When I saw this in my daily log report. I was like WTF! Script kiddies are having fun. Little bit of Googling and I installed the denyhosts package on Feodra Core 7. Here’s the step by step guide.
shell>yum install denyhosts
Most probably denyhosts is going to run on server restarts. However, make sure that’s the case by
shell>chkconfig denyhosts on
The denyhosts package watches the /var/log/secure log file at a fixed interval and then when it finds a match (like illegal login attempts, etc.) it adds an entry in the /etc/hosts.deny file. The /etc/hosts.deny file contains pairs of entries in network daemon, client ip (or hostname) format which looks like this:
After installing the denyhosts package, you can tweak the configuration by modifying the /etc/denyhosts.conf file. Here’s what I changed essentially
#Block the host after 3 failed attempts
#for non-existing logins
DENY_THRESHOLD_INVALID = 3
#Block the host after 5 failed
#attempts of existing logins
DENY_THRESHOLD_VALID = 5
#Block after 3 failed attempts for root login.
#Ideally, you should disable root login for ssh
DENY_THRESHOLD_ROOT = 3
#Good idea to capture the host name from IP
#I left this blank as we capture the
#reports via logwatch
Here’s what my /etc/hosts.deny looked like after a few days
# DenyHosts: Sun Sep 7 06:00:08 2008 | sshd: 220.127.116.11
# DenyHosts: Sun Sep 7 18:34:01 2008 | sshd: 18.104.22.168
# DenyHosts: Mon Sep 8 05:05:04 2008 | sshd: 22.214.171.124
# DenyHosts: Tue Sep 9 01:36:18 2008 | sshd: 126.96.36.199
Don’t forget to restart denyhosts if you change the config file.