Preventing ssh brute force attacks with DenyHosts

Looking in /var/log/secure

Well my VPS server has been up for just over a week and a check of /var/log/secure shows there have been a number of ssh brute force attacks.

An example from /var/log/secure :-

Feb 18 19:30:17 vm sshd[29470]: pam_succeed_if(sshd:auth): error retrieving information about user jodie
Feb 18 19:30:19 vm sshd[29470]: Failed password for invalid user jodie from 222.122.227.26 port 35485 ssh2
Feb 18 19:30:19 vm sshd[29471]: Received disconnect from 222.122.227.26: 11: Bye Bye
Feb 18 19:30:21 vm sshd[29478]: Invalid user jody from 222.122.227.26
Feb 18 19:30:21 vm sshd[29479]: input_userauth_request: invalid user jody
Feb 18 19:30:21 vm sshd[29478]: pam_unix(sshd:auth): check pass; user unknown
Feb 18 19:30:21 vm sshd[29478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.122.227.26
Feb 18 19:30:21 vm sshd[29478]: pam_succeed_if(sshd:auth): error retrieving information about user jody
Feb 18 19:30:23 vm sshd[29478]: Failed password for invalid user jody from 222.122.227.26 port 35986 ssh2
Feb 18 19:30:23 vm sshd[29479]: Received disconnect from 222.122.227.26: 11: Bye Bye
Feb 18 19:30:25 vm sshd[29486]: Invalid user joe from 222.122.227.26
Feb 18 19:30:25 vm sshd[29487]: input_userauth_request: invalid user joe
Feb 18 19:30:25 vm sshd[29486]: pam_unix(sshd:auth): check pass; user unknown

I started adding the IP addresses to /etc/hosts.deny but I thought there must be a way of automating things.

A Google search found DenyHosts, which parses the secure log and automatically adds the offending addresses to hosts.deny.

DenyHosts has plenty of useful options ( including listing IP addresses that will never be added to hosts.deny – very handy so you don't lock yourself out ! ). It can run from cron or in daemon mode. Note that it blocks through TCP wrappers, so it only protects services that consult hosts.deny; sshd does on these systems, but OpenSSH dropped tcp_wrappers support in 6.7, so on newer builds a firewall-based blocker is needed instead.
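To make the mechanism concrete, here is an added example (not DenyHosts' own code) of what the tool automates: parse sshd "Failed password" lines, count failures per source address by category (non-existent user, existing user, root), apply a threshold, drop anything on an allow-list, and emit hosts.deny entries. The thresholds, the allow-list file format and the log lines are constructed for the demonstration; DenyHosts' real thresholds live in its config file. The one security detail worth copying is that the address is taken only from the "from <ip> port" clause, never from the user-name field, which the attacker controls.

```python
"""Parse sshd failure lines in /var/log/secure style and emit hosts.deny entries.

Added illustration of what DenyHosts automates; not DenyHosts code.
Thresholds, allow-list format and sample log lines are assumptions.
"""
import re
from collections import Counter

# Constructed sample in the style of /var/log/secure (not a real capture).
SAMPLE_LOG = """\
Feb 18 19:30:19 vm sshd[29470]: Failed password for invalid user jodie from 222.122.227.26 port 35485 ssh2
Feb 18 19:30:23 vm sshd[29478]: Failed password for invalid user jody from 222.122.227.26 port 35986 ssh2
Feb 18 19:30:27 vm sshd[29486]: Failed password for invalid user joe from 222.122.227.26 port 36011 ssh2
Feb 18 19:31:02 vm sshd[29501]: Failed password for root from 10.0.0.5 port 51000 ssh2
Feb 18 19:31:10 vm sshd[29510]: Failed password for admin from 198.51.100.7 port 40000 ssh2
Feb 18 19:31:40 vm sshd[29520]: Accepted publickey for admin from 198.51.100.7 port 40001 ssh2
"""

# One regex for both failure shapes sshd logs: "invalid user X" (account does
# not exist) and plain "for X" (account exists, wrong password).  The IP is
# read only from the "from <ip> port" clause; the user-name field is
# attacker-controlled and must never be trusted as the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed thresholds for this example (DenyHosts sets its own in its config).
THRESHOLD_INVALID = 3   # failures against non-existent accounts
THRESHOLD_VALID = 5     # failures against existing non-root accounts
THRESHOLD_ROOT = 1      # any failure against root


def parse_failures(log_text):
    """Return {ip: Counter({'invalid': n, 'valid': n, 'root': n})}."""
    per_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, PAM chatter, disconnects: ignored
        if m.group("invalid"):
            kind = "invalid"
        elif m.group("user") == "root":
            kind = "root"
        else:
            kind = "valid"
        per_ip.setdefault(m.group("ip"), Counter())[kind] += 1
    return per_ip


def load_allowed_hosts(text):
    """Parse an allow-list: one IP per line, '#' starts a comment."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            allowed.add(line)
    return allowed


def hosts_to_deny(per_ip, allowed):
    """Sorted IPs over any threshold, minus the allow-list (never lock yourself out)."""
    deny = set()
    for ip, c in per_ip.items():
        if ip in allowed:
            continue
        if (c["invalid"] >= THRESHOLD_INVALID
                or c["valid"] >= THRESHOLD_VALID
                or c["root"] >= THRESHOLD_ROOT):
            deny.add(ip)
    return sorted(deny)


def hosts_deny_lines(ips, service="sshd"):
    """Format entries the way /etc/hosts.deny expects them."""
    return [f"{service}: {ip}" for ip in ips]


if __name__ == "__main__":
    # Constructed allow-list: the 10.0.0.5 failure is my own typo, not an attack.
    allowed = load_allowed_hosts("10.0.0.5   # home office\n")
    per_ip = parse_failures(SAMPLE_LOG)
    for entry in hosts_deny_lines(hosts_to_deny(per_ip, allowed)):
        print(entry)
```

Run against the sample it prints `sshd: 222.122.227.26` only: the scanner crossed the invalid-user threshold, the root failure from 10.0.0.5 is exempted by the allow-list, and the single admin failure from 198.51.100.7 stays under the valid-user threshold.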

Installation on CentOS

Get the RPM from the EPEL repository ( there are a great number of useful RPMs in EPEL and it is well worth adding to yum ) :-

yum install denyhosts

Edit the configuration file

vi /etc/denyhosts.conf

The default settings will work fine but you may want to change things such as :-

ADMIN_EMAIL   if you want to be emailed about blocked hosts

The date format and log format.

The deny thresholds and how long a blocked host stays in hosts.deny.

The configuration file is very well documented.
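For orientation, an illustrative excerpt of the kind of settings involved, added here and not copied from the shipped file; the key names are as I recall them from DenyHosts' own config and the values are examples, so check each one against the comments in /etc/denyhosts.conf before relying on it:

```ini
# Illustrative excerpt (assumed key names and example values), not the shipped
# /etc/denyhosts.conf. Verify against the comments in the real file.
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
WORK_DIR = /var/lib/denyhosts

# How many failures before an address is written to hosts.deny.
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1

# Drop entries older than this from hosts.deny (empty = never purge).
PURGE_DENY = 4w

ADMIN_EMAIL = root@localhost

# Daemon mode settings.
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
```

Setting PURGE_DENY matters on a long-running box: without it hosts.deny grows without bound, and a dynamic address that was once a scanner stays blocked forever.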

Run the script on your /var/log/secure file :-

denyhosts.py --file=/var/log/secure

Then cat /etc/hosts.deny to see all the hosts it has found causing problems.

vi /var/lib/denyhosts/allowed-hosts and add the IP addresses you never want blocked, one per line. Do this before starting the daemon: a mistyped password from your own machine counts as a failure like any other.

Check if denyhosts will be started automatically at boot :-

-bash-3.2# chkconfig --list denyhosts
denyhosts          0:off    1:off    2:on    3:on    4:on    5:on    6:off

Then start it up :-

-bash-3.2# service denyhosts start
