SSH Security – Pros and Cons of Methods to Block Brute Force Attacks

Tags: security, ssh

There are a number of different packages out there to shut out IPs from which brute-force SSH attacks are launched on your system. For example:

What are the pros/cons of these, or any others?

My current solution is to take the email that logwatch generates every day and dump the egregious IP addresses into a text file which I feed into a script that then rebuilds iptables. It's hacky, time-consuming and manual, and I'd like a better way.

(Note that I didn't ask what was the "best" way to solve the problem, because there is no "best" way to do anything.)

Best Answer

I use DenyHosts, so I can at least answer for that:

Pros

  • It's completely automatic
  • It's configurable (how many failed attempts before blacklisting, for usernames that don't exist, usernames that do exist, and a special entry for root)
  • It can e-mail you with a list of newly blacklisted hosts periodically, and/or run a given program every time a new host is blacklisted
  • It supports automatically un-blacklisting hosts after a while

Cons

I don't have any irreparable cons, as long as you use it correctly:

  • In its default configuration it won't alert you to newly blacklisted hosts, so if somebody is attacking your network from hundreds of different addresses you might not notice right away like you would if you're monitoring your logs manually, but (as mentioned in the pros section) it can e-mail you or run an executable to alert you when new hosts are added
  • By default it will blacklist your hosts the same as any other, so you probably want to add them to /etc/hosts.allow. I locked myself out once just failing at typing my password, and once somebody from work tried to log in to my root account as a joke and blacklisted my work IP, and it took me a few days to figure out why I suddenly couldn't connect to my network from work anymore
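An added example, not from the question or the answer and not DenyHosts' own code: the answer's three thresholds (nonexistent users, existing users, root) and its allow-list lesson applied to constructed sshd log lines, emitting entries in the /etc/hosts.deny format that DenyHosts writes. The threshold values, IP addresses and log lines are assumed, not DenyHosts' defaults.

```python
import re
from collections import defaultdict

# OpenSSH "Failed password" line; group 1 is set only when the username does not exist.
FAILED_RE = re.compile(
    r"Failed password for (invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port"
)

# Three thresholds mirroring the knobs the answer describes
# (constructed values, not DenyHosts' defaults).
THRESHOLDS = {"invalid": 2, "root": 1, "valid": 5}

# Constructed sample auth log (not from the original page).
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 10 03:14:03 host sshd[1203]: Failed password for invalid user oracle from 198.51.100.7 port 40130 ssh2
Jan 10 03:14:05 host sshd[1205]: Failed password for root from 203.0.113.9 port 51002 ssh2
Jan 10 03:14:09 host sshd[1207]: Failed password for invalid user test from 192.0.2.20 port 33010 ssh2
Jan 10 03:14:12 host sshd[1209]: Failed password for invalid user test from 192.0.2.20 port 33011 ssh2
Jan 10 03:14:20 host sshd[1213]: Accepted publickey for alice from 192.0.2.20 port 33013 ssh2
"""

def classify(line):
    """Return (category, ip) for a failed-login line, else None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    invalid, user, ip = m.groups()
    if invalid:
        return "invalid", ip
    return ("root" if user == "root" else "valid"), ip

def offenders(lines, thresholds=THRESHOLDS, allow=frozenset()):
    """Sorted IPs that crossed any threshold, minus allow-listed hosts (the hosts.allow advice)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify(line)
        if hit:
            cat, ip = hit
            counts[ip][cat] += 1
    return sorted(
        ip for ip, c in counts.items()
        if ip not in allow
        and any(c[cat] >= limit for cat, limit in thresholds.items())
    )

def hosts_deny_entries(ips):
    """Render entries in the /etc/hosts.deny (TCP wrappers) format."""
    return ["sshd: %s" % ip for ip in ips]
```

With 192.0.2.20 allow-listed (the "work IP" case from the answer), only the two other addresses are denied even though it also crossed the nonexistent-user threshold.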