DenyHosts


Hack Tale

If I had routinely viewed my sshd server logs I would have discovered many break-in attempts and manually entered these rogue hosts into /etc/hosts.deny.

However, this would become a tedious process of sifting through the logs and copying IP addresses from the log to /etc/hosts.deny. After running DenyHosts a single time through one of my log files, I discovered over 120 rogue hosts!

The break-in

The real motivation for this project was that someone hacked into one of my servers. Only by chance did I even notice! Perhaps more of an accident than anything else, I ran the w command (which prints the currently logged-in accounts on a given system) and noticed a user, test, logged into my system. I had never configured such a user. I think it was installed by a previous Red Hat version, but honestly, I don't know. After booting the user and disabling the account I noticed that the user had hacked in via brute force (lots of unsuccessful attempts and then, eureka!). I determined that this account was apparently shared among at least 3 hosts for about a week before I stumbled onto the issue.

Upon further review

I began to investigate what the hackers were doing once they gained access to my server. In the test home directory, a program, assh, was being run. Apparently, this was a script designed to launch break-in attempts from my system against others. So rather than launching further attacks from their own sites, the malicious attackers were using my server as a launchpad for their efforts.

The malicious program was generating several log files. I scanned them and realized that the evildoers had successfully hacked into other systems. They even gained root access on certain systems!

If only...

Had I created DenyHosts prior to the successful hack into my server, those malicious hackers wouldn't have gained access to my server (at least not via ssh) because after a few failed attempts their host would have ended up in /etc/hosts.deny. The script they were running would have realized it was a lost cause and moved on to another server... perhaps yours... unless you are fortunate enough to be running DenyHosts, that is.
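The core of what the tale describes, reduced to a small script: scan sshd log lines for failed logins, count them per source address, and emit /etc/hosts.deny entries (TCP Wrappers "daemon: client" syntax) for any host that crosses a threshold. This is an added illustration, not DenyHosts' own code; the log lines and the threshold of 3 are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample sshd log excerpt (not from the original page).
SAMPLE_LOG = """\
Jun 12 03:14:01 host sshd[2201]: Failed password for invalid user test from 203.0.113.5 port 40122 ssh2
Jun 12 03:14:03 host sshd[2201]: Failed password for invalid user test from 203.0.113.5 port 40123 ssh2
Jun 12 03:14:05 host sshd[2201]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jun 12 03:14:07 host sshd[2202]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jun 12 03:14:09 host sshd[2203]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jun 12 03:14:11 host sshd[2204]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
"""

# Anchor on the trailing "from <ip> port <n> ssh2" so the address is taken
# from sshd's own suffix, not from whatever the client supplied as a username.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def hosts_to_deny(counts, threshold=3):
    """Addresses whose failure count reached the threshold, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def hosts_deny_lines(ips, existing_hosts_deny="", service="sshd"):
    """New hosts.deny lines, skipping addresses already present (idempotent)."""
    already = set(existing_hosts_deny.split())
    return [f"{service}: {ip}" for ip in ips if ip not in already]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for line in hosts_deny_lines(hosts_to_deny(failures)):
        print(line)
```

Run against a real log, the output lines are what would be appended to /etc/hosts.deny; the successful key login from 192.0.2.10 is correctly ignored.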

The moral

Run DenyHosts or else risk being hacked and having your server compromised.
