Every now and then I rebuild a machine that I’m leaving permanently plugged into the internet and available via ssh. I limit ssh to key-based logins only and I encrypt all my keys, so I’m reasonably comfortable that this is “secure enough”, but after a couple of months I always notice that I’m getting heaps of connections to ssh that are slowing down my link.
The security implications don’t really bother me because I basically trust the rest of the security I’ve implemented, but there is a trivial way to stop this and I always forget what it is.
I found it again so I thought I’d write it down somewhere… In Ubuntu, just install “denyhosts”. If your sshd and syslog configuration are still mostly stock, sshd will be logging every authentication failure (“Failed password for invalid user test from 1.2.3.4 …”) to /var/log/auth.log; denyhosts tails that file, counts the failures per source IP, and once an IP crosses its threshold it appends an “sshd: 1.2.3.4” entry to /etc/hosts.deny so tcp_wrappers refuses that host before sshd even sees the connection.
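To make the mechanism concrete, here is a small added example (my own code, not denyhosts itself) that does the core of what denyhosts does: parse sshd failure lines from auth.log, tally them per source IP, and render hosts.deny entries for the addresses that cross a threshold. The thresholds are hypothetical values loosely modelled on denyhosts’ separate root / invalid-user / valid-user knobs, the log lines are constructed in auth.log’s syslog format using documentation-range IPs, and the allow-list parameter is my addition so you can never lock out your own address.

```python
"""Minimal denyhosts-style scanner: count sshd authentication failures per
source IP in auth.log lines and emit /etc/hosts.deny entries for offenders."""
import re
from collections import Counter, defaultdict

# Match the failure lines sshd writes to /var/log/auth.log, e.g.
#   "Failed password for root from 203.0.113.5 port 40231 ssh2"
#   "Failed password for invalid user test from 203.0.113.7 port 40232 ssh2"
#   "Failed publickey for alice from 198.51.100.2 port 5022 ssh2: RSA SHA256:..."
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Hypothetical thresholds (denyhosts exposes similar settings): one failure
# for root is enough, a few for usernames that don't exist, more for real accounts.
THRESHOLD_ROOT = 1
THRESHOLD_INVALID = 5
THRESHOLD_VALID = 10


def parse_failures(lines):
    """Return {ip: Counter(root=n, invalid=n, valid=n)} for the given log lines."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated syslog traffic are ignored
        if m.group("user") == "root":
            kind = "root"
        elif m.group("invalid"):
            kind = "invalid"
        else:
            kind = "valid"
        per_ip[m.group("ip")][kind] += 1
    return per_ip


def offenders(per_ip, allow=frozenset()):
    """IPs that crossed any threshold, minus an allow-list so you can't ban yourself."""
    banned = []
    for ip, c in sorted(per_ip.items()):
        if ip in allow:
            continue
        if (c["root"] >= THRESHOLD_ROOT
                or c["invalid"] >= THRESHOLD_INVALID
                or c["valid"] >= THRESHOLD_VALID):
            banned.append(ip)
    return banned


def hosts_deny_lines(ips, service="sshd"):
    """Render entries in the 'daemon: client' syntax /etc/hosts.deny expects."""
    return [f"{service}: {ip}" for ip in ips]


def usernames_tried(lines):
    """Distinct usernames that appeared in failed attempts."""
    return sorted({m.group("user") for m in map(FAILED_RE.search, lines) if m})


# Constructed sample input in auth.log's format (not a real capture).
SAMPLE_LOG = """\
Mar  3 02:11:07 box sshd[1201]: Failed password for root from 203.0.113.5 port 40231 ssh2
Mar  3 02:11:09 box sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40232 ssh2
Mar  3 02:11:10 box sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40232 ssh2
Mar  3 02:11:12 box sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 40240 ssh2
Mar  3 02:11:13 box sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 40241 ssh2
Mar  3 02:11:15 box sshd[1209]: Failed password for invalid user guest from 203.0.113.7 port 40242 ssh2
Mar  3 02:11:20 box sshd[1211]: Failed publickey for alice from 198.51.100.2 port 5022 ssh2: RSA SHA256:abc
Mar  3 02:11:25 box sshd[1213]: Failed password for invalid user test from 192.0.2.44 port 3301 ssh2
Mar  3 02:11:30 box sshd[1215]: Accepted publickey for alice from 198.51.100.2 port 5023 ssh2: RSA SHA256:def
""".splitlines()

if __name__ == "__main__":
    stats = parse_failures(SAMPLE_LOG)
    # 198.51.100.2 is "our" address in this sample and must never be denied.
    for entry in hosts_deny_lines(offenders(stats, allow={"198.51.100.2"})):
        print(entry)
    print("usernames tried:", ", ".join(usernames_tried(SAMPLE_LOG)))
```

On the sample above, 203.0.113.5 is denied after a single root failure and 203.0.113.7 after five invalid-user failures, while 192.0.2.44 (one failure) is left alone, exactly the “not very dedicated” case. One caveat before relying on this in 2020s-era installs: /etc/hosts.deny only does anything for daemons linked against tcp_wrappers (libwrap), and upstream OpenSSH dropped that support in 6.7; check with `ldd /usr/sbin/sshd | grep libwrap`, and if it comes back empty, use something that blocks at the firewall (fail2ban does the same log-scanning job with iptables/nftables rules) instead.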
denyhosts picked up all but the bottom 3 IPs I had trying to crack my system:
… those guys weren’t very dedicated anyway, I’ll give them another chance to lift their game.
They tried a massive range of different user names:
Apparently the first few times they tried some of these names they had the wrong password though:
Little did they know that password authentication is not configured to let anyone in, let alone this “test” fellow.