SSH Login Attempts – July 08, 2008
I think I have written before about DenyHosts, but this evening it prevented somewhere around twenty thousand individual hosts from trying to log in to one of my servers. The hackers have gotten smarter: they used to just try from one host, which was trivially blockable, even manually. But, thanks to DenyHosts (and the fairly easily trackable behavior of the hackers), they think they get a couple of chances to guess a password before being blocked. Note that I say "think", because they actually don't get any, due to the way they are doing it.
But now they are trying to be trickier, by only trying five times and then, using a global network, switching to a different machine in a different country and trying five times from that computer.
Fortunately, DenyHosts has a blacklist that I can contribute to, and my system sends in all of the IP addresses that attempt to log in to mine, so as long as someone is using DenyHosts, they'll benefit from my logging, and perhaps the hacker won't even get a single chance to log in to someone else's server, since they'll already be blacklisted.
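The two behaviors described above, a per-host strike count of the kind DenyHosts keeps and the "five tries, then move to another machine" rotation that slips under it, can both be checked against the sshd log. This is an added example, not DenyHosts code; it parses constructed auth.log lines (not real data), applies an assumed five-failure per-host limit, and separately flags any account hit from many distinct sources even when each source stays under that limit.

```python
import re
from collections import Counter, defaultdict

# Matches an sshd failure line; the "invalid user" prefix is optional.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

# Constructed sample auth.log lines (not real data). One source hammers root
# from a single host; eight other sources each try "admin" only four times,
# staying under a five-strike per-host limit: the rotation pattern in the post.
SAMPLE_LOG = [
    "Jul  8 22:14:%02d web1 sshd[4021]: Failed password for root "
    "from 198.51.100.7 port 4022 ssh2" % s for s in range(6)
] + [
    "Jul  8 22:%02d:%02d web1 sshd[4%d%d]: Failed password for invalid user "
    "admin from 203.0.113.%d port 5%d00 ssh2" % (20 + i, j, i, j, i, j)
    for i in range(1, 9) for j in range(4)
] + ["Jul  8 22:30:00 web1 sshd[4999]: Accepted publickey for deploy "
     "from 192.0.2.10 port 6000 ssh2"]

def parse_failures(lines):
    """Return (user, ip) for every failed-password line; other lines are ignored."""
    out = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip")))
    return out

def per_host_blocks(failures, threshold=5):
    """DenyHosts-style rule: block a source once its own failures reach threshold
    (5 is an assumed value here, not necessarily the DenyHosts default)."""
    counts = Counter(ip for _, ip in failures)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_campaigns(failures, min_sources=5):
    """Flag accounts attacked from at least min_sources distinct IPs, which a
    per-host threshold alone never sees when each source stays under it."""
    sources = defaultdict(set)
    for user, ip in failures:
        sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}

def hosts_deny_lines(ips):
    """Render blocked sources in the TCP-wrappers format DenyHosts writes."""
    return ["sshd: %s" % ip for ip in sorted(ips)]

if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print(hosts_deny_lines(per_host_blocks(f)))
    print(distributed_campaigns(f))
```

On the sample, only the single noisy host ends up in the hosts.deny output, while the eight rotating sources only surface through the per-account distinct-source count.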
I am not sure what the hackers think they are going to achieve on my servers; it seems like it would be better to spend their time elsewhere. They have figured out I use DenyHosts, or a similar application, so it seems like they should go to an easier target.
Perhaps their goal is some sort of denial of service, but I don't think that is particularly possible in this case, or at least not in the way they are going about it. I don't know if the hosts.deny file has a practical limit on the number of entries; I don't notice any lag when logging in, i.e. parsing the file doesn't seem to take that long.
Maybe the goal is to get so many IP addresses into the database that people can't use it, and maybe, in the case of dynamic IP addressing, one of my customers could end up with a blacklisted IP. So far, so good though, so we'll see how it goes.
A whitelist is quite annoying for folks with a dynamic IP. I was recently working with a customer whose IP changes frequently, and he has to go into a web admin page to change his IP to be able to SSH.
And notice that the point of my post is that denyhosts has been working so well that I wouldn't ever switch to a whitelist at this point.