CentOS List wrote:
Hi,
My denyhosts stopped working. How do I check why it isn't working anymore for me?
Thanks
[snipped log entries]
At the risk of alarming you at this point, I strongly recommend you run chkrootkit on your system. If your system has been compromised, then that in and of itself warrants a system reload.
After that, if it appears that you haven't been compromised, I would suggest checking the processes controlling that part of the system; not sure off the top of my head which systems those are - sorry about that. I recently had an experience where my web server was cracked via the ssh service. I was running it on port 22; however, I did have it locked down to a degree, meaning I was only accepting connections from specific IPs or subnets (local), but they still managed to get in. After reloading the machine (an entire weekend's worth of work, because the box is specifically configured as a web and email server), it was only two days and they'd dropped in another rootkit. Fortunately I caught it before they were able to compromise any of the critical systems, and I was able to lock things up real good and clean up the mess.
What I did next has taught me plenty and also contributed to kicking my own ass for not taking these steps in the past:
1. Changed the port that sshd listens on to a non-standard port. In my case I changed it to something completely random that isn't really used for anything else (check the /etc/services file for ports that aren't already assigned).
2. The second thing I did was Google locking down the ssh service. The following web address outlines the steps I used successfully to accomplish this. All it amounts to is disabling root logins to the ssh service and the use of passwords to authenticate to an sshd service. I'm not using keys to authenticate and very lengthy pass-phrases from both Windows and Linux clients.
a. http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh
3. While reading through the above howto I saw what looked like just the ticket for monitoring ssh attacks on my servers. As I read, it made more and more sense, so I went there and read some more. After I was done reading I grabbed the package and installed and configured it. It's not hard, but it is a little tedious; it works wonderfully.
b. http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
Since taking care of these things I've had no more trouble, and since installing DenyHosts I haven't had to spend anywhere near the amount of time making adjustments to my firewall either.
DenyHosts Information:
http://denyhosts.sourceforge.net/
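The three sshd_config changes the reply above describes (a non-standard Port, PermitRootLogin no, PasswordAuthentication no) can be verified with a small audit script before trusting that the box is locked down. This is an added example, not code from the thread or from DenyHosts; both sample configs and the port number 2849 are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the three
# settings the reply changes. POSIX sh; runs offline against constructed files.

# Effective value of a directive: in sshd_config the FIRST match wins,
# keywords are case-insensitive, and comments/blank lines are ignored.
sshd_effective() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }   # stop at the first Match block
        { if (tolower($1) == key) { print $2; exit } }
    ' "$1"
}

# One finding per line for each setting still in its risky state;
# prints nothing when all three are hardened. Unset directives fall
# back to the sshd defaults of that era: yes / yes / 22.
audit_sshd_config() {
    cfg="$1"
    root=$(sshd_effective "$cfg" PermitRootLogin)
    pass=$(sshd_effective "$cfg" PasswordAuthentication)
    port=$(sshd_effective "$cfg" Port)
    [ "${root:-yes}" = "no" ] || echo "PermitRootLogin=${root:-yes} (want: no)"
    [ "${pass:-yes}" = "no" ] || echo "PasswordAuthentication=${pass:-yes} (want: no)"
    [ "${port:-22}" != "22" ] || echo "Port=22 (reply recommends a non-standard port)"
    return 0
}

# Constructed sample: a stock-looking config before hardening.
WEAK_CFG=$(mktemp); cat >"$WEAK_CFG" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# Constructed sample: the same file after the changes listed in the reply
# (2849 is a made-up port, not a recommendation).
HARD_CFG=$(mktemp); cat >"$HARD_CFG" <<'EOF'
Port 2849
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

audit_sshd_config "$WEAK_CFG"    # three findings
audit_sshd_config "$HARD_CFG"    # no output
```

Point it at the live file with `audit_sshd_config /etc/ssh/sshd_config`; remember that sshd reads the file only on restart/reload, so a clean audit of the file says nothing about the daemon still running with the old settings.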