Yesterday I noticed my server’s load average was a bit higher than usual. Normally when this happens it means someone is screen scraping the Fake Name Generator, so I went and started reviewing the logs, trying to figure out who it was so I could block them.
Disappointingly, I couldn’t find anybody that was scraping my site, which means I had to dig deeper. The next step was to use top to figure out what processes are stealing all my resources. To my surprise (and exceedingly great alarm) I saw that there were about a dozen sshd processes running. For those that are not Linux server savvy, there should not be about a dozen sshd processes running.
SSH is the protocol that Linux server admins use to connect to their servers. Each incoming connection gets its own sshd process. When a dozen are showing up, that means a dozen people are connected or trying to connect, which is very, very disturbing for a server like mine where I’m the only one that should ever be on it.
I quickly turned to the logs and found thousands of failed login attempts. Someone was trying to hack my box. Yikes!
I quickly used iptables to block the most flagrantly offending IP, but I knew that wouldn’t hold back a committed attacker. Enter my hero: DenyHosts!
DenyHosts is a free chunk of code written in Python that periodically scans your log files, determines if someone looks like they are trying to break in, and blocks them. If you are really paranoid then you can even have it talk to other servers to find out who is trying to hack them, so you can preemptively block the bad guys.
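To make the mechanism concrete, here is an added example (my own illustration, not DenyHosts' code) of the core idea: scan sshd auth-log lines, count failed logins per source address, and emit TCP-wrappers-style `hosts.deny` entries once an address crosses a threshold. The log lines are constructed, the thresholds are chosen for this example rather than copied from DenyHosts' defaults, and the allowlist network `192.0.2.0/24` is an assumed admin subnet.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample auth-log lines in OpenSSH's usual format (not from a real server).
SAMPLE_LOG = """\
Jan 12 03:14:07 web sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 44122 ssh2
Jan 12 03:14:09 web sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 44122 ssh2
Jan 12 03:14:12 web sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 44130 ssh2
Jan 12 03:14:20 web sshd[1238]: Failed password for root from 198.51.100.9 port 39001 ssh2
Jan 12 03:14:25 web sshd[1238]: Failed password for root from 198.51.100.9 port 39001 ssh2
Jan 12 03:15:01 web sshd[1240]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2
Jan 12 03:15:30 web sshd[1242]: Failed password for deploy from 192.0.2.10 port 51002 ssh2
Jan 12 03:15:35 web sshd[1242]: Failed password for deploy from 192.0.2.10 port 51002 ssh2
Jan 12 03:15:40 web sshd[1244]: Failed password for deploy from 203.0.113.77 port 40000 ssh2
"""

# Matches "Failed password for [invalid user] NAME from IP port N"; "Accepted" lines are ignored.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Separate limits for non-existent accounts, real accounts and root.
# Hypothetical values for this example, not DenyHosts' shipped defaults.
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 2}

# Assumed admin network that must never be blocked, so a typo in your own
# password does not lock you out of your own server.
ALLOWLIST = [ip_network("192.0.2.0/24")]


def classify(user, is_invalid):
    """Bucket a failure by how suspicious the target account is."""
    if is_invalid:
        return "invalid"
    if user == "root":
        return "root"
    return "valid"


def parse_failures(log_text):
    """Yield (ip, category, user) for every failed sshd login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m["ip"], classify(m["user"], bool(m["invalid"])), m["user"]


def count_failures(log_text):
    """Return {ip: Counter({category: failures})}."""
    counts = defaultdict(Counter)
    for ip, category, _ in parse_failures(log_text):
        counts[ip][category] += 1
    return counts


def hosts_to_deny(log_text, thresholds=THRESHOLDS, allowlist=ALLOWLIST):
    """Addresses whose failures reach any category threshold, minus the allowlist."""
    deny = []
    for ip, cats in sorted(count_failures(log_text).items()):
        addr = ip_address(ip)
        if any(addr in net for net in allowlist):
            continue
        if any(cats[cat] >= limit for cat, limit in thresholds.items()):
            deny.append(ip)
    return deny


def hosts_deny_lines(ips):
    """Format blocked addresses as /etc/hosts.deny entries for sshd."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    for line in hosts_deny_lines(hosts_to_deny(SAMPLE_LOG)):
        print(line)
```

On the constructed log, 203.0.113.5 is blocked for three attempts against non-existent accounts and 198.51.100.9 for two attempts against root, while 192.0.2.10 is skipped because it sits in the allowlisted admin network even though it also has failures. The allowlist is the check worth copying into any real deployment: an automated blocker with no exemptions will happily lock out its own administrator.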
Installation and configuration literally took about 3 minutes, and it is even easier to set up if you are using Ubuntu or Linux Mint because it is in the repos. As soon as I started it, all the bad guys were blocked and my load averages started to drop. I highly recommend it for anyone that administers Linux servers.