Lyte's Blog

Bad code, bad humour and bad hair.

Ssh Crackers Suck

Every now and then I rebuild a machine that I’m leaving permanently plugged into the internet and available via ssh. I limit ssh to key-based logins only and I encrypt all my keys, so I’m reasonably comfortable that this is “secure enough”, but after a couple of months I always notice that I’m getting heaps of connections to ssh that are slowing down my link.

The security implications don’t really bother me, because I basically trust the rest of the security I’ve implemented, but there is a trivial way to stop this and I always forget what it is.

I found it again so I thought I’d write it down somewhere… In Ubuntu, just install “denyhosts”. If your config is still mostly standard, sshd will be pumping authentication errors into /var/log/auth.log, and denyhosts will simply pick these up and put the relevant bad IPs in /etc/hosts.deny.
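To make that mechanism concrete, here is an added example (my code, not denyhosts’ own and not from the original post): a small Python scanner that reads sshd lines in auth.log format, counts failures per source IP, and prints the `daemon: client` entries that would go into /etc/hosts.deny once an IP passes a threshold. The sample log lines are constructed using RFC 5737 documentation addresses; the threshold of 3 and the `sshd:` daemon name are assumptions chosen for the demonstration.

```python
"""Added example: a minimal denyhosts-style scanner for sshd auth.log lines.

Not denyhosts' own code. It reproduces the mechanism the post describes:
read sshd failures from /var/log/auth.log, count them per source IP, and
emit /etc/hosts.deny entries (daemon: client) for IPs over a threshold.
The sample log below is constructed from RFC 5737 documentation addresses.
"""
import re
from collections import Counter

# Constructed sample in classic syslog-style sshd format. Newer OpenSSH
# appends " port NNNN" to the "Invalid user" line as well, which is why the
# IP is matched explicitly instead of taking "everything after 'from'".
SAMPLE_AUTH_LOG = """\
Mar  3 04:12:01 host sshd[2211]: Invalid user test from 203.0.113.5
Mar  3 04:12:01 host sshd[2211]: Failed password for invalid user test from 203.0.113.5 port 41022 ssh2
Mar  3 04:12:03 host sshd[2214]: Invalid user oracle from 203.0.113.5
Mar  3 04:12:05 host sshd[2216]: Invalid user admin from 203.0.113.5 port 41030
Mar  3 04:12:07 host sshd[2218]: Invalid user guest from 203.0.113.5
Mar  3 04:13:10 host sshd[2230]: Invalid user postgres from 198.51.100.20
Mar  3 04:13:12 host sshd[2232]: Invalid user test from 198.51.100.20
Mar  3 04:15:00 host sshd[2240]: Accepted publickey for lyte from 192.0.2.10 port 50000 ssh2
Mar  3 04:16:00 host sshd[2250]: Failed password for root from 198.51.100.77 port 3344 ssh2
Mar  3 04:16:01 host sshd[2250]: Failed password for root from 198.51.100.77 port 3344 ssh2
Mar  3 04:16:02 host sshd[2250]: Failed password for root from 198.51.100.77 port 3344 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# A guess at a user name that does not exist on the box.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from " + IPV4)

# Wrong password for an account that does exist (e.g. root). sshd also logs
# "Failed password for invalid user X from ..." right after each "Invalid
# user" line; the negative lookahead skips those so an attempt counts once.
FAILED_VALID_USER = re.compile(
    r"sshd\[\d+\]: Failed password for (?!invalid user )(\S+) from " + IPV4
)


def count_failures(log_text):
    """Return (attempts_per_ip, attempts_per_username) from auth.log text."""
    per_ip = Counter()
    per_user = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line) or FAILED_VALID_USER.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, ip = m.group(1), m.group(2)
        per_ip[ip] += 1
        per_user[user] += 1
    return per_ip, per_user


def hosts_deny_entries(per_ip, threshold=3, daemon="sshd"):
    """hosts.deny lines ('daemon: client') for IPs at or above the threshold.

    Most attempts first, so the output reads like the post's sorted pipeline.
    """
    return [f"{daemon}: {ip}" for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    ips, users = count_failures(SAMPLE_AUTH_LOG)
    print("attempts per IP:", ips.most_common())
    print("top usernames:", users.most_common(5))
    print("\n".join(hosts_deny_entries(ips)))
```

Two caveats a practitioner should keep in mind. First, grepping only for `Invalid user` shows attempts against accounts that do not exist; attempts against real accounts (root, your own login) appear as `Failed password for <user>` and are counted separately here, as denyhosts does. Second, /etc/hosts.deny is enforced by TCP Wrappers (libwrap); OpenSSH dropped libwrap support in 6.7, so on a current distribution sshd will ignore hosts.deny entirely and the same idea has to be implemented with firewall rules (fail2ban or an nftables/iptables set) instead.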

denyhosts picked up all but the bottom three IPs that had been trying to crack my system:

# grep 'Invalid user' /var/log/auth.log | sed 's/.*Invalid user //g' | sed 's/.* from//g' | sort | uniq -c | sort -nr
   1404  203.110.240.71
    264  210.169.213.211
    179  210.51.191.165
    134  217.91.230.179
     75  222.73.205.9
     28  125.141.237.100
     14  58.254.201.113
      9  88.134.254.37
      9  219.238.166.101
      8  212.76.68.158
      2  217.97.185.35
      2  122.155.5.132
      2  118.129.153.43

… those guys weren’t very dedicated anyway, I’ll give them another chance to lift their game.

They tried a massive range of different user names:

# grep 'Invalid user' /var/log/auth.log | sed 's/.*Invalid user //g' | sed 's/ from.*//g' | sort | uniq -c | sort -nr | wc -l
1071

Apparently the first few times they tried some of these names they had the wrong password though:

# grep 'Invalid user' /var/log/auth.log | sed 's/.*Invalid user //g' | sed 's/ from.*//g' | sort | uniq -c | sort -nr | head -20
     67 test
     49 oracle
     47 admin
     46 user
     37 guest
     24 postgres
     22 administrator
     21 web
     21 vmail
     21 master
     21 info
     19 teamspeak
     18 tomcat
     18 ftp
     17 webmaster
     15 jboss
     14 ubuntu
     14 operator
     14 eric
     13 vsifax

Little did they know that password authentication is not configured to let anyone in, let alone this “test” fellow.
