Comments on: DenyHosts on FreeBSD 6.2

By: Scott Spare

Scott Spare — Sun, 15 Mar 2009 20:38:30 +0000

Great article. One note that might be of interest: in addition to your suggestions, the denyhosts faq mentions blanking out the BLOCK_SERVICE value when using auxiliary files.
http://denyhosts.sourceforge.net/faq.html#aux

Can anyone comment on why this might be?

Also, any comments on how to block ALL access from the offending hosts? This seems doable, but the tutorials and documentation seem to suggest the approach of just blocking ssh. Maybe this is to prevent a DoS to all your services at once if someone’s injecting code?

By: DenyHosts on FreeBSD 6.2 | FreeBSD - the unknown Giant

DenyHosts on FreeBSD 6.2 | FreeBSD - the unknown Giant — Thu, 26 Jun 2008 21:02:46 +0000

[...] Learn how to set it up here « FreeBSD: the best server OS Google Docs updates » [...]

By: Aaron

Aaron — Mon, 28 Apr 2008 20:40:38 +0000

Great post and thanks!

I wish I could point it at HTTP logs for brute force attacks against my .htaccess
There are an awful lot of people trying to access my phpmyadmin alias.

By: thc2cat

thc2cat — Wed, 24 Oct 2007 09:38:15 +0000

surprisingly, nobody knows pam_af ?

Port: pam_af-1.0.1
Path: /usr/ports/security/pam_af
Info: Anti-bruteforce PAM module
WWW: http://mbsd.msk.ru/stas/pam_af.html

Light, any pam service (ssh/ftp/…) can be anti-bruteforced !

http://uvblues.blogspot.com/ for a quick/dirty setup

By: Rada

Rada — Tue, 23 Oct 2007 17:09:40 +0000

@bichumo
1. Because I often connect from my mobile phone using MidpSSH
2. Because I often connect from machines which are not my own
3. Because you might be sharing the ssh access with other people
=)

By: bichumo

bichumo — Tue, 23 Oct 2007 11:49:33 +0000

Why to use such a programs, when you can use pf to block everything and allow just a few IP’s from which you can connect to port 22.

By: nixy » Using daemontools (supervise) on FreeBSD

nixy » Using daemontools (supervise) on FreeBSD — Mon, 22 Oct 2007 21:20:40 +0000

[...] extra security, and you might too. Just right off the bat I can mention things like httpd, sshd, denyhosts, and syslog-ng. While the theoretical risk of these applications crashing randomly and still being [...]

By: Tom Uffner

Tom Uffner — Wed, 17 Oct 2007 22:25:00 +0000

Another good program of this type is bruteforceblocker (available in the ports as security/bruteforceblocker or from http://danger.rulez.sk/projects/bruteforceblocker/)

It is written in perl, easy to install, and like DenyHosts it gives you the benefit of synchronizing with a master table generated by all the other people running it.

Unlike DenyHosts, it uses a firewall table instead of tcpwrappers, so if you have a BSD or linux firewall protecting your network, one instance of BruteForceBlocker can stop ssh attacks on your entire network just as easily as it can protect a single host.

It was designed for OpenBSD pf, but can be trivially adapted to ipfilter, ipfw (or iptables for the linux types).

By: Sergej Kandyla

Sergej Kandyla — Wed, 17 Oct 2007 08:05:29 +0000

Look for the bruteblock. Wonderful programm!

/usr/ports/security/bruteblock
pkg-descr:

Bruteblock allows system administrators to block various bruteforce
attacks on UNIX services. The program analyzes system logs and adds
attacker’s IP address into ipfw2 table effectively blocking them.
Addresses are automatically removed from the table after specified
amount of time. Bruteblock uses regular expressions to parse logs,
which provides flexibility allowing it to be used with almost any
network service. Bruteblock is written in pure C, doesn’t use any
external programs and work with ipfw2 tables via raw sockets API.

By: Melon

Melon — Tue, 16 Oct 2007 23:39:11 +0000

I use SSHIT and yeah doesn’t have the distrubuted list aspect, but otherwise just works… Oh and it’s written in perl… always a plus.