DenyHosts: Automated SSH Brute Force Response System

Posted on September 2nd, 2007 in Tech Tips by gmendoza

DenyHostsDenyHosts is a project that adds a protective layer to an SSH server by automatically blocking malicious hosts that use brute force or dictionary attacks. If you have SSH services enabled and accessible from the internet, you will likely have thousands of failed login attempts from several sources within a very short period of time. DenyHosts monitors all login attempts, and based on a customizable rule-set can block hosts from making further connections if an attack pattern is matched.Using tcp_wrappers, the DenyHosts service elegantly manages entries in the /etc/hosts.deny file, adding and removing hosts when thresholds are crossed. i.e. Three failed logins with unknown user accounts; Three failed logins with root account; Five failed logins with known user accounts; Unblock host after a set period of time; etc. You can also specify whether DenyHosts blocks access to SSH or ALL services, thereby mitigating any other attack vectors the offender might try next.A most valuable feature that makes DenyHosts even more attractive is the optional centralized reporting system. The service can be configured to report all abusive hosts to the DenyHosts collection server, and automatically import a list of IP addresses that others have reported. This network of intelligence gathering and incident response helps to thwart a large number of attacks before they happen, because the attackers (most of which are automated bots) are blocked before they have a chance to move on to other protected servers.Other useful features include email notification when hosts are blocked, and counter resets after successful authentication to prevent accidental blacklisting caused by fat fingered admins. :-)

For those of you using Ubuntu 7.04 (Feisty Fawn) and above, it is available in the Universe repository:

$ sudo apt-get install denyhosts

Edit and customize /etc/denyhosts.conf for your desired options, and restart the service:

$ sudo /etc/init.d/denyhosts restart

Ubuntu 6.06.1 LTS will need a manual installation, as it is not included in the repositories.

Be sure to check out the project at http://denyhosts.sourceforge.net.

Secure Internet Access via SSH Proxy

Posted on June 22nd, 2007 in Tech Tips by gmendoza

An OpenSSH server can be used as a SOCKS compliant proxy, allowing one to tunnel virtually any type of traffic via the SSH protocol. This is very useful when surfing the web on untrusted networks such as hotel internet services and wireless hotspots. You just never know who’s snooping in on your data.

All you need is external access to a trusted OpenSSH server, perhaps the one you have at home, work, etc. If you’re using your laptop to surf the internet at your local coffee shop, you’ll simply need to establish a connection to that external SSH server using the appropriate client variables, and configure your web browser’s proxy settings to connect to a locally defined TCP port.

Backup Delivery via SSH

Posted on June 5th, 2007 in Tech Tips by gmendoza

If you’re not going to use tapes, CD’s, DVD’s, or other form of attached media for storing your backups, you’re more than likely going to use some form of a remote network storage repository. There are many ways to ship your *nix backups across a network to a remote file system. Using SSH (and its related tools) is among the most popular methods for this delivery process as it can be relatively fast, free, secure, and very flexible.

In the following examples, I’ll show you three ways to ship an archived folder to a remote SSH server.