Date:      Tue, 19 Jan 2010 09:52:15 +0000
From:      Daniel Bye <>
Subject:   Re: /etc/hosts.deniedssh

On Tue, Jan 19, 2010 at 02:22:03AM +0200, Ed Jobs wrote:
> On Tuesday 19 January 2010 00:39, David Southwell wrote:
> > Examples from hosts.deniedssh
> > I seem to be on the receiving end of a concerted series of unsuccessful
> > break-in attacks on one of our systems. One small part of the attack has
> > resulted in over 2000 entries in our hosts.deniedssh file in less than 1
> > hour.
> > 
> > I would be interested in any comments on the small example shown below
> > and any advice.
> > 
> > Thanks in advance
> > 
> > David
> <snip>
> 2k entries are too much indeed. 


wc -l /etc/hosts.deniedssh
12476 /etc/hosts.deniedssh

Unless you mean specifically that a couple thousand in an hour is a lot, 
which I'd agree with, but wouldn't necessarily worry about it.

> are you running ssh on port 22?
> if yes, (and your users are ok with it) you can change it to another port.

No, don't do that. Instead, consider using public key authentication and
disabling password authentication. There are also various settings you can
tweak to control the number of unsuccessful login attempts you are prepared
to tolerate from an address in a predefined interval. sshd_config(5) will
show you the way. Additionally, put all your permitted ssh users in a 
new group, and set the sshd config option AllowGroups.

Better yet, as others have suggested, filter with a firewall - if you 
use pf, you can leverage your /etc/hosts.deniedssh file by using it to
populate a pf table. You will need to configure DenyHosts to not resolve
ip addresses, and then you can put these in /etc/pf.conf:

table <denyhosts> persist file "/etc/hosts.deniedssh"

block in log quick on $ext_if from <denyhosts> to any

(Be sure to put these in suitable places. I don't have examples of using
ipf or ipfw, but I'm sure they can handle it just as well.)

DenyHosts provides a plugin system that allows you to run an arbitrary
command upon addition or purging of an address. I use it to reload my
pf <denyhosts> table so I can be reasonably sure that the firewall's 
opinion of whom to block is congruent with what DenyHosts thinks. A simple
`pfctl -t denyhosts -T reload -f /etc/hosts.deniedssh' should be sufficient
in either case, but you can get as fancy as you like.

> or maybe, temporary disable ssh login and use cron to enable it again in 
> some time in the future.

I would recommend against this, on the grounds that there may be a real
administrative need to connect to the server during this dark period. With
no ssh service until cron does its thing, you have no way of getting in,
which makes me far more nervous than people knocking at my ssh port...

Daniel Bye
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
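The message above suggests feeding the DenyHosts file into a pf table and using a DenyHosts plugin hook to keep the table in sync. The script below is an added example, not code from the message or from the DenyHosts project. It normalises a hosts.deniedssh file into a pf table file (one IPv4 address per line, dropping comments, duplicates, resolved hostnames and an optional "sshd:" prefix, so it still works if DenyHosts was left resolving addresses) and then loads it with pfctl's `-T replace` subcommand. The file paths, the table name and the way the hook is invoked (DenyHosts passing the offending address as an argument, which the script ignores and rebuilds from the file instead) are assumptions; pf.conf is assumed to declare `table <denyhosts> persist file "/var/db/denyhosts.pf"`, i.e. pointing at the normalised file rather than at hosts.deniedssh directly.

```shell
#!/bin/sh
# Added example: DenyHosts plugin hook that rebuilds a pf table file from
# hosts.deniedssh and reloads the <denyhosts> table. Paths and table name
# are assumptions; override them through the environment.
DENY_FILE="${DENY_FILE:-/etc/hosts.deniedssh}"
TABLE_FILE="${TABLE_FILE:-/var/db/denyhosts.pf}"
TABLE_NAME="${TABLE_NAME:-denyhosts}"

# extract_ips FILE: print each distinct, syntactically valid IPv4 address
# found in FILE, one per line. Comments, a leading "service:" prefix
# (e.g. "sshd: 10.0.0.1"), hostnames and malformed octets are dropped so
# that the output is always acceptable to "pfctl -T replace -f".
extract_ips() {
    sed -e 's/#.*//' -e 's/^[^0-9]*: *//' "$1" |
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        n = split($1, o, ".")
        ok = (n == 4)
        for (i = 1; i <= 4; i++)
            if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
        if (ok && !seen[$1]++) print $1
    }'
}

# build_table_file: write the normalised address list atomically to
# TABLE_FILE and print the number of addresses written.
build_table_file() {
    extract_ips "$DENY_FILE" > "$TABLE_FILE.tmp" || return 1
    mv "$TABLE_FILE.tmp" "$TABLE_FILE" || return 1
    wc -l < "$TABLE_FILE" | tr -d ' '
}

# reload_table: replace the kernel's table contents with the file. When
# pfctl is unavailable (e.g. when testing on a non-pf host) only report
# what would have been run.
reload_table() {
    count=$(build_table_file) || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$TABLE_NAME" -T replace -f "$TABLE_FILE"
    else
        echo "pfctl not found; would run: pfctl -t $TABLE_NAME -T replace -f $TABLE_FILE ($count addresses)" >&2
    fi
}

# Run the hook only when invoked with "run" (DenyHosts passes the address
# as a further argument, which is ignored here; that calling convention
# is an assumption). Sourcing the file defines the functions only.
if [ "${1:-}" = "run" ]; then
    reload_table
fi
```

Pointing pf.conf at the normalised file means a plain `pfctl -f /etc/pf.conf` at boot loads the same addresses the hook maintains, and any hostname that slipped into hosts.deniedssh can no longer make the table load fail.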
