Reinforce ssh security with Denyhosts

Posted on 2009/11/10


…For years I’ve been saying security consists of protection, detection and response–and you need all three to have good security…

March 2007, Bruce Schneier

I always read Schneier’s site carefully, because everything he says is precise, consistent and grounded in experience. When I stumbled upon this concept of three components of security, I realized that most of my systems have only the first component: protection. My ssh servers, for example, use authentication through RSA key pairs, do not allow root login and listen on a non-standard port. But I have no way of knowing whether these servers are under a brute-force attack (for example), unless I check the logs each day when I come home. And even then, that means the attacker had an entire day to try passwords.

Enter Denyhosts.

Denyhosts is a service that detects failed login attempts and reacts to them by adding the IP addresses of the offending hosts to the hosts.deny file. It can also be configured to send a mail when it detects a possible attack. With ssh+Denyhosts the security of my systems contains all three components:

  • Protection: users cannot log in to the servers unless they know the port of the service and possess a strong authentication key.
  • Detection: the login attempts are logged and constantly checked by the Denyhosts service.
  • Response: the Denyhosts service blocks the offending hosts and reports the attack to the administrator, who in turn can take other measures such as stopping the ssh service, adding a rule to the firewall or tracing the IP address the attack comes from.
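
The detection and response steps above, as an added sketch that is not Denyhosts' own code: it counts failed logins per source address in sshd log lines and produces the matching hosts.deny rules. The sample log, the threshold of 3 and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample of OpenSSH auth-log lines (documentation-range addresses).
SAMPLE_LOG = """\
Nov 10 03:12:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Nov 10 03:12:04 host sshd[2103]: Failed password for root from 203.0.113.7 port 40120 ssh2
Nov 10 03:12:09 host sshd[2107]: Invalid user test from 203.0.113.7
Nov 10 03:12:09 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40133 ssh2
Nov 10 08:30:15 host sshd[2290]: Failed password for alice from 198.51.100.23 port 51514 ssh2
Nov 10 08:30:31 host sshd[2291]: Accepted publickey for alice from 198.51.100.23 port 51520 ssh2
"""

# Anchored on the end of the line: the user name is text supplied by the remote
# side, while the trailing "from <addr> port <n> ssh2" is written by sshd itself.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

def count_failures(log_text):
    """Detection: count failed authentications per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts

def offenders(counts, threshold, allowlist=()):
    """Addresses at or over the threshold, minus ones that must never be blocked."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)

def updated_hosts_deny(existing, ips):
    """Response: return hosts.deny text with one 'sshd: <addr>' rule per new address."""
    lines = existing.splitlines()
    present = {line.strip() for line in lines}
    for ip in ips:
        rule = f"sshd: {ip}"
        if rule not in present:      # idempotent: re-running adds nothing twice
            lines.append(rule)
            present.add(rule)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    blocked = offenders(counts, threshold=3)
    print(updated_hosts_deny("# /etc/hosts.deny\n", blocked), end="")
    print("report to administrator:", {ip: counts[ip] for ip in blocked})
```

The allowlist parameter matters in practice: a mistyped password from your own address should not lock you out of the server.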

This setup could also be taken as an example for many other applications, and the strength each component adds can be evaluated. For example, in my case the protection against brute-force attacks was strong anyway, because of the RSA key authentication, and the weakest link could be, for example, the location of the private keys. A strong detection system could then also audit any successful access and mail the user that is logging in, in order to alert him if someone stole his account.

Security is as strong as its weakest link; for this reason it is important to have a good understanding of the system and its vulnerabilities, and to act accordingly.
