Stop Brute Force Attack on SSH

Kyle A. Dawson kyle.a.dawson@gmail.com
Mon Feb 18 03:34:00 GMT 2008


That is what I was looking for.  I will try this tonight, thanks.

-----Original Message-----
From: cygwin-owner@cygwin.com [mailto:cygwin-owner@cygwin.com] On Behalf Of
René Berber
Sent: Sunday, February 17, 2008 7:53 PM
To: cygwin@cygwin.com
Subject: Re: Stop Brute Force Attack on SSH

Kyle Dawson wrote:

> How can I stop attacks on my ssh daemon?   I see thousands of attempts every
> day.  I have, I believe good password policy but since I have clients, not
> 100% sure.  Is there some config that I can set?  One ip address comes in
> and tries for a day or so.  Can it see that it is the same ip and just
> deny?  Any tools that can help?

Install DenyHosts or Fail2ban :

   http://denyhosts.sourceforge.net/
   http://www.fail2ban.org/wiki/index.php/Main_Page

Both are Python programs and both use the syslog log (either syslog-ng 
or the syslog which comes with inetutils), so you have to install that 
first from the Cygwin packages (i.e. using Cygwin's setup.exe), then 
since there is no package for DenyHosts or Fail2ban, download the 
source, expand the package (with 'tar xvf <name-of-package.tar.gz>') and do:

   python setup.py install

To finish with DenyHosts you need to configure it, meaning edit the file 
in /usr/share/denyhosts/denyhosts.cfg; only a few things need changing, but 
it is better to get acquainted with the available options, and also edit 
the 3 lines near the top of /usr/share/denyhosts/daemon-control.  Add 
the service using:

cygrunsrv -I DenyHosts -p /usr/share/denyhosts/daemon-control -a start \
-d DenyHosts -f "DenyHosts 2.6" -y sshd -x /var/run/denyhosts.pid -o

cygrunsrv -S DenyHosts

The (interesting) options I use in the config file are:

SECURE_LOG = /var/log/messages
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1d
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
LOCK_FILE = /var/run/denyhosts.pid
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes
USERDEF_FAILED_ENTRY_REGEX=User (?P<user>\S+) from (::ffff:)?(?P<host>\S+) not allowed because not listed in.*
DAEMON_LOG = /var/log/denyhosts
DAEMON_LOG_TIME_FORMAT = %b %d %T
DAEMON_SLEEP = 15s
DAEMON_PURGE = 1h
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
SYNC_DOWNLOAD_RESILIENCY = 5h

Optionally you can create 2 files to add which users are "critical", 
since there is no root in Windows I added Administrator and a few others 
that are favorites of dictionary attacks.  Also the white list.  Those 2 
files don't exist by default, they are:

   /usr/share/denyhosts/data/allowed-hosts
   /usr/share/denyhosts/data/restricted-usernames

But of course all that is documented.
-- 
René Berber


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
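Added example (not part of the mailing-list thread and not DenyHosts' own code): a small Python script that mirrors the logic the DENY_THRESHOLD_*, RESET_ON_SUCCESS, BLOCK_SERVICE and USERDEF_FAILED_ENTRY_REGEX settings quoted above describe. It reads sshd syslog lines, counts failed logins per source host in the four categories DenyHosts distinguishes (invalid user, valid user, root, restricted user), resets a host's counters on a successful login, skips whitelisted hosts, and emits the hosts.deny lines that would block the offenders. The log lines, the restricted-username list and the allowed-hosts list are constructed for the example; the sshd message formats for "Failed password", "Accepted password" and "not allowed because not listed in" are the standard OpenSSH ones.

```python
import re
from collections import defaultdict

# Thresholds copied from the DENY_THRESHOLD_* values quoted in the post.
DENY_THRESHOLD = {"invalid": 3, "valid": 5, "root": 1, "restricted": 1}
BLOCK_SERVICE = "sshd"          # BLOCK_SERVICE from the post
RESET_ON_SUCCESS = True         # RESET_ON_SUCCESS = yes
ROOT_USER = "root"
# Stand-ins for the two optional data files mentioned in the post
# (restricted-usernames and allowed-hosts); contents are assumed.
RESTRICTED_USERNAMES = {"Administrator"}
ALLOWED_HOSTS = {"10.0.0.5"}

# Standard OpenSSH log formats; "(::ffff:)?" strips IPv4-mapped prefixes.
FAILED_INVALID_RE = re.compile(
    r"Failed \S+ for invalid user (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")
FAILED_VALID_RE = re.compile(
    r"Failed \S+ for (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")
SUCCESS_RE = re.compile(
    r"Accepted \S+ for (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")
# The USERDEF_FAILED_ENTRY_REGEX from the post, unwrapped onto one line.
USERDEF_RE = re.compile(
    r"User (?P<user>\S+) from (::ffff:)?(?P<host>\S+) not allowed because not listed in.*")

# Constructed sample syslog lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Feb 17 19:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Feb 17 19:01:05 host sshd[1235]: Failed password for invalid user test from 203.0.113.5 port 4023 ssh2
Feb 17 19:01:08 host sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 4024 ssh2
Feb 17 19:02:00 host sshd[1240]: Failed password for kyle from 198.51.100.7 port 5001 ssh2
Feb 17 19:02:30 host sshd[1241]: Accepted password for kyle from 198.51.100.7 port 5002 ssh2
Feb 17 19:03:00 host sshd[1250]: Failed password for Administrator from 192.0.2.9 port 6001 ssh2
Feb 17 19:04:00 host sshd[1260]: User guest from ::ffff:192.0.2.10 not allowed because not listed in AllowUsers
Feb 17 19:05:00 host sshd[1270]: Failed password for root from 10.0.0.5 port 7001 ssh2
"""


def parse_line(line):
    """Return ("success"|"failed", user, host, invalid_user) or None if the line is irrelevant."""
    m = SUCCESS_RE.search(line)
    if m:
        return "success", m["user"], m["host"], False
    # A user rejected by AllowUsers/DenyUsers is counted like an invalid user (assumption).
    m = FAILED_INVALID_RE.search(line) or USERDEF_RE.search(line)
    if m:
        return "failed", m["user"], m["host"], True
    m = FAILED_VALID_RE.search(line)
    if m:
        return "failed", m["user"], m["host"], False
    return None


def classify(user, invalid_user):
    """Map an attempt to the DenyHosts threshold category it counts against."""
    if user == ROOT_USER:
        return "root"
    if user in RESTRICTED_USERNAMES:
        return "restricted"
    return "invalid" if invalid_user else "valid"


def tally(log_text):
    """Count failed logins per host and category; a success wipes that host's counters."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, user, host, invalid_user = parsed
        if kind == "success":
            if RESET_ON_SUCCESS:
                counts.pop(host, None)
            continue
        counts[host][classify(user, invalid_user)] += 1
    return counts


def hosts_to_deny(log_text):
    """Hosts that reached any category threshold, minus the whitelist, sorted."""
    blocked = []
    for host, cats in tally(log_text).items():
        if host in ALLOWED_HOSTS:
            continue
        if any(n >= DENY_THRESHOLD[cat] for cat, n in cats.items()):
            blocked.append(host)
    return sorted(blocked)


def hosts_deny_lines(hosts, service=BLOCK_SERVICE):
    """Render hosts.deny entries in the "daemon: client" form TCP wrappers expect."""
    return [f"{service}: {host}" for host in hosts]


if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_deny(SAMPLE_LOG)):
        print(entry)
```

Run against the sample log, the script blocks 203.0.113.5 (three invalid-user failures, meeting DENY_THRESHOLD_INVALID) and 192.0.2.9 (one attempt on the restricted name Administrator), leaves 198.51.100.7 alone because the later successful login reset its counter, does not yet block 192.0.2.10 (one AllowUsers rejection, below the threshold of 3), and ignores 10.0.0.5 because it is whitelisted even though a single root failure would otherwise be enough.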

