hosts.allow, hosts.deny

End SSH Brute Force Attacks

If you've done the first step, passwordless authentication, your ssh server is now set up to authenticate users with only keys, no passwords. Great! The only problem is, you still have those bots banging on the ssh port like no other. Personally, I get bothered reading through my log files and having to skip a few hundred lines of

 Failed password for invalid user bob
all the time.

The easiest way to solve this problem is using hosts.allow and hosts.deny, the TCP wrappers access control files. For such an easy solution, of course, we will need some easy assumptions: you want to log in from one IP address or group of addresses only, and you will know beforehand what those are. Meaning, you don't have a life, you can easily predict where you'll be. That sounds like my life, so that works for me. One more assumption, and this one bites: your sshd has to be built with TCP wrappers (libwrap) support, or it will never look at these files. Portable OpenSSH dropped libwrap in 6.7, though some distributions patched it back in for a while, so check before you count on it:

ldd $(which sshd) | grep libwrap

If that prints nothing, hosts.allow and hosts.deny are decoration as far as sshd is concerned, and you'll want the firewall approach instead.

The idea behind the hosts files is simple: if a rule matches in hosts.allow, the client is granted access; if not, hosts.deny is checked, and if a rule matches there, the client is denied access; if it's in neither file, the client is granted access, no questions asked. Two details matter: the first matching rule in a file wins, and a match in hosts.allow means hosts.deny is never consulted at all.

Again, simplicity is the key here. Start with hosts.allow. Edit it in your favorite editor (ed, for example, never goes out of style). Whatever else is in there, allow yourself access:

sshd: 192.168.
What's this? An incomplete address? Sure thing. The trailing dot is what makes it a prefix pattern: this allows ALL IPs that start with 192.168. to use ssh. Leave the dot off and it is treated as an exact address, which matches nobody. If your range doesn't land on a dot boundary, the net/mask form says the same thing: 192.168.0.0/255.255.0.0.

Now, deny access to everyone else. Edit hosts.deny, and add the following:

sshd: ALL
NOW you're behaving like the hermit you ought to be. No one should be knocking on that door, anyhow.

These changes take effect immediately, no restart needed, because libwrap re-reads both files on every connection. You'll find this out as soon as Bill from HR calls and says he can't get in two seconds after you save hosts.deny. Better add the office's subnet, too. The beauty of hosts.allow is that you can add as many lines as you'd like. I've had one that looks this good:

sshd: 10.1.1.
sshd: 10.1.2.
sshd: 10.4.1.
sshd: 192.168.

Simple is the key with this. First, hosts.allow is processed. If there's no service/client match, we proceed to hosts.deny, which says EVERYONE is denied access to sshd. Before you trust it, ask libwrap directly what it would do with a given client; tcpdmatch walks the real files and prints the verdict, and tcpdchk complains about syntax errors in them:

tcpdmatch sshd 10.1.1.20
tcpdmatch sshd 198.51.100.4
tcpdchk

Finally, all of those bots outside your network of trust are eliminated. They still complete the TCP handshake, so you'll see one "refused connect from" line per attempt in the log instead of a page of password failures, but that is a lot less to skip. And all of the bots within your network have users. And those users are within LART distance. How sweet it is!
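To see the allow-then-deny order do its thing without touching a live box, here is a small simulation of the decision libwrap makes. This is an added example, not code from the original post or from tcp_wrappers itself. It models the pattern forms used above (ALL, a trailing-dot prefix, an exact address) plus the net/mask form, and it assumes, as this post does, that no hostname patterns, EXCEPT lists or shell command fields are in play. The hosts.allow and hosts.deny bodies are constructed inline to mirror the ones above; the 203.0.113.0/255.255.255.0 line is an added illustration of the net/mask form.

```python
"""Simulate the hosts.allow / hosts.deny decision that libwrap makes for sshd.

Added example, not code from the original post.  It implements the order
described above: a match in hosts.allow grants, otherwise a match in
hosts.deny refuses, otherwise the client is let in.  Client patterns
modeled: ALL, a trailing-dot address prefix ("192.168."), a net/mask pair
and an exact address.  Hostname patterns, EXCEPT lists and the shell
command field are not modeled (assumption: the post uses none of them).
"""
import ipaddress

# Constructed sample files that mirror the post; nothing is read from disk.
# The 203.0.113.0/255.255.255.0 line is an added illustration of net/mask.
HOSTS_ALLOW = """\
# office subnets and the home LAN
sshd: 10.1.1.
sshd: 10.1.2.
sshd: 10.4.1.
sshd: 192.168.
sshd: 203.0.113.0/255.255.255.0
"""
HOSTS_DENY = "sshd: ALL\n"


def parse_rules(text):
    """Turn a hosts.allow/hosts.deny body into a list of (daemons, clients).

    Blank lines and lines starting with '#' are skipped, as libwrap does.
    Each remaining line is 'daemon_list : client_list [: option]'; any
    option field is ignored here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, ip):
    """Does one client pattern match the connecting IPv4 address string?"""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # Trailing dot: match on the textual prefix, so "10.1.1." takes
        # 10.1.1.20 but not 10.1.10.3.
        return ip.startswith(pattern)
    if "/" in pattern:
        # "net/mask" with a dotted-quad mask, e.g. 10.0.0.0/255.0.0.0.
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(ip) in network
    return pattern == ip   # no dot, no slash: exact address only


def file_matches(rules, daemon, ip):
    """True if any rule names this daemon (or ALL) and matches the client."""
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(p, ip) for p in clients):
                return True
    return False


def access_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'grant' or 'deny' for one connection, in libwrap's order."""
    if file_matches(parse_rules(allow_text), daemon, ip):
        return "grant"   # hosts.allow matched; hosts.deny is never read
    if file_matches(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "grant"       # in neither file: open door


if __name__ == "__main__":
    for ip in ["10.1.1.20", "10.1.10.3", "192.168.5.7",
               "203.0.113.9", "198.51.100.4"]:
        print(f"{ip:>14}  sshd -> {access_decision('sshd', ip)}")
    # Two traps worth seeing: forget hosts.deny and the bot walks in,
    # and "sshd: ALL" in hosts.deny says nothing about other daemons.
    print("empty hosts.deny ->",
          access_decision("sshd", "198.51.100.4", deny_text=""))
    print("ftpd from the bot ->", access_decision("ftpd", "198.51.100.4"))
```

Note the two traps at the bottom: with hosts.deny empty the stray bot is granted access, which is exactly the "no questions asked" default, and the sshd: ALL line only closes the door for sshd, so any other wrapped daemon on the box still needs its own deny line (or ALL: ALL). On the real machine, tcpdmatch sshd 198.51.100.4 is the same question asked of libwrap itself.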




Coming soon... roam where you want, kick out brute forcers with some iptables kludges.