Ade in Business

The enterprising journey of a web developer


How to prevent SSH server attacks

January 9th, 2007 · No Comments

Below is a map showing the locations of people who have tried to break into one of my dedicated servers within the last few weeks. (Click on the image to show a full-size interactive map.)

[map: locations of the hosts that attempted SSH logins]

One of the most common ways attackers try to break into systems is a dictionary attack against whatever login service is exposed, usually SSH (or FTP or Telnet, depending on which services are enabled). A script works through a list of common usernames (joe, bob, mail, root, etc.) and, for each one, a list of common passwords. It doesn't need to know which accounts exist; it simply keeps trying combinations, and any account with a guessable password eventually falls.

I’ve seen instances where a system has undergone thousands of these attempts. I’ve also seen someone start an attack on a server within a few hours of it going up, even though there weren’t any DNS records pointing to it yet, so the attackers were scanning IP ranges rather than following hostnames. The point is that this form of attack is prevalent because it’s easy for attackers to find and run programs that automate it.

Enter a program available for Linux system administrators called DenyHosts. It watches the SSH log for repeated failed logins and adds the originating IP address to /etc/hosts.deny, so that host can’t make any further connections to SSH. This relies on TCP wrappers: sshd must be built with libwrap support (the stock Fedora package is; you can check with “ldd $(which sshd) | grep libwrap”), otherwise entries in /etc/hosts.deny have no effect on it. I’ve been using this program for a while now and have found it to work really well. If you’re running Fedora it’s as simple as “yum install denyhosts” and uncommenting the entries in the cron file.
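To make the mechanism concrete, here is an added example (my own code, not DenyHosts) that does the core of what DenyHosts does: it tallies “Failed password” lines from /var/log/secure per source IP, applies separate thresholds for root, non-existent accounts and real accounts (the threshold values are assumptions chosen for this example), skips a list of trusted addresses, and prints the resulting /etc/hosts.deny entries. The log lines are constructed sample data, not real logs.

```python
"""Tally failed SSH logins per source IP and emit /etc/hosts.deny entries.

Added example, not DenyHosts's own code. The log lines below are constructed
to look like Fedora's /var/log/secure; the IPs are documentation addresses.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Jan  9 03:12:01 web1 sshd[4121]: Invalid user joe from 198.51.100.7
Jan  9 03:12:03 web1 sshd[4121]: Failed password for invalid user joe from 198.51.100.7 port 51842 ssh2
Jan  9 03:12:05 web1 sshd[4123]: Invalid user bob from 198.51.100.7
Jan  9 03:12:07 web1 sshd[4123]: Failed password for invalid user bob from 198.51.100.7 port 51844 ssh2
Jan  9 03:12:09 web1 sshd[4125]: Failed password for mail from 198.51.100.7 port 51846 ssh2
Jan  9 03:14:20 web1 sshd[4130]: Failed password for root from 203.0.113.9 port 4022 ssh2
Jan  9 03:14:22 web1 sshd[4130]: Failed password for root from 203.0.113.9 port 4022 ssh2
Jan  9 03:20:41 web1 sshd[4140]: Failed password for ade from 192.0.2.44 port 60001 ssh2
Jan  9 03:20:50 web1 sshd[4140]: Accepted publickey for ade from 192.0.2.44 port 60001 ssh2
"""

# Only "Failed password" lines are counted; the preceding "Invalid user" line
# would double-count the same attempt. The optional "invalid user " marker is
# how sshd tells us the account does not exist. IPv4 only, as in 2007-era logs.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Assumed thresholds for this example: root gets the least tolerance, guesses
# against accounts that do not exist are clearly automated, and real users
# get some room for typos.
THRESHOLDS = {"root": 1, "invalid": 2, "valid": 5}


def classify(invalid_marker, user):
    """Bucket one failure as 'root', 'invalid' (no such account) or 'valid'."""
    if user == "root":
        return "root"
    return "invalid" if invalid_marker else "valid"


def tally_failures(log_text):
    """Return {ip: Counter(category -> number of failed attempts)}."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid_marker, user, ip = m.groups()
            failures[ip][classify(invalid_marker, user)] += 1
    return failures


def offenders(log_text, thresholds=THRESHOLDS, trusted=()):
    """Sorted IPs that reached any threshold, minus addresses never to block."""
    banned = []
    for ip, counts in sorted(tally_failures(log_text).items()):
        if ip in trusted:
            continue
        if any(counts[cat] >= limit for cat, limit in thresholds.items()):
            banned.append(ip)
    return banned


def hosts_deny_lines(ips):
    """Format entries the way TCP wrappers expects them in /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG)):
        print(entry)
```

On the sample data this blocks 198.51.100.7 (two guesses against non-existent accounts) and 203.0.113.9 (root), but not 192.0.2.44, whose single failure was followed by a successful key login. Passing your own address in `trusted` is the safeguard against locking yourself out after a few mistyped passwords.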

It’s highly satisfying to see a message like this pop into your inbox, knowing that an attack was thwarted:

Added the following hosts to /etc/hosts.deny:
66.161.142.126

It’s actually kind of fun (in a geeky way) to see where these attacks are coming from. I generated the map above using the free MaxMind GeoIP City Lookup tool and the Google Maps API. The DenyHosts site also has some interesting stats culled from a number of different users.

Of course, the easiest and most effective way to prevent these attacks is to deny SSH to every IP except the ones you trust, either in the firewall or with the same /etc/hosts.allow and /etc/hosts.deny files DenyHosts uses, but that’s not very practical if your users are on dynamic IPs. The other decisive fix is to take guessable passwords out of the picture altogether: set PasswordAuthentication no in sshd_config and log in with keys, and a dictionary attack has nothing left to guess.
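As an added example of the allow-list approach (not from the original post; the addresses are assumed documentation ranges), this is what the two TCP wrappers files look like when SSH is limited to trusted sources. hosts.allow is consulted first, so anything it matches gets in; everything else falls through to the catch-all deny.

```text
# /etc/hosts.allow  (assumed example addresses)
# A single trusted host, an office network given as net/mask, and a
# domain suffix; entries are separated by spaces or commas.
sshd: 192.0.2.44, 203.0.113.0/255.255.255.0, .office.example.com

# /etc/hosts.deny
# Everything not matched above is refused before sshd ever sees a password.
sshd: ALL
```

Edit these with an existing SSH session left open and test from a second window before you log out; a typo in hosts.allow locks you out as effectively as it locks out the attackers. As with DenyHosts, this only governs services linked against libwrap.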

