Killing Mind

Ever noticed your system log is chock full of this crap?

Jan 31 01:11:43 hostname sandboxd[18371]: sshd(18375) deny mach-per-user-lookup
Jan 31 01:11:46: --- last message repeated 8 times ---
Jan 31 01:11:46 hostname sandboxd[18371]: sshd(18377) deny mach-per-user-lookup
Jan 31 01:11:49: --- last message repeated 8 times ---
Jan 31 01:11:49 hostname sandboxd[18371]: sshd(18379) deny mach-per-user-lookup
Jan 31 01:11:52: --- last message repeated 4 times ---


Check the secure log file and you'll likely find thousands of ssh login attempts from a small number of IP addresses, trying various generic usernames.

Enter DenyHosts. It's a mature, configurable Python script that monitors your log and adds entries to /etc/hosts.deny if things look suspicious.

It's quite portable and there are various instructions for older versions of Mac OS X, but there's a couple of gotchas for Snow Leopard, Mac OS X 10.6, that don't appear to be addressed in one location anywhere else. Here's how to get DenyHosts up and running on OS X 10.6:

1. Download the tar.gz file from the download page.
2. Unless you're a command line purist who doesn't need to look up the tar man page every time you use, just double click the downloaded file to unpack it.
3. Now drop into Terminal and cd to the freshly unpacked DenyHosts directory.
4. Run the installer: sudo python setup.py install
5. Optionally, move the installed files into local: sudo mv /usr/share/denyhosts /usr/local/share/
6. Change to the install directory: cd /usr/local/share/denyhosts
7. Copy the example config file: sudo cp denyhosts.cfg-dist denyhosts.cfg
8. Edit it: sudo vi denyhosts.cfg
9. Find and set these settings:
   • SECURE_LOG = /private/var/log/secure.log
   • WORK_DIR = /usr/local/share/denyhosts/data
   • LOCK_FILE = /var/run/denyhosts.pid
   • DAEMON_LOG = /private/var/log/denyhosts
10. Optionally set this to allow entries older than 10 weeks to be removed: PURGE_DENY = 10w
11. Copy the example run script: sudo cp daemon-control-dist daemon-control
12. Edit it: sudo vi daemon-control
13. Find and set these settings:
    • DENYHOSTS_BIN = "/Library/Frameworks/Python.framework/Versions/2.4/bin/denyhosts.py"
    • DENYHOSTS_LOCK = "/var/run/denyhosts.pid"
    • DENYHOSTS_CFG = "/usr/local/share/denyhosts/denyhosts.cfg"
    • PYTHON_BIN = "/usr/bin/env python2.4"
14. Create the hosts.deny file in case it's not there: sudo touch /etc/hosts.deny
15. And finally, kick off the daemon: sudo ./daemon-control start

You can monitor progress via the log at /var/log/denyhosts. You could also create a launchd service to ensure the daemon runs at boot up, but if you reboot as rarely as me, you might save yourself 10 minutes and skip it.