Several times a day, computers somewhere in India or China (usually) launch brute force and dictionary attacks on my server to try and get SSH access. To anyone running their own server who regularly browses their SSH logs (/var/log/secure or /var/log/auth.log, depending on your distro) this is old news. Checking my logs, I’d see 80-100 failed login attempts from a single IP address trying a whole ass-load of non-existant user names and passwords.

I have SSH locked down fairly well, with remote root logins off and disabling password authentication in favor of RSA based keys. However, I opted to leave SSH on the default port 22, which undoubtedly accounts for all the attacks. Usually, I’d place the offending IP in my /etc/hosts.deny file, banning it for eternity with an “ALL:[bad IP address]“. Still, this meant that I banned them after the fact.

So, I installed DenyHosts. It’s a python script that can run as a daemon, monitoring my /var/log/auth.log for login attempts using non-valid users and/or passwords. After a few failed or invalid logins, the attacking IP is automatically added to /etc/hosts.deny, nipping a prolonged attack in the bud—just the way I like it.

DenyHosts is highly configurable, letting you you specify all types of rules such as how many failed logins are allowed before banning, specifics of what services to ban and for how long (hours, years, eternity). You can have DenyHosts email reports to you and also have it synchronize against a master list of bad IPs that’s bolstered by over 4,000 users. It’s pretty damn cool. In one day, I had three separate attacks, promptly caught and banned.