I just realised that my CentOS hosts don’t have Denyhosts running on them. cPanel is supposed to include some sort of anti-brute-force protection, but I don’t think it’s terribly reliable, since after installing Denyhosts on my main cPanel VM, I received the following in my admin email:
Added the following hosts to /etc/hosts.deny:
This VM has been running for less than a month, too.
Random brute-force attacks on SSH are as common as the spam in your inbox – anything with SSHd running and a public IP address is vulnerable to this, and unless you make a habit of reading your security logs (and who really has time to do that?) you need something like Denyhosts.
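To make concrete what a tool like Denyhosts does with those logs, here is a small added example (not Denyhosts' own code): it scans lines in the /var/log/secure format that sshd writes, counts failed password attempts per source address, and formats the offenders the way they would appear in /etc/hosts.deny. The log lines and addresses are constructed samples, and the threshold of five attempts is an assumption, not a Denyhosts default.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd logs to /var/log/secure.
# Addresses are from RFC 5737 documentation ranges, not real hosts.
SAMPLE_SECURE_LOG = """\
Mar  3 04:12:01 vm1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar  3 04:12:03 vm1 sshd[2233]: Failed password for invalid user test from 203.0.113.5 port 41030 ssh2
Mar  3 04:12:05 vm1 sshd[2235]: Failed password for root from 203.0.113.5 port 41041 ssh2
Mar  3 04:12:07 vm1 sshd[2237]: Failed password for root from 203.0.113.5 port 41050 ssh2
Mar  3 04:12:09 vm1 sshd[2239]: Failed password for invalid user oracle from 203.0.113.5 port 41062 ssh2
Mar  3 04:15:44 vm1 sshd[2301]: Failed password for alice from 198.51.100.7 port 50211 ssh2
Mar  3 04:15:50 vm1 sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 50212 ssh2
Mar  3 04:20:11 vm1 sshd[2400]: Accepted password for bob from 192.0.2.44 port 33100 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def offending_hosts(log_text, threshold=5):
    """Source IPs with at least `threshold` failures, most failures first."""
    counts = count_failures(log_text)
    return sorted((h for h, n in counts.items() if n >= threshold),
                  key=lambda h: (-counts[h], h))

def hosts_deny_lines(hosts, service="sshd"):
    """Format entries in the 'daemon: client' form used by /etc/hosts.deny."""
    return ["%s: %s" % (service, h) for h in hosts]

if __name__ == "__main__":
    # A single successful login from the same address is not a failure,
    # so a user who mistyped once is not listed.
    print("\n".join(hosts_deny_lines(offending_hosts(SAMPLE_SECURE_LOG))))
```

Run against a real /var/log/secure, the same three functions give you the per-host tally that Denyhosts acts on automatically.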
Ubuntu Server ships with only a bare minimum of packages, so I can understand why I have to install it myself there – but I’m a bit disappointed that CentOS doesn’t come with anything. It’s not the fault of CentOS, since they just repackage Red Hat Enterprise Linux – does RHEL 4 ship with nothing watching over SSH? I’d be really unimpressed if that were the case and I’d bought an RHEL licence.
As an aside, while I know that my CentOS installs are not the same as a standard install from the DVD, because of the way the Xen VMs are created, my day job involves installing CentOS 4 systems, and I know that it doesn’t ship with Denyhosts. X11, Gnome, and a ton of junk, but no Denyhosts.
The moral of this story is: no matter how good your passwords are, a brute-force attack will eventually compromise them, your machine – virtual or otherwise – will be pwnd and used to compromise other machines, perform DDoSes for the Russian Mafia, host kiddie porn, or one of a thousand other things that are Seriously Bad News. Unless you’ve disabled password authentication entirely and just use SSH keys, you need Denyhosts (or something like it).