This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Stop Brute Force Attack on SSH
- From: René Berber <r dot berber at computer dot org>
- To: cygwin at cygwin dot com
- Date: Sun, 17 Feb 2008 19:53:16 -0600
- Subject: Re: Stop Brute Force Attack on SSH
- References: <47b8d665.02fd220a.6f30.11eb@mx.google.com>
Kyle Dawson wrote:
> How can I stop attacks on my ssh demon? I see thousands of attempts every
> day. I have, I believe good password policy but since I have clients, not
> 100% sure. Is there some config that I can set? One ip address comes in
> and tries for a day or so. Can it see that it is the same ip and just
> deny? Any tools that can help?
Install DenyHosts or Fail2ban:
http://denyhosts.sourceforge.net/
http://www.fail2ban.org/wiki/index.php/Main_Page
Both are Python programs and both use the syslog log (either syslog-ng
or the syslog which comes with inetutils), so you have to install that
first from the Cygwin packages (i.e. using Cygwin's setup.exe). Then,
since there is no package for DenyHosts or Fail2ban, download the
source, expand the package (with 'tar xvf <name-of-package.tar.gz>') and do:
python setup.py install
To finish with DenyHosts you need to configure it, meaning edit the file
/usr/share/denyhosts/denyhosts.cfg (only a few things need to change, but
it is better to get acquainted with the available options), and also edit
the 3 lines near the top of /usr/share/denyhosts/daemon-control. Add
the service using:
cygrunsrv -I DenyHosts -p /usr/share/denyhosts/daemon-control -a start \
-d DenyHosts -f "DenyHosts 2.6" -y sshd -x /var/run/denyhosts.pid -o
cygrunsrv -S DenyHosts
The (interesting) options I use in the config file are:
SECURE_LOG = /var/log/messages
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1d
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
LOCK_FILE = /var/run/denyhosts.pid
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes
USERDEF_FAILED_ENTRY_REGEX=User (?P<user>\S+) from (::ffff:)?(?P<host>\S+) not allowed because not listed in.*
DAEMON_LOG = /var/log/denyhosts
DAEMON_LOG_TIME_FORMAT = %b %d %T
DAEMON_SLEEP = 15s
DAEMON_PURGE = 1h
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
SYNC_DOWNLOAD_RESILIENCY = 5h
Optionally you can create 2 files: one to add which users are "critical"
(since there is no root in Windows I added Administrator and a few others
that are favorites of dictionary attacks), and the white list. Those 2
files don't exist by default; they are:
/usr/share/denyhosts/data/allowed-hosts
/usr/share/denyhosts/data/restricted-usernames
But of course all that is documented.
--
René Berber
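To see how the DENY_THRESHOLD_* values and the USERDEF_FAILED_ENTRY_REGEX from the message above combine, here is an added example (my own Python, not DenyHosts' code) that applies those thresholds and that regex to a constructed /var/log/messages sample and renders the resulting /etc/hosts.deny lines for BLOCK_SERVICE = sshd. The contents of restricted-usernames and allowed-hosts, the category precedence (root, then restricted, then invalid, then valid), and counting "not allowed because not listed in AllowUsers" denials as invalid-user failures are assumptions of this example, not DenyHosts' documented behaviour.

```python
"""Threshold-based SSH brute-force blocking, DenyHosts style.
Added example over a constructed syslog sample; not DenyHosts' own code."""
import re
from collections import Counter

# Thresholds and service name copied from the denyhosts.cfg fragment above
DENY_THRESHOLD = {
    "invalid": 3,      # DENY_THRESHOLD_INVALID
    "valid": 5,        # DENY_THRESHOLD_VALID
    "root": 1,         # DENY_THRESHOLD_ROOT
    "restricted": 1,   # DENY_THRESHOLD_RESTRICTED
}
BLOCK_SERVICE = "sshd"

# Constructed stand-ins for data/restricted-usernames and data/allowed-hosts
RESTRICTED_USERNAMES = {"Administrator", "admin"}
ALLOWED_HOSTS = {"192.0.2.10"}

# The first two patterns approximate sshd's standard "Failed password" lines;
# the third is the USERDEF_FAILED_ENTRY_REGEX from the post (AllowUsers denials).
# The optional (::ffff:) group strips the IPv4-mapped prefix so the bare
# address is what gets counted and written to hosts.deny.
FAILED_INVALID_RE = re.compile(
    r"Failed password for invalid user (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")
FAILED_VALID_RE = re.compile(
    r"Failed password for (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")
NOT_ALLOWED_RE = re.compile(
    r"User (?P<user>\S+) from (::ffff:)?(?P<host>\S+) not allowed because not listed in.*")


def classify(line):
    """Return (host, user, category) for a failed-login line, or None.

    Assumed precedence: root, then restricted names, then invalid users
    (non-existent or not in AllowUsers), then ordinary valid users.
    The "invalid user" pattern is tried first so the generic pattern
    cannot misread "invalid" as the user name.
    """
    invalid = False
    m = FAILED_INVALID_RE.search(line)
    if m:
        invalid = True
    else:
        m = NOT_ALLOWED_RE.search(line)
        if m:
            invalid = True      # assumption: AllowUsers denial counts as invalid
        else:
            m = FAILED_VALID_RE.search(line)
    if not m:
        return None
    user, host = m.group("user"), m.group("host")
    if user == "root":
        cat = "root"
    elif user in RESTRICTED_USERNAMES:
        cat = "restricted"
    elif invalid:
        cat = "invalid"
    else:
        cat = "valid"
    return host, user, cat


def hosts_to_deny(log_lines):
    """Count failures per (host, category); return sorted hosts that reached
    the threshold for any category and are not in allowed-hosts."""
    counts = Counter()
    for line in log_lines:
        hit = classify(line)
        if hit is None:
            continue            # accepted logins and unrelated noise
        host, _user, cat = hit
        counts[(host, cat)] += 1
    denied = set()
    for (host, cat), n in counts.items():
        if host in ALLOWED_HOSTS:
            continue            # white list always wins
        if n >= DENY_THRESHOLD[cat]:
            denied.add(host)
    return sorted(denied)


def hosts_deny_lines(hosts):
    """Render /etc/hosts.deny entries for BLOCK_SERVICE."""
    return ["%s: %s" % (BLOCK_SERVICE, h) for h in hosts]


# Constructed sample of /var/log/messages (not real traffic)
SAMPLE_LOG = """\
Feb 17 19:40:01 winbox sshd[1202]: Failed password for invalid user oracle from 203.0.113.5 port 4022 ssh2
Feb 17 19:40:03 winbox sshd[1202]: Failed password for invalid user oracle from 203.0.113.5 port 4023 ssh2
Feb 17 19:40:05 winbox sshd[1207]: Failed password for invalid user postgres from 203.0.113.5 port 4031 ssh2
Feb 17 19:41:10 winbox sshd[1210]: Failed password for rberber from 198.51.100.7 port 51022 ssh2
Feb 17 19:41:12 winbox sshd[1211]: Accepted publickey for rberber from 198.51.100.7 port 51023 ssh2
Feb 17 19:42:00 winbox sshd[1215]: Failed password for Administrator from 198.51.100.9 port 3390 ssh2
Feb 17 19:43:30 winbox sshd[1220]: Failed password for root from 192.0.2.10 port 40000 ssh2
Feb 17 19:44:00 winbox sshd[1222]: User guest from ::ffff:203.0.113.77 not allowed because not listed in AllowUsers
Feb 17 19:44:02 winbox sshd[1223]: User guest from ::ffff:203.0.113.77 not allowed because not listed in AllowUsers
""".splitlines()

if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_deny(SAMPLE_LOG)):
        print(entry)
```

On the sample, 203.0.113.5 is blocked after its third invalid-user failure, 198.51.100.9 is blocked on the first Administrator attempt because that name is restricted, the root attempt from 192.0.2.10 is ignored because the host is white-listed, and 203.0.113.77 stays under the invalid threshold with two AllowUsers denials.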