Server hiccups

It seems that every few days something goes wrong with the server. Just this morning it died for some unknown reason and I had to get it rebooted. It was still pinging and services such as pop3/ssh/http would connect, but then no banners/prompts etc. would appear and the service was unresponsive.
Having looked through a number of logfiles, I noticed that just before the crash, there were a lot of failed SSH login attempts from a few different IPs and having seen this before, figured it was about time I did something about them.


Having had a quick google for ssh monitoring systems because I don’t fancy writing my own (because it’s not as interesting as other things, not because I can’t), I came across DenyHosts which seemed to fit the requirements. Downloaded the RPM (yeah ok, I’m lazy) and within 30m it was installed, configured and working.
Couple of points to make about it:
1. When you install it using the method shown in the FAQ that modifies /etc/hosts.evil instead of directly messing with /etc/hosts.deny, it helps to put the line:
sshd:ALL
into /etc/hosts.deny as well as
sshd:ALL EXCEPT /etc/hosts.evil
into /etc/hosts.allow as otherwise it seems to continue to allow access to blocked IPs. Maybe this shouldn’t be required, maybe I’ve just screwed it up, but it seems to work like this whereas it didn’t block anyone before.
2. chkconfig doesn’t recognise the daemon-control script but it’s easy enough to add a few lines to the top and rename it to /etc/init.d/denyhosts
The lines you have to add are as follows:
# denyhosts Bring up/down the denyhosts daemon
#
# chkconfig: 2345 98 02
# description: Activates/Deactivates the denyhosts daemon to block ssh
#
You can then run ‘chkconfig --add denyhosts’ to enable it at boot time. Overall, I’d have to say that this was one of the more useful programs I’ve installed and definitely one to install on any servers that I build in the future.
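
Added example, not part of the original post: a simplified Python model of the tcp_wrappers lookup order described in hosts_access(5) (hosts.allow is consulted first, then hosts.deny, and access is granted if neither matches), showing why point 1 needs both lines. The function names and the 203.0.113.7 / 198.51.100.20 addresses are constructed for illustration, and only the rule forms used in this post are handled.

```python
# Simplified model of tcp_wrappers access control (see hosts_access(5)).
# Handles only: literal addresses, ALL, "/file" patterns and one EXCEPT.

def client_matches(spec, client, files):
    """Match a client list such as 'ALL EXCEPT /etc/hosts.evil'."""
    include, _, exclude = spec.partition(" EXCEPT ")

    def hit(part):
        for tok in part.replace(",", " ").split():
            if tok == "ALL" or tok == client:
                return True
            # A pattern starting with "/" names a file of addresses.
            if tok.startswith("/") and client in files.get(tok, ()):
                return True
        return False

    return hit(include) and not (exclude != "" and hit(exclude))


def rule_matches(rules, daemon, client, files):
    """True if any 'daemon: clients' line matches this connection."""
    for line in rules:
        daemons, _, clients = line.partition(":")
        if daemons.strip() in (daemon, "ALL") and \
                client_matches(clients.strip(), client, files):
            return True
    return False


def access(daemon, client, allow, deny, files):
    """Lookup order: hosts.allow, then hosts.deny, then default allow."""
    if rule_matches(allow, daemon, client, files):
        return "allow"
    if rule_matches(deny, daemon, client, files):
        return "deny"
    return "allow"  # no rule matched in either file


# Constructed sample state: one address written to /etc/hosts.evil.
FILES = {"/etc/hosts.evil": {"203.0.113.7"}}
ALLOW = ["sshd:ALL EXCEPT /etc/hosts.evil"]   # line from the post
DENY = ["sshd:ALL"]                           # line from the post

if __name__ == "__main__":
    for deny in ([], DENY):
        for ip in ("203.0.113.7", "198.51.100.20"):
            print(deny, ip, access("sshd", ip, ALLOW, deny, FILES))
```

With an empty hosts.deny the listed address fails the hosts.allow rule but then falls through to the default allow; the sshd:ALL line in hosts.deny is what turns that fall-through into a refusal.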
