Mail Archives: cygwin/2008/02/17/20:54:19

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
To: cygwin AT cygwin DOT com
From: René Berber <r DOT berber AT computer DOT org>
Subject: Re: Stop Brute Force Attack on SSH
Date: Sun, 17 Feb 2008 19:53:16 -0600
Lines: 82
Message-ID: <fpaoeh$dpi$1@ger.gmane.org>
References: <47b8d665 DOT 02fd220a DOT 6f30 DOT 11eb AT mx DOT google DOT com>
Mime-Version: 1.0
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
In-Reply-To: <47b8d665.02fd220a.6f30.11eb@mx.google.com>
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Kyle Dawson wrote:

> How can I stop attacks on my ssh daemon?  I see thousands of attempts every
> day.  I have, I believe, a good password policy but since I have clients, not
> 100% sure.  Is there some config that I can set?  One IP address comes in
> and tries for a day or so.  Can it see that it is the same IP and just
> deny?  Any tools that can help?

Install DenyHosts or Fail2ban :

   http://denyhosts.sourceforge.net/
   http://www.fail2ban.org/wiki/index.php/Main_Page

Both are Python programs and both use the syslog log (either syslog-ng
or the syslog which comes with inetutils), so you have to install that
first from the Cygwin packages (i.e. using Cygwin's setup.exe), then,
since there is no package for DenyHosts or Fail2ban, download the
source, expand the package (with 'tar xvf <name-of-package.tar.gz>') and do:

   python setup.py install

To finish with DenyHosts you need to configure it, meaning edit the file
/usr/share/denyhosts/denyhosts.cfg; only a few things need to change, but
it is better to get acquainted with the available options.  Also edit
the 3 lines near the top of /usr/share/denyhosts/daemon-control.  Add
the service using:

cygrunsrv -I DenyHosts -p /usr/share/denyhosts/daemon-control -a start \
-d DenyHosts -f "DenyHosts 2.6" -y sshd -x /var/run/denyhosts.pid -o

cygrunsrv -S DenyHosts

The (interesting) options I use in the config file are:

SECURE_LOG = /var/log/messages
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1d
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
LOCK_FILE = /var/run/denyhosts.pid
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes
USERDEF_FAILED_ENTRY_REGEX=User (?P<user>\S+) from (::ffff:)?(?P<host>\S+) not allowed because not listed in.*
DAEMON_LOG = /var/log/denyhosts
DAEMON_LOG_TIME_FORMAT = %b %d %T
DAEMON_SLEEP = 15s
DAEMON_PURGE = 1h
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
SYNC_DOWNLOAD_RESILIENCY = 5h

Optionally you can create 2 files to add which users are "critical";
since there is no root in Windows I added Administrator and a few others
that are favorites of dictionary attacks.  Also the white list.  Those 2
files don't exist by default; they are:

   /usr/share/denyhosts/data/allowed-hosts
   /usr/share/denyhosts/data/restricted-usernames

But of course all that is documented.
-- 
René Berber


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
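To show what the thresholds and the USERDEF_FAILED_ENTRY_REGEX from the reply above actually do, here is an added example (not DenyHosts' own code, nor the poster's) that replays a constructed /var/log/messages excerpt through the same counting rules: per-host failure counts per bucket, the DENY_THRESHOLD_* values from the config, RESET_ON_SUCCESS, and the restricted-usernames and allowed-hosts lists. The user and host names, the sample log lines and the restricted/allowed sets are all constructed for the example.

```python
import re
from collections import defaultdict

# DENY_THRESHOLD_* from the post; constructed restricted-usernames / allowed-hosts stand-ins.
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 1, "restricted": 1}
RESTRICTED_USERS = {"Administrator", "admin"}
ALLOWED_HOSTS = {"192.0.2.10"}

# Most specific first, so "invalid user" wins over the plain "Failed password for
# <user>" form.  The last pattern is the post's USERDEF_FAILED_ENTRY_REGEX.
FAILURES = [
    ("invalid", re.compile(r"Failed password for invalid user (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")),
    ("valid", re.compile(r"Failed password for (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")),
    ("invalid", re.compile(r"User (?P<user>\S+) from (::ffff:)?(?P<host>\S+) not allowed because not listed in.*")),
]
SUCCESS = re.compile(r"Accepted \S+ for (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")

# Constructed excerpt of the SECURE_LOG (/var/log/messages) the post points DenyHosts at.
SAMPLE_LOG = """\
Feb 17 19:40:01 cyg sshd[1234]: Failed password for invalid user oracle from 203.0.113.5 port 40122 ssh2
Feb 17 19:40:03 cyg sshd[1234]: Failed password for invalid user oracle from 203.0.113.5 port 40123 ssh2
Feb 17 19:40:05 cyg sshd[1234]: Failed password for invalid user postgres from 203.0.113.5 port 40124 ssh2
Feb 17 19:41:00 cyg sshd[1240]: Failed password for Administrator from ::ffff:198.51.100.7 port 51000 ssh2
Feb 17 19:42:00 cyg sshd[1250]: Failed password for rene from 192.0.2.10 port 3000 ssh2
Feb 17 19:43:00 cyg sshd[1260]: Failed password for rene from 203.0.113.77 port 3001 ssh2
Feb 17 19:43:05 cyg sshd[1260]: Accepted password for rene from 203.0.113.77 port 3001 ssh2
Feb 17 19:44:00 cyg sshd[1270]: User guest from 203.0.113.99 not allowed because not listed in AllowUsers
""".splitlines()


def scan(lines):
    """Replay sshd log lines; return hosts to deny (in order) and per-host failure counts."""
    counts = defaultdict(lambda: defaultdict(int))
    denied = []
    for line in lines:
        if m := SUCCESS.search(line):
            counts.pop(m.group("host"), None)  # RESET_ON_SUCCESS = yes
            continue
        for category, pattern in FAILURES:
            if m := pattern.search(line):
                break
        else:
            continue  # not a line DenyHosts reacts to
        user, host = m.group("user"), m.group("host")
        bucket = "root" if user == "root" else "restricted" if user in RESTRICTED_USERS else category
        if host in ALLOWED_HOSTS or host in denied:
            continue
        counts[host][bucket] += 1
        if counts[host][bucket] >= THRESHOLDS[bucket]:
            denied.append(host)  # DenyHosts would append "sshd: <host>" to HOSTS_DENY
    return denied, counts
```

With the sample log, 203.0.113.5 is denied after its third invalid-user failure and 198.51.100.7 after a single attempt on the restricted Administrator account, while the white-listed host is never counted and the host that later logged in successfully has its counters cleared.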
