This application provides a set of shell scripts that help protect your Linux server from SSH attacks by applying IP block lists to your hosts.deny file. The solution uses minimal resources on your server.
One of the most annoying consequences of operating a public server on the internet is the amount of SSH attacks it will experience. You simply have to view your /var/log/auth.log to see what we mean. Since your server is publicly available you cannot prevent these attacks. What you can do is block them.
There are a few methods to block IP addresses from accessing your server. These include Fail2Ban, DenyHosts, or IPTables. While these solutions can be effective, they may be resource intensive or difficult to set up.
The am-deny-hosts application attempts to provide a simple, reliable, and easy to set up solution that can effectively reduce the risk that your server will be compromised by SSH attacks. This solution is also intended to minimize the resource utilization on your server and allow it to perform its function without wasting CPU cycles analysing your /var/log/auth.log file.
The shell scripts delivered with this application should work on any Linux server. They require basic system commands like sed, awk, grep, cat, and wget. By default, your system should include all of these commands except perhaps wget which can be easily installed.
You should have root access to your server to operate the application successfully. You can still test the scripts without root access before requesting an administrator to install it for you.
The shell scripts were tested on versions of Debian and Ubuntu. On other Linux flavors like Fedora, CentOS, RedHat, OpenSUSE, etc. you should ensure that the ssh program includes the TCP wrappers library (libwrap.so.0).
- Download the application scripts to your server.
- Copy the scripts located in /usr/local/bin/ to a directory within your PATH environment. We recommend using the /usr/local/bin/ directory since it is usually in your system PATH by default.
- Use the chmod command to set the permissions of the scripts to 755. This allows them to be executed by anyone, but it will not allow overwriting of your /etc/hosts.deny except by the root user.
- Optionally, use the chown command to set the owner and group of the scripts to root. You have to be the root user to accomplish this successfully.
- Create a crontab file or add a line to your existing crontab file with the following or similar contents.

    # Execute am-deny-hosts at 10 minutes after midnight every day.
    # Redirect stderr and stdout output to /tmp/am-deny-hosts.log
    10 0 * * * /usr/local/bin/am-deny-hosts >> /tmp/am-deny-hosts.log 2>&1

- Activate the crontab to run the am-deny-hosts script daily. An example instruction follows.
How am-deny-hosts works
The am-deny-hosts script updates your /etc/hosts.deny file using downloaded block lists that contain IP addresses of known SSH attackers. It also includes the IP addresses of hosts that attack your own server, using a block list generated by the am-list-fails script. Your hosts.deny file can be updated periodically by adding a cron job to run the script.
The am-list-fails script captures a list of unique IP addresses that exceeded a maximum number of authentication attempts with your server. The default maximum number of attempts is set to 10. This should prevent including legitimate users who might have forgotten their password or used an unrecognized public key.
The am-latest-fails script generates the IP addresses of the most recent attackers. It does the same job as am-list-fails by capturing data from the most recent auth.log file only.
The am-list-logins script lists the hosts that were recently successful in authenticating with your server. You can use this report to do a paranoia check that helps verify that a successful attack did not occur.
The am-login-ips script generates a unique list of IP addresses that recently authenticated successfully with your server. You can add this list to your hosts.allow file, but it is not typically necessary.
The am-list-refused script generates a unique list of IP addresses of hosts that were refused a connection to your server. The report lets you analyse the success rate for blocking SSH attackers. Typically an attacker will cease and desist when they are refused a connection.
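As an added example (not the project's own code), the following POSIX shell script reproduces the core of what am-list-fails and am-deny-hosts do on a constructed auth.log excerpt: count "Failed password" lines per source IP, keep the IPs at or above the threshold of 10, and merge them into hosts.deny entries without duplicating lines already present. The function names and the sample log lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not part of the am-deny-hosts project): a minimal version
# of what am-list-fails and am-deny-hosts do. Function names and the
# sample auth.log lines are constructed for this illustration.

# Emit a constructed auth.log excerpt: ten failures from one source, then
# two failures and a success from a legitimate user who mistyped a password.
make_sample_log() {
    i=0
    while [ "$i" -lt 10 ]; do
        i=$((i + 1))
        echo "Jan 10 00:01:00 host sshd[10$i]: Failed password for root from 203.0.113.5 port 4000$i ssh2"
    done
    echo "Jan 10 00:20:00 host sshd[1200]: Failed password for alice from 198.51.100.7 port 50001 ssh2"
    echo "Jan 10 00:20:05 host sshd[1200]: Failed password for alice from 198.51.100.7 port 50001 ssh2"
    echo "Jan 10 00:20:09 host sshd[1200]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2"
}

# list_fails LOGFILE [THRESHOLD]
# Print, one per line and sorted, each source IP with at least THRESHOLD
# (default 10, as in am-list-fails) sshd "Failed password" lines. Only those
# lines are counted so that one attempt is not counted twice.
list_fails() {
    awk -v min="${2:-10}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' "$1" | sort
}

# merge_deny DENYFILE
# Read IPs on stdin and print DENYFILE followed by an "sshd: IP" line for
# each IP not already present, i.e. the update am-deny-hosts writes back.
merge_deny() {
    { cat "$1"; sed 's/^/sshd: /'; } | awk '!seen[$0]++'
}

# Demo against the constructed log, with an empty "existing" deny file.
LOG=$(mktemp)
make_sample_log > "$LOG"
list_fails "$LOG" | merge_deny /dev/null    # prints: sshd: 203.0.113.5
rm -f "$LOG"
```

The legitimate user with two failures stays below the threshold, which is the reason the scripts default to 10 rather than blocking on the first failure.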
We will be happy to help you install the application and respond to issues you may discover with the am-deny-hosts scripts. If you discover an issue or have a question, please create an issue on this project using GitHub.
When you use the am-deny-hosts application to protect your Linux server(s) from SSH attacks we expect you to see the following benefits:
- The software is easy to install and set up, making it ideal for users of all knowledge levels.
- The software does NOT over-burden your server or waste CPU cycles. This makes it ideal for low power servers with a minimum amount of CPU or RAM resources.
- The software takes advantage of publicly available black lists of known SSH attackers.
- The software uses data from your own server's authentication logs to augment the publicly available black lists.
- The software effectively minimizes the risk that an attacker will compromise your machine.
Support This Project
If you like this solution and/or find it useful, please support our efforts to keep the software up to date. Here are your options
Copyright 2016 Stephen Fox, All Rights Reserved.
This software is licensed to you under the Apache License, Version 2.0 (the "License"). You may not use this software except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.