[Edlug Archive Mar 2007]

Re: [edlug] Advice Please : "denyhosts"

On Sat, Mar 10, 2007 at 04:20:34PM +0000, Barclay Weir wrote:

> A recent requirement having arisen to enable remote acces to my SuSE 9.3 
> machine from a Windows box, I enabled OpenSSH via the standard port with 
> TightVNC and RSA keys at each end. This immediately resulted in concerted 
> prolonged dictionary attacks which were successfully repulsed. 

If you are using key authentication with SSH, then simply disallow
authentication by password (PasswordAuthentication No) or PAM (UsePAM

> Coincidentally an edlug thread arose which introduced me to "denyhosts", 
> which I sourced and installed on SuSE. I have synced with the centrally 
> held list of baddies - both send and receive, and now have about 4000 of 
> them in hosts.deny. Currently, I have chosen not to purge this list which 
> continues to grow hourly.
> This has given rise to two questions :
> 1	What is the purpose of purging hosts.deny if one chooses to sync with the
>         centrally held list? ... Would it not just be repopulated with the
>         same list after the next sync interval?

Presumably, yes. However, the central list may be periodically reduced
in size as miscreant hosts are removed from the network. 

> 2	What will be the impact (if any) of allowing hosts.deny to continue to
>         grow without limit?

Anything that uses tcpwrappers (including inetd) will slow down every time a new
connection is made. However, the file will need to be pretty big or
the number of connections quite high for the slowdown to be
noticeable. If you want to test it, try generating a few thousand
addresses on private networks and adding them to the deny lists to see
what happens. 

However if you must keep SSH password authentication enabled, try
using a log analysing tool like fail2ban
(http://www.fail2ban.org/wiki/index.php/Main_Page) which looks for
repeated failed authentication attempts in auth.log and inserts a
temporary iptables rule to drop packets from the miscreant address.
Much better than centralised deny lists IMO.

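The fail2ban approach recommended in the reply, as an added example that is not part of the original thread and not fail2ban's own code: it replays auth.log lines, counts "Failed password" events per source address inside a sliding window, and builds the iptables command that would insert a temporary DROP rule, together with the matching delete once the ban has run out. The log lines are constructed (hostname, PIDs and RFC 5737 documentation addresses are made up), the year is assumed because syslog timestamps carry none, and the thresholds (3 failures in 10 minutes, 10 minute ban) are assumptions standing in for fail2ban's maxretry, findtime and bantime settings. The commands are only built, never executed.

```python
"""Fail2ban-style sshd log analyser (added example, not fail2ban's own code).

Reads auth.log lines, counts 'Failed password' events per source address
inside a sliding window, and builds the iptables command that would add a
temporary DROP rule, plus the matching delete when the ban expires.
The commands are only built, never executed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, standing in for fail2ban's maxretry / findtime / bantime.
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=10)
YEAR = 2007  # assumed: syslog timestamps carry no year

# Classic OpenSSH failure line:
# "<ts> <host> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> port <port> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_ts(ts, year=YEAR):
    """Turn a syslog timestamp ('Mar 10 16:20:34' or 'Mar  3 ...') into a datetime."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def iptables_ban(ip):
    return f"iptables -I INPUT -s {ip} -j DROP"


def iptables_unban(ip):
    return f"iptables -D INPUT -s {ip} -j DROP"


def analyse(lines, year=YEAR):
    """Replay auth.log lines; return (actions, still_banned).

    actions is a chronological list of (kind, ip, iptables_command) with kind
    'ban' or 'unban'; still_banned maps ip -> expiry for bans still in force
    when the log ends.  Expiry is driven by log time here (fail2ban uses a
    timer) so that the replay is deterministic.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps inside FINDTIME
    banned = {}                  # ip -> expiry datetime
    actions = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other noise are irrelevant
        t = parse_ts(m["ts"], year)
        # Lift bans whose BANTIME has run out before handling this event.
        for ip, expiry in sorted(banned.items(), key=lambda kv: kv[1]):
            if expiry <= t:
                del banned[ip]
                actions.append(("unban", ip, iptables_unban(ip)))
        ip = m["ip"]
        if ip in banned:
            continue  # DROP rule already in place; nothing more to do
        window = recent[ip]
        window.append(t)
        while t - window[0] > FINDTIME:
            window.popleft()  # forget failures older than FINDTIME
        if len(window) >= MAXRETRY:
            banned[ip] = t + BANTIME
            window.clear()
            actions.append(("ban", ip, iptables_ban(ip)))
    return actions, banned


# Constructed sample: a fast dictionary attack (192.0.2.10), a user who
# mistyped once before key auth succeeded (198.51.100.7), and a slow attacker
# pacing one guess every six minutes, below the threshold (203.0.113.5).
SAMPLE_AUTH_LOG = """\
Mar 10 16:20:34 suse sshd[4711]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar 10 16:20:36 suse sshd[4713]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2
Mar 10 16:20:39 suse sshd[4715]: Failed password for root from 192.0.2.10 port 40141 ssh2
Mar 10 16:20:40 suse sshd[4716]: Failed password for root from 192.0.2.10 port 40150 ssh2
Mar 10 16:22:01 suse sshd[4720]: Failed password for barclay from 198.51.100.7 port 51000 ssh2
Mar 10 16:22:09 suse sshd[4720]: Accepted publickey for barclay from 198.51.100.7 port 51000 ssh2
Mar 10 16:25:00 suse sshd[4730]: Failed password for invalid user test from 203.0.113.5 port 3022 ssh2
Mar 10 16:31:00 suse sshd[4740]: Failed password for root from 203.0.113.5 port 3044 ssh2
Mar 10 16:37:00 suse sshd[4750]: Failed password for root from 203.0.113.5 port 3080 ssh2
"""

if __name__ == "__main__":
    acts, still = analyse(SAMPLE_AUTH_LOG.splitlines())
    for kind, ip, cmd in acts:
        print(f"{kind:5} {ip:15} {cmd}")
    print("still banned at end of log:", sorted(still))
```

On the sample, only 192.0.2.10 is banned (at its third failure) and unbanned ten minutes later; the single mistyped password from 198.51.100.7 is never enough, and the slow attacker at 203.0.113.5 stays under the threshold because its failures never fit three into one ten-minute window. That last case is the tuning trade-off with this approach: a longer findtime catches patient guessing but also makes an occasional legitimate typo more likely to accumulate into a ban.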