This post does not have anything to do with the GIMP. If you don’t care about Linux server administration, you should just skip this post.

I run a very small Ubuntu LAMP server that I use for small tasks such as Perl and C programming and a personal wiki. This morning, I was checking out /var/log/auth.log, and noticed multiple login failures for user ‘root’ from a strange IP, specifically 60.28.201.57. A whois lookup revealed that the IP was from China. The activity is typical of brute-force cracking, so I started to get a little worried. Thinking I’d have to bite the bullet and install a firewall, something I didn’t want to do due to the very small amount of resources this server has, I did an apt-cache search for ‘firewall’ and began the tedious process of reviewing the results.

Well, I didn’t have to look long. Not far down the list was an entry called ‘denyhosts’ with the description: an utility to help sys admins thwart ssh hackers. Well, this is exactly what I’m trying to prevent, so I went to their website and read up. It sounded perfect, so I went ahead and installed it. Immediately after install, I got a system message saying I had email. The email informed me that IP 60.28.201.57 had been added to the deny list. Wow! That was fast, and easy. I literally didn’t have to do anything. That’s the kind of tool I like! It’s also FOSS, and in the Ubuntu repositories.

In short, if you host a LAMP server, even if it’s not Ubuntu, I highly recommend DenyHosts as a simple solution for preventing this type of attack.
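
The auth.log review and deny list described above, as an added Python example (not part of the original post and not DenyHosts' own code): it counts failed sshd password attempts per source address and emits `sshd: <ip>` lines in hosts.deny style. The log lines, thresholds, allowlist parameter and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's auth.log format (documentation IP ranges,
# not the author's log). The last line has a username containing text that
# looks like a second "from <ip>", which a loose pattern would misread.
SAMPLE_LOG = """\
Mar  3 06:25:01 lamp sshd[4101]: Failed password for root from 192.0.2.57 port 40112 ssh2
Mar  3 06:25:03 lamp sshd[4103]: Failed password for root from 192.0.2.57 port 40120 ssh2
Mar  3 06:25:06 lamp sshd[4105]: Failed password for invalid user admin from 192.0.2.57 port 40131 ssh2
Mar  3 06:25:09 lamp sshd[4107]: Failed password for root from 192.0.2.57 port 40140 ssh2
Mar  3 07:10:44 lamp sshd[4220]: Failed password for alice from 198.51.100.8 port 51514 ssh2
Mar  3 07:10:52 lamp sshd[4220]: Accepted password for alice from 198.51.100.8 port 51514 ssh2
Mar  3 07:15:00 lamp CRON[4300]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 08:00:00 lamp sshd[4400]: Failed password for invalid user x from 198.51.100.8 port 1 from 203.0.113.9 port 2222 ssh2
"""

# Greedy user field plus the end-of-line anchor: the address is always taken
# from the trailing "from <ip> port <n> ssh2" that sshd itself appends.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def failed_logins(log_text):
    """Return (all_failures, root_failures) as Counters keyed by source IP."""
    total, root = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins, cron, other daemons
        total[m.group("ip")] += 1
        if m.group("user") == "root":
            root[m.group("ip")] += 1
    return total, root

def deny_entries(log_text, threshold=5, root_threshold=3, allowlist=()):
    """hosts.deny-style lines for addresses over either (illustrative) threshold."""
    total, root = failed_logins(log_text)
    return [f"sshd: {ip}" for ip in sorted(total)
            if ip not in allowlist
            and (total[ip] >= threshold or root[ip] >= root_threshold)]

if __name__ == "__main__":
    print("\n".join(deny_entries(SAMPLE_LOG)))
```

The allowlist argument is there so that an address you administer the server from is never written to the deny list after a few mistyped passwords.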

One Response to “Offtopic — Crackers! (or praise for DenyHosts)”

  1. Mave Says:

    I surf at work, watch Youtube and stay in touch with friends on Facebook with Skydur.com. I can even select a country I want to appear from (USA, United Kingdom,…) So simple to use and yet powerful. It bypasses China Firewall. It’s my best spent $16 bucks (for 3 months of service) – no more time wasting with free proxy solutions. Skydur rocks.
