.55 port 33980 ssh2
Mar 19 05:52:24 cell sshd[29907]: Failed unknown for illegal user pub from 59.77
.25.55 port 34153 ssh2
Mar 19 05:52:28 cell sshd[29910]: Failed unknown for illegal user dino from 59.7
7.25.55 port 34295 ssh2
Mar 19 05:52:31 cell sshd[29913]: Failed unknown for illegal user dino from 59.7
7.25.55 port 34469 ssh2
Mar 19 05:52:35 cell sshd[29916]: Failed unknown for illegal user dino from 59.7
7.25.55 port 34642 ssh2
Mar 19 05:52:39 cell sshd[29919]: Failed unknown for illegal user hans from 59.7
7.25.55 port 34783 ssh2
Mar 19 05:52:42 cell sshd[29922]: Failed unknown for illegal user rob from 59.77
.25.55 port 34958 ssh2

This goes on for about 2000 times…I have seen this (basically daily) before, but today I simply got tired of seeing it. Googled around and found denyhosts, a nice program that seemed would work for me. I tired to install it by hand, then found there are automatic installation scripts. On my old servers, I still had to manually update python2.2 to python2.3, and tweak a bit to get it to work though. Now anyone trying the “dictionary” attack as shown above will be shut off my server after 5 such tries. Need to do the same thing with ftp servers (ftpd), but the best I am doing now is to create a blacklist of IPs which have attacked my site with sshd, then refuse them service everything — they probably could not even visit my web!

After seeing it working, I felt so accomplished!

Author: Zachary Huang

Leave a Reply

Your email address will not be published. Required fields are marked *