Fun with DenyHosts

06 Feb 2006

RubyForge has always been plagued by dictionary attacks - scripts that hit the SSH port 10K times a day trying to guess passwords. This wastes resources and, more annoyingly, causes the logwatch reports to be huge. They were getting up to 500-600 KB per day.

So I set up DenyHosts, which monitors secure.log and adds apparent attackers to hosts.deny. This was just what the doctor ordered; my logwatch reports have gone down to a much more manageable 10K. A couple of things:

  • DenyHosts requires a newish version of Python, but that was easy to set up without breaking any current apps. Just ./configure --prefix=/usr/local/python2.4, good times.
  • The default settings are a bit too aggressive for RubyForge, so I tweaked DENY_THRESHOLD_VALID to allow 20 failed login attempts for existing accounts and DENY_THRESHOLD_INVALID to allow 15 failed attempts for nonexistent accounts. But I left DENY_THRESHOLD_ROOT at 1; anyone trying to SSH in as root deserves an immediate pummeling.
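
How those three thresholds sort failed logins, as an added sketch that is not DenyHosts' own code. It assumes a host is denied once its count exceeds the threshold, and that sshd logs failures in the "Failed password for [invalid user] NAME from HOST" form; the function names and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Threshold values from the post; a host is denied once a count exceeds one (assumed).
THRESHOLDS = {"valid": 20, "invalid": 15, "root": 1}

# Assumed OpenSSH failure format; the exact wording varies between sshd versions.
FAILED = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)

def classify(match):
    """Pick the threshold bucket for one failed login: root, invalid or valid."""
    if match.group("user") == "root":
        return "root"
    return "invalid" if match.group("invalid") else "valid"

def hosts_to_deny(lines, thresholds=THRESHOLDS):
    """Count failures per (host, bucket); return {host: first bucket exceeded}."""
    counts = defaultdict(int)
    denied = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        host, bucket = m.group("host"), classify(m)
        counts[host, bucket] += 1
        if counts[host, bucket] > thresholds[bucket] and host not in denied:
            denied[host] = bucket
    return denied

def line(who, host):
    """Build one constructed secure.log line for the sample below."""
    return f"Feb  6 03:14:15 host sshd[4242]: Failed password for {who} from {host} port 40022 ssh2"

def sample_log():
    """Constructed input: documentation-range addresses and made-up users."""
    log = [line("root", "203.0.113.7")] * 2                   # 2 root failures > 1
    log += [line("invalid user test", "198.51.100.9")] * 16   # 16 > 15
    log += [line("tom", "192.0.2.44")] * 5                    # real user, 5 <= 20
    log.append("Feb  6 03:14:16 host sshd[4242]: Accepted publickey for tom from 192.0.2.44 port 40022 ssh2")
    return log

if __name__ == "__main__":
    for host, bucket in hosts_to_deny(sample_log()).items():
        print(f"{host}: exceeded DENY_THRESHOLD_{bucket.upper()}")
```

The real user who mistypes a password five times stays under the looser DENY_THRESHOLD_VALID limit, while the root and nonexistent-account guessers are flagged much sooner.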

Props to Phil Schwartz for writing such a fine app. I intend to make a donation; it's definitely worth it.