RubyForge has always been plagued by dictionary attacks - scripts that hit the SSH port 10K times a day trying to guess passwords. This wastes resources and, more annoyingly, causes the logwatch reports to be huge. They were getting up to 500-600 KB per day.
So I set up DenyHosts, which monitors secure.log and adds apparent attackers to hosts.deny. This was just what the doctor ordered; my logwatch reports have gone down to a much more manageable 10K. A couple of things:
- DenyHosts requires a newish version of Python, but that was easy to set up without breaking any current apps. Just ./configure --prefix=/usr/local/python2.4, good times.
- The default settings are a bit too aggressive for RubyForge, so I tweaked DENY_THRESHOLD_VALID to allow 20 failed login attempts for existing accounts and DENY_THRESHOLD_INVALID to allow 15 failed attempts for nonexistent accounts. But I left DENY_THRESHOLD_ROOT at 1; anyone trying to SSH in as root deserves an immediate pummeling,
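
To see how the three thresholds sort hosts into "leave alone" and "deny", here is a simplified model added as an illustration; it is not DenyHosts' own code and not from the original post. It assumes sshd "Failed password" lines in secure.log, per-host counting within each category, and that a host is denied once its count exceeds the threshold; the log lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Threshold values from the post, keyed by login category.
THRESHOLDS = {"valid": 20, "invalid": 15, "root": 1}

# sshd failed-password line; older OpenSSH releases log "illegal user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<bad>(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<host>\S+)"
)

def classify(match):
    """Map one failed login to the threshold category it counts against."""
    if match.group("user") == "root":
        return "root"
    return "invalid" if match.group("bad") else "valid"

def hosts_to_deny(lines, thresholds=THRESHOLDS):
    """Return sorted hosts whose failures in any category exceed its threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[(m.group("host"), classify(m))] += 1
    return sorted({host for (host, kind), n in counts.items()
                   if n > thresholds[kind]})  # assumption: strictly greater

def sample_log():
    """Constructed secure.log excerpt (documentation-range addresses)."""
    def failed(who, host):
        return (f"Mar  3 04:12:01 rf sshd[4242]: Failed password for "
                f"{who} from {host} port 40022 ssh2")
    log = [failed("invalid user oracle", "203.0.113.5")] * 16  # 16 > 15: deny
    log += [failed("tom", "198.51.100.7")] * 20                # 20 allowed
    log += [failed("root", "192.0.2.66")] * 2                  # 2 > 1: deny
    log.append("Mar  3 04:13:00 rf sshd[4243]: Accepted publickey for tom "
               "from 198.51.100.7 port 40100 ssh2")            # not a failure
    return log

if __name__ == "__main__":
    for host in hosts_to_deny(sample_log()):
        print(f"sshd: {host}")  # TCP wrappers hosts.deny entry format
```
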