Looking in /var/log/secure
Well my VPS server has been up for just over a week and a check of /var/log/secure shows there have been a number of ssh brute force attacks.
An example from /var/log/secure :-
Feb 18 19:30:17 vm sshd: pam_succeed_if(sshd:auth): error retrieving information about user jodie
Feb 18 19:30:19 vm sshd: Failed password for invalid user jodie from 18.104.22.168 port 35485 ssh2
Feb 18 19:30:19 vm sshd: Received disconnect from 22.214.171.124: 11: Bye Bye
Feb 18 19:30:21 vm sshd: Invalid user jody from 126.96.36.199
Feb 18 19:30:21 vm sshd: input_userauth_request: invalid user jody
Feb 18 19:30:21 vm sshd: pam_unix(sshd:auth): check pass; user unknown
Feb 18 19:30:21 vm sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.8.131.52
Feb 18 19:30:21 vm sshd: pam_succeed_if(sshd:auth): error retrieving information about user jody
Feb 18 19:30:23 vm sshd: Failed password for invalid user jody from 184.108.40.206 port 35986 ssh2
Feb 18 19:30:23 vm sshd: Received disconnect from 220.127.116.11: 11: Bye Bye
Feb 18 19:30:25 vm sshd: Invalid user joe from 18.104.22.168
Feb 18 19:30:25 vm sshd: input_userauth_request: invalid user joe
Feb 18 19:30:25 vm sshd: pam_unix(sshd:auth): check pass; user unknown
I started adding the IP addresses to /etc/hosts.deny but I thought there must be a way of automating things.
A Google search found DenyHosts which parses the secure log and automatically updates hosts.deny
DenyHosts has plenty of useful options ( including listing IP addresses that will never be added to hosts.deny – very handy so you don’t lock yourself out ! ). It can run from cron or in daemon mode.
Installation on Centos
Get the RPM from the Epel repository ( there are a great number of useful RPMS in the Epel repository and it is well worth adding to yum.
yum install denyhosts
Edit the configuration file
The default setting will work fine but you may want to change things such as :-
ADMIN_EMAIL if you want to be emailed about blocked hosts
The date format and log format.
The configuration file is very well documented.
Run the script on your /var/log/secure file :-
cat /etc/hosts.deny to see all the hosts it has found causing problems.
vi /var/lib/denyhosts/allowed-hosts and add IP addresses you never want to be blocked each one on their own line.
Check if denyhosts will be started automatically at boot :-
-bash-3.2# chkconfig –list denyhosts
denyhosts 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Then start it up :-
-bash-3.2# service denyhosts start