There are some basic security steps that you can do to protect SSH, such as block the root user from logging in, and force users to use STRONG authentication.

Even after you’ve done all you can, logwatch will report that people are still wasting your time & resource by trying to break in ! This is where DenyHosts step in, it’s a small script (daemon) that keeps an eye on your SSH log file, if it spots someone trying to Brute Force Attack your SSH accounts, it adds them to hosts.deny (it’s like a firewall for some applications) and stops them from being able to connect.

I’m using redhat, so a pre-built rpm is available, if you already have DAG setup, you can use…

yum install denyhosts

I then had to run through the following steps (as root).

mkdir /usr/share/denyhosts
mkdir /usr/share/denyhosts/data/
echo '127.0.0.1' > /usr/share/denyhosts/data/allowed-hosts
cd /usr/share/denyhosts
cp /usr/share/doc/denyhosts-2.6/denyhosts.cfg-dist ./denyhosts.cfg
cp /usr/share/doc/denyhosts-2.6/daemon-control-dist ./daemon-control
chmod 700 /usr/share/denyhosts/daemon-control
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
ln -s /usr/share/denyhosts/denyhosts.cfg /etc/denyhosts.cfg
/sbin/chkconfig denyhosts on

once you’ve charged through that marathon, in /etc/denyhosts.cfg you may want to take a look (and change) the following settings (Variables)

PURGE_DENY =
ADMIN_EMAIL =
SMTP_FROM = DenyHosts <nobody@localhost>

finally once you’re happy, start the DenyHosts service

/etc/init.d/denyhosts start

Now you’re logwatch report will show how may tries they had, and then Denied !

Refused incoming connections: 1.2.3.4  (some.name.com ): 2 Time(s)

Of course one option commonly suggested is to change the SSH port number from 22 to something else, where as this will reduce the amount of attacks on the service, it does absolutely nothing to protect it; of course you could do both, it’s all a matter of choice

What’s the difference ?

Sadly there’s no hard an fast rule, what’s important is understanding what you’re buying. Traditional IDS systems used sniffers & signatures to detect attacks very similar to how virus’s are found with AV; the problem with this kind of system is that it relies on a signature being available to recognize the attack; there is also a margin of error with sniffer technology, this means it’s possible to flood a network with “safe” traffic, and then slip the attack in under the radar.

Some consider the difference between IDS and IPS is that IPS is proactive, as such it doesn’t require a signature to detect the attack, it just recognizes unacceptable behavior, the problem with this is that any technology that can do this is very difficult and expensive to implement.

Others consider the difference between IDS and IPS is that IPS implements a protective “shim” between the system and the attack; thus if the attack is recognised then it can be blocked.

Suddenly you can see how the two phrases get muddled up, those inventing intelligent systems to detect unknown or Zero Day attacks wanted a way to differentiate their technology from the rest; but IDS vendors were easily able to adopt the “P”, buy making their exiting product work in linethus providing “protection” rather an “detection”.

So I go back to my point, what’s the difference between “D” & “P”, find out if the product you’re buying uses signatures, and you’ll get an idea whether it’s a re-vamped IDS or a Zero Day protection system