I just realised that my CentOS hosts don’t have Denyhosts running on them. cPanel is supposed to include some sort of anti-brute-force protection, but I don’t think it’s terribly reliable, since after installing Denyhosts on my main cPanel VM, I received the following in my admin email:
Added the following hosts to /etc/hosts.deny:
This VM has been running for less than a month, too.
Random brute-force attacks on SSH are as common as the spam in your inbox – anything running sshd on a public IP address is exposed to this, and unless you make a habit of reading your security logs (and who really has time to do that?) you need something like Denyhosts.
Ubuntu Server ships with only a bare minimum of packages, so I can understand why I have to install it myself there – but I’m a bit disappointed that CentOS doesn’t come with anything. It’s not the fault of CentOS, since they just repackage Red Hat Enterprise Linux – does RHEL 4 really ship with nothing watching over SSH? I’d be really unimpressed if that were the case and I’d bought an RHEL licence.
As an aside: I know that my CentOS installs are not the same as a standard install from the DVD, because of the way Xen VMs are created, but my day job involves installing CentOS 4 systems, and I know that it doesn’t ship with Denyhosts. X11, Gnome, and a ton of junk, but no Denyhosts.
The moral of this story is: no matter how good your passwords are, a brute-force attack will eventually compromise them, your machine – virtual or otherwise – will be pwnd and used to compromise other machines, perform DDoSes for the Russian Mafia, host kiddie porn, or one of a thousand other things that are Seriously Bad News. Unless you’ve disabled password authentication entirely and just use SSH keys, you need Denyhosts (or something like it).
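A minimal version of what Denyhosts automates, as an added example (not code from the post or from the Denyhosts project): count failed sshd password attempts per source address in constructed /var/log/secure lines and emit tcp_wrappers `hosts.deny` entries for addresses at or over a threshold. The log lines, hostnames and addresses are made up; the threshold of 5 is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format CentOS writes to /var/log/secure.
# One address hammers root and guessed usernames; the others are legitimate users.
SAMPLE_SECURE_LOG = """\
Apr 17 06:41:02 vm1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Apr 17 06:41:05 vm1 sshd[2233]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
Apr 17 06:41:09 vm1 sshd[2235]: Failed password for root from 203.0.113.7 port 41041 ssh2
Apr 17 06:41:11 vm1 sshd[2237]: Failed password for invalid user oracle from 203.0.113.7 port 41049 ssh2
Apr 17 06:41:14 vm1 sshd[2239]: Failed password for root from 203.0.113.7 port 41052 ssh2
Apr 17 06:43:55 vm1 sshd[2301]: Failed password for bob from 198.51.100.22 port 50120 ssh2
Apr 17 06:44:02 vm1 sshd[2303]: Accepted publickey for bob from 198.51.100.22 port 50121 ssh2
Apr 17 06:45:30 vm1 sshd[2350]: Accepted password for alice from 192.0.2.9 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return {ip: failed_attempts} from sshd 'Failed password' lines."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def hosts_deny_entries(log_text, threshold=5):
    """Build /etc/hosts.deny lines for addresses at or over the threshold.
    The sshd shipped with CentOS is built with tcp_wrappers support, so an
    'sshd: <ip>' line is enough to refuse further connections from that address."""
    failures = count_failures(log_text)
    return ["sshd: %s" % ip for ip, n in sorted(failures.items()) if n >= threshold]

if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_SECURE_LOG):
        print(entry)
```

A single mistyped password from a legitimate address stays below the threshold, which is why the count per address matters more than the presence of any one failure.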
Comments (2)
I changed the port that my sshd listens on and these attacks dropped off to nothing. Combine that with port-knocking and you’re pretty safe.
Posted 17 Apr 2008 at 6:50 pm
Odd ports help, but it feels a bit like security through obscurity to me.
Port-knocking always seems like a lot of effort – and I like to be able to access things through SSH from odd places, like my phone, where setting that up might be tricky.
Posted 17 Apr 2008 at 8:06 pm