SSH storm – updated

The last couple of days, it seems there’s some kind of ssh botnet trying to spread out. Since I installed DenyHosts some weeks ago, I usually got 5-10 notifications of blocked IP addresses. Last weekend however, I got more than 200 notifications. 

Although I feel rather safe having installed DenyHosts (which I urge you to install on every SSH accessible server), as a lot of hosts out there aren’t protected, I fear a new botnet is in the making.

Clearly, someone thinks I need to get more junk in my mailbox. Let me tell you though, 1400 spam mails a day is enough already…

That’s why I wrote a very rudimentary script that hooks into DenyHosts and queries a whois server for an abuse email and sends it an email when found.

I didn’t notice the difference between the PLUGIN_DENY setting and the mail behaviour of DenyHosts.
By default, DenyHost will send you an email everytime it adds a new host to /etc/hosts.deny, whereas the PLUGIN_DENY script will be invoked every time it adds or readds a host to /etc/hosts.deny. That’s why I now first grep a file with hosts whose hostmaster I already notified of the abuse

The script is ridiculously easy:


# Get parameter

# Check whether we've already seen this host.
if `grep $IP /var/lib/denyhosts/notified_abuse > /dev/null` ;
        echo host already seen
        echo new host, added to logfile
        echo "`date` $IP" >> /var/lib/denyhosts/notified_abuse

# Try to lookup the abuse mailbox
abuse=`whois $IP|grep ^abuse-mailbox:| tail -n 1 |sed -e "s/abuse-mailbox: //"`

# if found an abuse mailbox, send a mail.
if [ "x$abuse" != "x" ];
cat << EOF | mail -a "From: Pieter Barrezeele <>" -s "SSH brute force attack from $IP" $abuse

Dear Sir/Madam,

Today we experienced an SSH brute force attack originating
from $IP, a host under your responsibility. This probably means
the host in question is compromised.
Please take action to stop this host from attacking us again.

Thanks in advance,
Pieter Barrezeele

PS: this is an automated mail, any errors in this mail are caused by parsing errors.

I’d advise you to send the mails to yourself for a few days until you see only new hosts are added. Alternatively, you could copy the contents of /etc/hosts.deny into /var/lib/denyhosts/notified_abuse as well.

3 Responses to “SSH storm – updated”

  1. Bert says:

    Kan ook iets te maken hebben met de recente Debian OpenSSH weakness.

  2. Gama says:

    Thx for this useful script!!

    I don´t want to upgrade to the new version of denyhosts, so your script helps me to get the notification only once.

    Thx a lot!!

Leave a Reply