Stop Bruteforce Attacks on sshd and Get Emailed About Them

So now that I have a server on a static IP address, I decided it was time to lock down sshd a little. I thought there was a simple option I could change in /etc/ssh/sshd_config to block repeated attempts. A few minutes of googling turned up nothing though. I did stumble upon a nifty application called DenyHosts. It basically watches your log files for repeated failed attempts to log in via ssh and, once an IP reaches a threshold, adds that IP to the hosts.deny file, banning the user from any interaction with your server.

The whole thing is pretty customizable. For instance, you can even set it up to email you about banned users or suspicious logins! Here’s a quickstart guide for Ubuntu:

We will use postfix, a very slim SMTP server to send mail.
sudo apt-get install denyhosts
sudo apt-get install postfix

Now some configuration:
sudo vi /etc/denyhosts.conf
# Change the line "ADMIN_EMAIL = root@localhost" to
# ADMIN_EMAIL = your@emailaddress
sudo /etc/init.d/denyhosts restart

And now you’re done! It’s ridiculously easy to get going; it’s tweaking it to your liking that takes time. The default settings are pretty harsh, so you may want to relax them a bit. For instance, it considers 10 bad logins for an existent user over the course of 5 days to be a ban-worthy offense, and bans are never forgotten. The configuration file, /etc/denyhosts.conf, is well documented, so it’s a good place to start.
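
To make the threshold behaviour concrete, here is a simplified model of the log-watching idea described above, written as an added example (it is not DenyHosts' own code and not part of the original post). The function names, the sample log and the 5-failure default for nonexistent users are assumptions; the 10-failure and 5-day values are the ones quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in sshd's syslog format (documentation-range addresses).
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
Mar  1 10:00:04 host sshd[102]: Failed password for invalid user test from 203.0.113.5 port 4001 ssh2
Mar  1 10:00:09 host sshd[103]: Failed password for invalid user oracle from 203.0.113.5 port 4002 ssh2
Mar  1 11:30:00 host sshd[104]: Failed password for root from 198.51.100.7 port 5000 ssh2
Mar  2 08:15:00 host sshd[105]: Accepted password for alice from 192.0.2.44 port 5100 ssh2
Mar  3 09:00:00 host sshd[106]: Failed password for root from 192.0.2.10 port 6000 ssh2
Mar  3 21:00:00 host sshd[107]: Failed password for root from 192.0.2.10 port 6001 ssh2
Mar  7 11:30:00 host sshd[108]: Failed password for root from 198.51.100.7 port 5001 ssh2
"""

# Anchored at both ends so the address comes from sshd's own trailing fields.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def hosts_to_deny(log_text, year=2024, invalid_threshold=5, valid_threshold=10,
                  window=timedelta(days=5)):
    """Return sorted IPs whose failed logins within `window` reach the threshold."""
    failures = defaultdict(list)  # (ip, targeted a nonexistent user?) -> timestamps
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m is None:
            continue  # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[(m["ip"], m["invalid"] is not None)].append(ts)
    denied = set()
    for (ip, invalid), stamps in failures.items():
        limit = invalid_threshold if invalid else valid_threshold
        stamps.sort()
        # any `limit` consecutive failures that fit inside the window trigger a ban
        for i in range(len(stamps) - limit + 1):
            if stamps[i + limit - 1] - stamps[i] <= window:
                denied.add(ip)
                break
    return sorted(denied)

def hosts_deny_lines(ips):
    """Format entries the way they would appear in /etc/hosts.deny for sshd."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    # Thresholds lowered so the short sample produces bans.
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_LOG, invalid_threshold=3, valid_threshold=2))))
```

With the lowered thresholds, 198.51.100.7 is not banned because its two failures are six days apart, which is the effect of the 5-day window.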
