If I had routinely viewed my sshd server logs I would have discovered many break-in attempts and
manually entered these rogue hosts into /etc/hosts.deny.
However, this would become a tedious process of sifting through the logs and copying IP addresses
from the log to /etc/hosts.deny. After running DenyHosts a single time through one of my log
files, I discovered over 120 rogue hosts!
The break-in
The real motivation for this project was that someone hacked into one of my servers. Only by chance
did I even notice! Perhaps more of an accident than anything else, I ran the w command (which
prints the currently logged in accounts on a given system) and noticed a user, test, logged
into my system. I had never configured such a user. I think it was installed by a previous Red Hat
version, but honestly, I don't know. After booting the user and disabling the account I noticed that
the user had hacked in via brute force (lots of unsuccessful attempts and then, eureka!). I
determined that this account was apparently shared among at least 3 hosts for about a week before
I stumbled onto the issue.
Upon further review
I began to investigate what the hackers were doing once they gained access to my server. In the
test home directory, a program assh was being run. Apparently, this was a script
designed to launch break-in attempts from my system against others. So rather than the malicious
attackers launching further attacks from their own sites, they were using my server as a launchpad for
their efforts.
The malicious program was generating several log files. I scanned them and realized that the evil
doers had successfully hacked into other systems. They even gained root access on certain systems!
If only...
Had I created DenyHosts prior to the successful hack into my server, those malicious hackers wouldn't
have gained access to my server (at least not via ssh) because after a few failed attempts their
host would have ended up in /etc/hosts.deny. The script they were running would have realized it was
a lost cause and moved on to another server... perhaps yours... unless you are fortunate
enough to be running DenyHosts, that is.
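As an added example (not DenyHosts' own code), here is a single pass over constructed sshd log lines that does what the paragraph above describes: count failed logins per host, emit the /etc/hosts.deny lines for hosts that reach a threshold, and flag a login that succeeded after its host had already been failing, which is the "eureka" moment from the break-in story. The log lines, the documentation-range addresses and the threshold of 3 are all assumptions.

```python
import re
from collections import Counter

# Constructed sample sshd log lines, not taken from the original page; the
# addresses are documentation ranges (TEST-NET) standing in for real hosts.
SAMPLE_LOG = """\
Mar  3 02:14:07 host sshd[4121]: Failed password for invalid user test from 203.0.113.5 port 40211 ssh2
Mar  3 02:14:09 host sshd[4121]: Failed password for invalid user test from 203.0.113.5 port 40211 ssh2
Mar  3 02:14:12 host sshd[4123]: Failed password for root from 203.0.113.5 port 40218 ssh2
Mar  3 02:14:20 host sshd[4127]: Accepted password for test from 203.0.113.5 port 40222 ssh2
Mar  3 02:20:31 host sshd[4140]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Mar  3 02:20:40 host sshd[4142]: Accepted publickey for alice from 198.51.100.7 port 51003 ssh2
Mar  3 02:31:02 host sshd[4150]: Failed password for invalid user oracle from 192.0.2.9 port 33021 ssh2
Mar  3 02:31:04 host sshd[4150]: Failed password for invalid user oracle from 192.0.2.9 port 33021 ssh2
Mar  3 02:31:06 host sshd[4150]: Failed password for invalid user oracle from 192.0.2.9 port 33021 ssh2
"""

# OpenSSH writes "Failed password for [invalid user ]NAME from HOST port N ssh2".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                       r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
                         r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def analyze(log_text, threshold=3):
    """Scan sshd log text once. Returns (deny_entries, suspicious): the
    /etc/hosts.deny lines for hosts with at least `threshold` failed logins,
    and (host, user) pairs where a login succeeded after the host had already
    reached the threshold."""
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("host")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        # A success from a host that was already hammering the server is the
        # brute-force "eureka" moment and deserves a look at that account.
        if m and failures[m.group("host")] >= threshold:
            suspicious.append((m.group("host"), m.group("user")))
    deny_entries = ["sshd: %s" % h for h, n in sorted(failures.items()) if n >= threshold]
    return deny_entries, suspicious

if __name__ == "__main__":
    entries, hits = analyze(SAMPLE_LOG)
    print("\n".join(entries))           # lines to append to /etc/hosts.deny
    for host, user in hits:
        print("WARNING: %s logged in as %s after repeated failures" % (host, user))
```

The one legitimate user who mistyped a password once (alice) is neither denied nor flagged; only hosts at or above the threshold are written out.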
The moral
Run DenyHosts or else risk being hacked and having your server compromised.