I think I have written before about DenyHosts, but this evening it blocked somewhere around twenty thousand individual hosts trying to log in to one of my servers.  The hackers have gotten smarter - they used to just try from one host, which was trivially blockable, even manually.  But, thanks to denyhosts (and the fairly easily trackable behavior of the hackers), they think they get a couple of chances to guess a password before being blocked.  Note that I say "think", because they actually don't get any, due to the way they are doing it.
But now they are trying to be trickier: they only try five times, then use a global network to switch to a different machine in a different country, and try five times from that computer.
Fortunately, DenyHosts has a blacklist that I can contribute to, and my system sends in all of the IP addresses that attempt to log in to mine, so as long as someone is using denyhosts they'll benefit from my logging, and perhaps the hacker won't even get a single chance to log in to someone else's server, since they'll already be blacklisted.
I am not sure what the hackers think they are going to achieve on my servers - it seems like it would be better to spend their time elsewhere.  They have figured out I use denyhosts, or a similar application, so it seems like they should move on to an easier target.
Perhaps their goal is some sort of denial of service, but I don't think that is particularly possible in this case, or at least not in the way they are going about it.  I don't know if the hosts.deny file has a practical limit on the number of entries - I don't notice any lag when logging in, i.e. parsing the file doesn't seem to take that long.
Maybe the goal is to get so many IP addresses into the database that people can't use it, and maybe, in the case of dynamic IP addressing, one of my customers could end up with a blacklisted IP.  So far, so good though, so we'll see how it goes.
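As an added illustration (not code from this post or from DenyHosts itself), the script below shows why a per-host threshold alone misses the pattern described above: it counts sshd failures per source IP the way a DenyHosts-style rule would, and separately flags usernames that are being guessed from several hosts which each stay under the limit. The log lines, IP addresses, and the threshold of five are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the standard OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)
# Per-host limit of the kind DenyHosts enforces; 5 is the figure the post mentions (assumption).
PER_HOST_THRESHOLD = 5

def parse_failures(log_lines):
    """Count failures per source IP and record which IPs tried each username."""
    by_ip = defaultdict(int)
    ips_per_user = defaultdict(set)
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            by_ip[m["ip"]] += 1
            ips_per_user[m["user"]].add(m["ip"])
    return dict(by_ip), dict(ips_per_user)

def hosts_to_deny(by_ip, threshold=PER_HOST_THRESHOLD):
    """The classic single-source case: any IP that reaches the per-host threshold."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)

def distributed_campaigns(ips_per_user, by_ip, threshold=PER_HOST_THRESHOLD, min_sources=3):
    """Usernames probed from several IPs that each stay below the per-host threshold:
    the try-a-few-then-switch-hosts pattern that a per-host rule alone never blocks."""
    found = {}
    for user, ips in ips_per_user.items():
        quiet = sorted(ip for ip in ips if by_ip[ip] < threshold)
        if len(quiet) >= min_sources:
            found[user] = quiet
    return found

def hosts_deny_lines(ips):
    """Render entries in the TCP Wrappers hosts.deny syntax that DenyHosts writes."""
    return [f"sshd: {ip}" for ip in ips]

def _line(user, ip, invalid=True):
    """Build a constructed sshd log line (timestamp, hostname and PID are made up)."""
    tag = "invalid user " if invalid else ""
    return f"Jul  8 23:40:01 server sshd[2211]: Failed password for {tag}{user} from {ip} port 51222 ssh2"

# Constructed sample: one noisy host guessing 'admin', and three hosts each trying 'root' 4 times.
SAMPLE_LOG = [_line("admin", "198.51.100.9")] * 5 + [
    _line("root", ip, invalid=False)
    for ip in ("203.0.113.5", "203.0.113.77", "192.0.2.14") for _ in range(4)
]
```

Run against SAMPLE_LOG, hosts_to_deny catches only the noisy host, while distributed_campaigns reports the three hosts sharing the 'root' guesses that each stayed under the limit.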
Posted by Jon Daley on July 8, 2008, 11:40 pm | Read 58006 times
Categories: Programming, Reviews
Ah, well that makes a difference - if you never allow shell access. Most of my users don't need shell access, but some require it.
And a good number of my customers are folks that were on cheapo hosting and either got kicked off for trying to use their "unlimited" service, or grew tired of never getting an answer from the customer support.
I've always felt that DOSing yourself by not running a useful service is bad. But I should probably remove the plank from my own eye, eh?
Since I've experienced the same issue you have, I wonder if you might consider running a honeypot and reporting what they're trying to do here on your blog. My guess is that they're script kiddies looking for bots.
I had a test account once that I forgot to delete, and they got in, and sent lots of emails before I found them. Got me on a spammer blacklist for an hour or two, that was annoying.