HOWTO defend against SSH attacks

If a Debian server is the target of SSH attacks, /var/log/auth.log will contain lines like these:

PAM_unix[12045]: authentication failure; (uid=0) -> root for ssh service
sshd[12045]: Failed password for root from 59.120.34.161 port 55700 ssh2
PAM_unix[12049]: authentication failure; (uid=0) -> root for ssh service
sshd[12049]: Failed password for root from 59.120.34.161 port 55820 ssh2
PAM_unix[12112]: authentication failure; (uid=0) -> root for ssh service
sshd[12112]: Failed password for root from 59.120.34.161 port 55975 ssh2
.. hundreds more

..that indicate naughty bots trying to get into the server.

Download the denyhosts RPM for python2.3, then:

$ fakeroot alien DenyHosts-2.1-python2.3.noarch.rpm
$ sudo dpkg -i denyhosts_2.1-1_all.deb
$ cd /usr/share/denyhosts
$ sudo cp denyhosts.cfg-dist /etc/denyhosts.cfg
$ sudo chmod 700 /etc/denyhosts.cfg
$ sudo cp daemon-control-dist /etc/init.d/denyhosts
$ sudo chmod 700 /etc/init.d/denyhosts
$ sudo ln -s ../init.d/denyhosts /etc/rc2.d/S98denyhosts
$ sudo ln -s ../init.d/denyhosts /etc/rc6.d/K02denyhosts

..now edit /etc/init.d/denyhosts so these lines read:

DENYHOSTS_BIN   = "/usr/bin/denyhosts.py"
DENYHOSTS_LOCK  = "/var/run/denyhosts.pid"
DENYHOSTS_CFG   = "/etc/denyhosts.cfg"

..and edit /etc/denyhosts.cfg to change these parameters:

SECURE_LOG = /var/log/auth.log
WORK_DIR = /var/lib/denyhosts
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = youraccount@yourdomain
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

If the server runs Debian woody, see below. Next:

$ sudo /etc/init.d/denyhosts start

After all this, /var/log/auth.log will look more like this:

PAM_unix[12112]: authentication failure; (uid=0) -> root for ssh service
sshd[12112]: Failed password for root from 59.120.34.161 port 55975 ssh2
.. four more or whatever you configured
sshd[12121]: refused connect from 59.120.34.161
sshd[12122]: refused connect from 59.120.34.161
sshd[12123]: refused connect from 59.120.34.161
sshd[12124]: refused connect from 59.120.34.161
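
To confirm from the log that blocking is actually taking effect, here is an added example (not part of DenyHosts or of the original HOWTO) that counts "Failed password" and "refused connect" lines per source address and flags addresses that passed the limit without ever being refused. The threshold of 5, the function name and the sample lines are assumptions; use the limit set in /etc/denyhosts.cfg.

```python
import re
from collections import defaultdict

# The two sshd line types shown on this page (user may be prefixed "invalid user").
FAILED = re.compile(r"sshd\[\d+\]: Failed password for "
                    r"(?:invalid user |illegal user )?(\S+) from (\S+) port \d+")
REFUSED = re.compile(r"sshd\[\d+\]: refused connect from (\S+)")

def summarise(lines, threshold=5):
    """Return {ip: {"failed", "refused", "users", "status"}} for auth.log lines.

    threshold is an assumed value, not read from denyhosts.cfg.
    """
    stats = defaultdict(lambda: {"failed": 0, "refused": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
            continue
        m = REFUSED.search(line)
        if m:
            stats[m.group(1)]["refused"] += 1
    for entry in stats.values():
        if entry["refused"]:
            entry["status"] = "blocked"            # refusals are being logged
        elif entry["failed"] >= threshold:
            entry["status"] = "over threshold, not blocked"  # check the daemon
        else:
            entry["status"] = "below threshold"
    return dict(stats)

# Constructed sample in the auth.log format shown above (documentation addresses).
SAMPLE = (
    [f"sshd[{2000 + i}]: Failed password for root from 192.0.2.10 port {55000 + i} ssh2"
     for i in range(5)]
    + ["sshd[2100]: refused connect from 192.0.2.10"] * 2
    + [f"sshd[{3000 + i}]: Failed password for invalid user admin "
       f"from 198.51.100.7 port {41000 + i} ssh2" for i in range(6)]
    + ["sshd[4000]: Failed password for alice from 203.0.113.5 port 50022 ssh2"]
)

if __name__ == "__main__":
    # To check a real server, pass open("/var/log/auth.log") instead of SAMPLE.
    for ip, e in sorted(summarise(SAMPLE).items()):
        print(f"{ip:15} failed={e['failed']:3} refused={e['refused']:3} {e['status']}")
```

An address reported as "over threshold, not blocked" means the daemon is not running, is reading a different SECURE_LOG, or has not processed the log yet.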

Debian woody

DenyHosts requires Python 2.3, but Debian woody does not include python2.3. Install it first:

$ wget http://eyck.forumakad.pl/woody/python2.3/python2.3_2.3.3-7_i386.deb
$ sudo dpkg -i python2.3_2.3.3-7_i386.deb

$Revision: 1.2 $, $Date: 2006/03/09 08:23:17 $
