Install and Configure denyhosts on Ubuntu 8.04 Hardy Heron
Having the OpenSSH daemon running is a great thing, as it gives you access to your Ubuntu shell from anywhere. Unfortunately, some people run tools that scan IP addresses and check for open ports. If such a tool finds that you have SSH running, it will start attacking your server, trying to log in with a dictionary or brute-force attack. You will see it in /var/log/auth.log:

```
sshd[25299]: Failed password for invalid user apple from 218.102.23.197 port 42909 ssh2
sshd[25301]: pam_winbind(ssh:auth): getting password (0x00000000)
sshd[25301]: pam_winbind(ssh:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
sshd[25301]: pam_unix(ssh:auth): unrecognized option [bullok_secure]
Aug 6 21:40:59 luna sshd[25301]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=imsp007.netvigator.com user=root
sshd[25301]: Failed password for root from 218.102.23.197 port 42970 ssh2
sshd[25303]: Invalid user brian from 218.102.23.197
sshd[25303]: pam_winbind(ssh:auth): getting password (0x00000000)
sshd[25303]: pam_winbind(ssh:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
sshd[25303]: pam_unix(ssh:auth): unrecognized option [bullok_secure]
sshd[25303]: pam_unix(ssh:auth): check pass; user unknown
sshd[25303]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=imsp007.netvigator.com
```
This is an authentic example from my friend’s server that was configured to authenticate with Active Directory in Windows 2003.
And that’s how they get you:
```
sshd[23781]: pam_winbind(ssh:auth): getting password (0x00000000)
sshd[23781]: pam_winbind(ssh:auth): user 'jane' granted access
sshd[23781]: pam_winbind(ssh:account): user 'jane' OK
sshd[23781]: pam_winbind(ssh:account): user 'jane' granted access
sshd[23781]: Accepted password for jane from 172.173.13.22 port 1190 ssh2
```
The cure:
You can close port 22, but then you will not be able to log in either. The alternative is to install denyhosts, a great Python script that prevents brute-force attacks against your SSH server.
These instructions are for Hardy Heron 8.04:
1. Install denyhosts:

```
sudo apt-get install denyhosts
```
2. Edit the denyhosts configuration file:

```
sudo nano /etc/denyhosts.conf
```

```
# never purge:
PURGE_DENY =
#
# purge entries older than 1 week
#PURGE_DENY = 1w
#
# purge entries older than 5 days
PURGE_DENY = 5d

# To block all services for the offending host:
# To block only sshd:
```
And that’s all! If you would like to go deeper into the configuration, check this link:
http://denyhosts.sourceforge.net/faq.html
hiddy 6:59 pm on July 23, 2009
Watch out for log injection that may lock you out!
Easy to fix if you know about it:
http://www.ossec.net/en/attacking-loganalysis.html
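The two points above, the auth.log failures the post opens with and the log-injection warning in this comment, can be illustrated with a small log tally. The following is an added example, not denyhosts' own code and not from the post or the commenter: it counts "Failed password" lines per source address in constructed sample lines modelled on the excerpt above (addresses and hostnames are made up), renders the hosts.deny entries a denyhosts-style tool would write, and contrasts an anchored parser with a naive one to show why the username field must never be trusted as the source address. The threshold, the `NAIVE_IP_RE` matcher and the sample line whose username looks like an address are all assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the /var/log/auth.log excerpt in the post.
# Addresses and hostnames are made up. The sixth line carries a username that
# merely looks like an address, the situation the log-injection comment warns about.
SAMPLE_AUTH_LOG = """\
Aug  6 21:40:57 luna sshd[25299]: Failed password for invalid user apple from 198.51.100.7 port 42909 ssh2
Aug  6 21:40:59 luna sshd[25301]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host7.example.net user=root
Aug  6 21:40:59 luna sshd[25301]: Failed password for root from 198.51.100.7 port 42970 ssh2
Aug  6 21:41:02 luna sshd[25303]: Invalid user brian from 198.51.100.7
Aug  6 21:41:04 luna sshd[25303]: Failed password for invalid user brian from 198.51.100.7 port 43001 ssh2
Aug  6 21:41:10 luna sshd[25310]: Failed password for invalid user 203.0.113.9 from 198.51.100.7 port 43020 ssh2
Aug  6 21:45:00 luna sshd[25320]: Accepted password for jane from 192.0.2.22 port 1190 ssh2
"""

# Anchored on sshd's fixed "Failed password for ... from <ip> port <n> ssh2" layout.
# The text between "for" and "from" is client-supplied, so the source address is
# taken only from the token after "from ", never from the first address-looking
# string on the line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*?) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Hypothetical naive matcher: grabs the first thing that looks like an IPv4 address.
NAIVE_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def count_failures(log_text):
    """Return {source_ip: failed password attempts}, parsing on the anchored layout."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def naive_count_failures(log_text):
    """Same tally, but trusting the first address-like token on a 'Failed password' line."""
    counts = Counter()
    for line in log_text.splitlines():
        if "Failed password" in line:
            m = NAIVE_IP_RE.search(line)
            if m:
                counts[m.group(0)] += 1
    return dict(counts)


def hosts_deny_entries(counts, threshold, service="sshd"):
    """Render /etc/hosts.deny lines for every source at or above the threshold."""
    return [f"{service}: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    anchored = count_failures(SAMPLE_AUTH_LOG)
    naive = naive_count_failures(SAMPLE_AUTH_LOG)
    print("anchored parser:", anchored)
    print("naive parser   :", naive)
    for entry in hosts_deny_entries(anchored, threshold=3):
        print("hosts.deny:", entry)
```

With the sample above the anchored parser attributes all four failures to the real client address and emits a single `sshd:` entry, whereas the naive parser credits one of them to the address embedded in the username. That mis-attribution is what the linked OSSEC article describes: a log analyser that keys blocks on untrusted fields can be steered into denying an address the attacker chose rather than its own.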