From: "Kyle A. Dawson"
Date: Sun, 17 Feb 2008 20:09:41 -0600
Subject: RE: Stop Brute Force Attack on SSH
Message-ID: <47b8e8ea.4f99220a.5055.ffffefe0@mx.google.com>
References: <47b8d665 DOT 02fd220a DOT 6f30 DOT 11eb AT mx DOT google DOT com>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Delivered-To: mailing list cygwin AT cygwin DOT com

That is what I was looking for. I will try this tonight, thanks.

-----Original Message-----
From: cygwin-owner AT cygwin DOT com [mailto:cygwin-owner AT cygwin DOT com] On Behalf Of René Berber
Sent: Sunday, February 17, 2008 7:53 PM
To: cygwin AT cygwin DOT com
Subject: Re: Stop Brute Force Attack on SSH

Kyle Dawson wrote:

> How can I stop attacks on my ssh daemon? I see thousands of attempts every
> day. I have, I believe, good password policy but since I have clients, not
> 100% sure. Is there some config that I can set? One ip address comes in
> and tries for a day or so. Can it see that it is the same ip and just
> deny? Any tools that can help?

Install DenyHosts or Fail2ban:

http://denyhosts.sourceforge.net/
http://www.fail2ban.org/wiki/index.php/Main_Page

Both are Python programs and both use the syslog log (either syslog-ng or
the syslog which comes with inetutils), so you have to install that first
from the Cygwin packages (i.e.
using Cygwin's setup.exe), then since there is no package for DenyHosts or
Fail2ban, download the source, expand the package (with 'tar xvf ') and do:

python setup.py install

To finish with DenyHosts you need to configure it, meaning edit the file in
/usr/share/denyhosts/denyhosts.cfg; only a few things need changing but it is
better to get acquainted with the available options, and also edit the 3
lines near the top of /usr/share/denyhosts/daemon-control. Add the service
using:

cygrunsrv -I DenyHosts -p /usr/share/denyhosts/daemon-control -a start \
  -d DenyHosts -f "DenyHosts 2.6" -y sshd -x /var/run/denyhosts.pid -o
cygrunsrv -S DenyHosts

The (interesting) options I use in the config file are:

SECURE_LOG = /var/log/messages
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1d
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
LOCK_FILE = /var/run/denyhosts.pid
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes
USERDEF_FAILED_ENTRY_REGEX=User (?P<user>\S+) from (::ffff:)?(?P<host>\S+) not allowed because not listed in.*
DAEMON_LOG = /var/log/denyhosts
DAEMON_LOG_TIME_FORMAT = %b %d %T
DAEMON_SLEEP = 15s
DAEMON_PURGE = 1h
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
SYNC_DOWNLOAD_RESILIENCY = 5h

Optionally you can create 2 files to add which users are "critical"; since
there is no root in Windows I added Administrator and a few others that are
favorites of dictionary attacks. Also the white list. Those 2 files don't
exist by default; they are:

/usr/share/denyhosts/data/allowed-hosts
/usr/share/denyhosts/data/restricted-usernames

But of course all that is documented.
--
René Berber

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
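As an added illustration of the mechanism the thread recommends (example code written for this archive page, not DenyHosts' or Fail2ban's own source): the script below applies the post's USERDEF_FAILED_ENTRY_REGEX plus two assumed sshd "Failed password" patterns to a few constructed syslog lines, counts failures per source host by category with the post's thresholds (INVALID=3, VALID=5, root/restricted=1, merged into one "restricted" category here as a simplification), clears a host's counters on a successful login (RESET_ON_SUCCESS), skips whitelisted hosts (the allowed-hosts file) and treats the restricted-usernames set as critical, then emits hosts.deny lines for BLOCK_SERVICE = sshd. The IPv4-mapped `::ffff:` prefix seen in the post's regex is stripped by the same optional group. Sample log lines, thresholds dict and the restricted set are constructed for this example; a real deployment also needs the purge/age logic and writes to /etc/hosts.deny, which this does not do.

```python
import re
from collections import defaultdict

# Constructed sshd/syslog lines for this example (not a real capture).
SAMPLE_LOG = """\
Feb 17 19:01:02 host sshd[1234]: Failed password for invalid user oracle from 192.0.2.10 port 4022 ssh2
Feb 17 19:01:05 host sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 4023 ssh2
Feb 17 19:01:09 host sshd[1236]: Failed password for invalid user admin from 192.0.2.10 port 4024 ssh2
Feb 17 19:02:00 host sshd[1240]: Failed password for kyle from 198.51.100.7 port 5100 ssh2
Feb 17 19:02:03 host sshd[1241]: Failed password for kyle from 198.51.100.7 port 5101 ssh2
Feb 17 19:02:10 host sshd[1242]: Failed password for Administrator from 203.0.113.5 port 6000 ssh2
Feb 17 19:02:15 host sshd[1243]: User guest from ::ffff:203.0.113.9 not allowed because not listed in AllowUsers
Feb 17 19:03:00 host sshd[1250]: Accepted publickey for kyle from 198.51.100.7 port 5102 ssh2
"""

# Failure patterns in DenyHosts style (named groups user/host). The first two are
# assumptions of this example; the third is the USERDEF_FAILED_ENTRY_REGEX from the post.
# Order matters: the "invalid user" form must be tried before the plain form.
PATTERNS = [
    ("invalid", re.compile(r"Failed password for invalid user (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")),
    ("valid", re.compile(r"Failed password for (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")),
    ("invalid", re.compile(r"User (?P<user>\S+) from (::ffff:)?(?P<host>\S+) not allowed because not listed in.*")),
]
SUCCESS = re.compile(r"Accepted \S+ for (?P<user>\S+) from (::ffff:)?(?P<host>\S+)")

# Mirrors DENY_THRESHOLD_INVALID / _VALID from the post; root and restricted
# users share one threshold of 1 here (the post keeps them as two settings).
THRESHOLDS = {"invalid": 3, "valid": 5, "restricted": 1}
# Stands in for the restricted-usernames file; constructed for the example.
RESTRICTED_USERNAMES = {"root", "Administrator"}


def classify(line):
    """Return (category, host) for a failed login, ("success", host) for an
    accepted one, or None for lines this example does not track."""
    m = SUCCESS.search(line)
    if m:
        return "success", m.group("host")
    for category, pat in PATTERNS:
        m = pat.search(line)
        if m:
            if m.group("user") in RESTRICTED_USERNAMES:
                category = "restricted"   # critical account: lowest threshold
            return category, m.group("host")
    return None


def analyze(log_text, allowed_hosts=frozenset(), reset_on_success=True):
    """Count failures per host and category; return (counts, denied) where
    denied maps host -> the category whose threshold it crossed first."""
    counts = defaultdict(lambda: defaultdict(int))
    denied = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        category, host = hit
        if host in allowed_hosts:          # whitelist (allowed-hosts) is never blocked
            continue
        if category == "success":
            if reset_on_success:           # RESET_ON_SUCCESS = yes
                counts.pop(host, None)
            continue
        counts[host][category] += 1
        if counts[host][category] >= THRESHOLDS[category] and host not in denied:
            denied[host] = category
    return {h: dict(c) for h, c in counts.items()}, denied


def hosts_deny_lines(denied, service="sshd"):
    """Render the entries DenyHosts would append to HOSTS_DENY for BLOCK_SERVICE."""
    return [f"{service}: {host}" for host in sorted(denied)]


if __name__ == "__main__":
    counts, denied = analyze(SAMPLE_LOG)
    for host, cats in counts.items():
        print(host, cats, "DENIED" if host in denied else "")
    print("\n".join(hosts_deny_lines(denied)))
```

Running it stand-alone prints the per-host counters and the two hosts.deny entries; 198.51.100.7 disappears from the counters because its later successful login resets it, and 203.0.113.9 is counted but stays under the invalid-user threshold.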