To: cygwin AT cygwin DOT com
From: René Berber
Subject: Re: Stop Brute Force Attack on SSH
Date: Sun, 17 Feb 2008 19:53:16 -0600
In-Reply-To: <47b8d665.02fd220a.6f30.11eb@mx.google.com>

Kyle Dawson wrote:
> How can I stop attacks on my ssh daemon? I see thousands of attempts every
> day. I have, I believe, a good password policy, but since I have clients, I'm not
> 100% sure. Is there some config that I can set? One IP address comes in
> and tries for a day or so. Can it see that it is the same IP and just
> deny? Any tools that can help?

Install DenyHosts or Fail2ban:

http://denyhosts.sourceforge.net/
http://www.fail2ban.org/wiki/index.php/Main_Page

Both are Python programs and both use the syslog log (either syslog-ng
or the syslog which comes with inetutils), so you have to install that
first from the Cygwin packages (i.e. using Cygwin's setup.exe). Then,
since there is no package for DenyHosts or Fail2ban, download the
source, expand the package (with 'tar xvf ') and do:

python setup.py install

To finish with DenyHosts you need to configure it, meaning edit the file
/usr/share/denyhosts/denyhosts.cfg; only a few things need to change, but
it is better to get acquainted with the available options. Also edit
the 3 lines near the top of /usr/share/denyhosts/daemon-control.

Add the service using:

cygrunsrv -I DenyHosts -p /usr/share/denyhosts/daemon-control -a start \
    -d DenyHosts -f "DenyHosts 2.6" -y sshd -x /var/run/denyhosts.pid -o
cygrunsrv -S DenyHosts

The (interesting) options I use in the config file are:

SECURE_LOG = /var/log/messages
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1d
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
LOCK_FILE = /var/run/denyhosts.pid
SYSLOG_REPORT = YES
AGE_RESET_VALID = 5d
AGE_RESET_ROOT = 25d
AGE_RESET_RESTRICTED = 25d
AGE_RESET_INVALID = 10d
RESET_ON_SUCCESS = yes
USERDEF_FAILED_ENTRY_REGEX = User (?P<user>\S+) from (::ffff:)?(?P<host>\S+) not allowed because not listed in.*
DAEMON_LOG = /var/log/denyhosts
DAEMON_LOG_TIME_FORMAT = %b %d %T
DAEMON_SLEEP = 15s
DAEMON_PURGE = 1h
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
SYNC_DOWNLOAD_RESILIENCY = 5h

Optionally you can create 2 files to add which users are "critical";
since there is no root in Windows I added Administrator and a few others
that are favorites of dictionary attacks. Also the white list. Those 2
files don't exist by default; they are:

/usr/share/denyhosts/data/allowed-hosts
/usr/share/denyhosts/data/restricted-usernames

But of course all that is documented.
-- 
René Berber
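As an added illustration (not René's code and not DenyHosts itself), here is a small Python re-implementation of the decision those settings express: count sshd failures per source host in three categories, apply the DENY_THRESHOLD_* values and the USERDEF_FAILED_ENTRY_REGEX from the message, honour the white list, and emit hosts.deny entries for BLOCK_SERVICE. The sample syslog lines, the white-listed host 192.168.1.2 and the choice to count "not allowed because not listed in" hits as invalid-user failures are my assumptions.

```python
import re
from collections import defaultdict

# Block service, thresholds, restricted users and white list as in the config above.
BLOCK_SERVICE = "sshd"
THRESHOLDS = {"invalid": 3, "valid": 5, "restricted": 1}  # DENY_THRESHOLD_*
RESTRICTED_USERNAMES = {"Administrator"}  # data/restricted-usernames
ALLOWED_HOSTS = {"192.168.1.2"}           # data/allowed-hosts (assumed value)

# Standard sshd failure line, plus the USERDEF_FAILED_ENTRY_REGEX quoted above.
FAILED_PASSWORD = re.compile(r"Failed password for (?P<invalid>invalid user )?"
                             r"(?P<user>\S+) from (::ffff:)?(?P<host>\S+) port")
USERDEF_FAILED_ENTRY = re.compile(r"User (?P<user>\S+) from (::ffff:)?(?P<host>\S+) "
                                  r"not allowed because not listed in.*")

def classify(line):
    """Return (host, category) for a failed-login line, or None for anything else."""
    m = FAILED_PASSWORD.search(line)
    if m:
        if m.group("user") in RESTRICTED_USERNAMES:
            return m.group("host"), "restricted"
        return m.group("host"), ("invalid" if m.group("invalid") else "valid")
    m = USERDEF_FAILED_ENTRY.search(line)
    # A user refused by AllowUsers is counted like an invalid account (assumption).
    return (m.group("host"), "invalid") if m else None

def hosts_to_deny(log_text):
    """Count failures per host and category; return hosts.deny lines for hosts at threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for host, category in filter(None, map(classify, log_text.splitlines())):
        counts[host][category] += 1
    denied = [f"{BLOCK_SERVICE}: {host}" for host, cats in counts.items()
              if host not in ALLOWED_HOSTS  # a white-listed host is never blocked
              and any(n >= THRESHOLDS[cat] for cat, n in cats.items())]
    return sorted(denied)

# Constructed sample syslog lines (not real traffic).
SAMPLE_LOG = """\
Feb 17 19:40:01 box sshd[1234]: Failed password for invalid user oracle from 10.0.0.5 port 4411 ssh2
Feb 17 19:40:03 box sshd[1234]: Failed password for invalid user test from 10.0.0.5 port 4412 ssh2
Feb 17 19:40:05 box sshd[1234]: Failed password for invalid user guest from 10.0.0.5 port 4413 ssh2
Feb 17 19:41:00 box sshd[1240]: Failed password for Administrator from ::ffff:10.0.0.9 port 5000 ssh2
Feb 17 19:42:00 box sshd[1250]: User backup from ::ffff:10.0.0.7 not allowed because not listed in AllowUsers
Feb 17 19:43:00 box sshd[1260]: Failed password for Administrator from 192.168.1.2 port 6000 ssh2
Feb 17 19:44:00 box sshd[1270]: Failed password for rene from 10.0.0.3 port 6100 ssh2
Feb 17 19:45:00 box sshd[1280]: Accepted publickey for rene from 10.0.0.3 port 6101 ssh2
"""
if __name__ == "__main__":
    print("\n".join(hosts_to_deny(SAMPLE_LOG)))  # sshd: 10.0.0.5 and sshd: 10.0.0.9
```

Only 10.0.0.5 (three invalid-user failures) and 10.0.0.9 (one attempt on the restricted Administrator account) reach a threshold; the white-listed host is skipped even though it hit a restricted name, and the single AllowUsers refusal from 10.0.0.7 stays below DENY_THRESHOLD_INVALID.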