Automatically prevent SSH DOS attacks on Linux using denyhosts

There's a really nice python based package named "denyhosts" which scans for repeated authentication failure from certain IP addresses and denies SSH access from those IP address into your machine.
This is really good if you have SSH port open on your live servers. I tried this on a Debian server that I have.

Although its very easy to implement it, I'm going to blog the steps.

1. Install the software

apt-get install denyhosts

2. Edit the /etc/denyhosts.conf

In case of my debian system, the authentication failures were getting logged in /var/log/auth/auth.info, hence I changed the following line from its default.

SECURE_LOG = /var/log/auth/auth.info

3. Restart the denyhosts service.

/etc/init.d/denyhosts restart



Now test if this really works

1. On a separate Linux system (attacker), create a script named brute.sh (ensure you have package `expect` and its dependencies installed: apt-get install expect) with following contents

#!/usr/bin/expect -f
set timeout -1
spawn ssh -l user1 10.1.0.200
set pass xyzRANDOM
expect {
password: {send "$pass\r" ; exp_continue}
eof exit
}

Here, 10.1.0.200 is the IP address of the system under attack (target). The target system may have a user "user1" but not the same password "xyzRANDOM".


2. Now from shell run the brute.sh in infinite loop like this

while true ; do /root/brute.sh ; done

Keep the script running for sometime and parallely monitor, /etc/hosts.deny on the target Linux box.

3. Once the loop above starts showing the following line "ssh_exchange_identification: Connection closed by remote host" , it means denyhosts software has detected brute force attach from attacker IP.
The /etc/hosts.deny file will contain the IP address of the attacker machine. In my case it appeared like this

sshd: 10.1.254.200


Note:
1. The first time denyhosts service ran, it took longer. I think it parsed through the auth.info file for already logged authentication failues and simply put those IP addresses in the /etc/hosts.deny file.
2. The brute.sh is a simple script meant to check if the denyhosts is really working. In real world, brute force attack may use different sets of username and passwords. However, since denyhosts works on the principle of IP address, it would detect the failures and deny those IP addresses.

Pretty neat!