Deny Hosts and SSH Login Attempt Behavior

A few weeks ago I installed DenyHosts, a small deamon (can also be run as a cron job) that runs on my server to block IP’s that make brute force SSH login attempts.  The script has worked great, blocking over 500 hosts on the first day I used it (including myself a few times…).  One of the features of the script is the ability to send an email each time it blocks a host.  Although getting a few hundred emails at first was very annoying, setting up a few rules in gmail prevented me seeing them in my inbox (they go directly to a folder).  I did, however, start to look at the times when the various hosts get denyed.  They seem to come in large groups, so that there will be 50 or so hosts blocked in a rather short length of time, around 10 minutes or less.  The IP’s of the computers also come from all over the world, but most seem to come from Asia, South America, and Russia.  I think it would be interesting to do a more complete statistical analysis of the data in regards to the time and location of where the login attempts are coming from.  Maybe I’ll write something to do this later.

1 comment

  1. I think a mashup with Google Maps (or maybe some tricanery with Analytics) would be a great way to visualize the data.

    Botnets are horrible things.

    The real question is: do you use that crappy a password you’re concerned about someone brute-forcing it?

Comments are closed.