How does DenyHosts work?
When run for the first time, DenyHosts creates a work directory. The work directory stores the data DenyHosts collects; the files are plain text, so they can be edited by hand if necessary.
DenyHosts then processes the sshd log (typically /var/log/secure or /var/log/auth.log, depending on the distribution) and determines which hosts have unsuccessfully attempted to gain access to the ssh server. It also records the user name and whether that user is root, otherwise valid (e.g. has a system account) or invalid (e.g. does not have a system account).
When DenyHosts determines that a given host has attempted to log in with a non-existent user account a configurable number of times (DENY_THRESHOLD_INVALID), it adds that host to /etc/hosts.deny. This prevents the host from contacting your sshd server again, provided sshd honours hosts.deny (i.e. it was built with tcp_wrappers support, which is the case for the distribution packages tested here).
The DENY_THRESHOLD_ROOT configuration value specifies the maximum number of times the root account may fail to log in before the host is blocked. This value is typically set lower than DENY_THRESHOLD_INVALID so that hosts attacking root are blocked earlier than those attacking other accounts. It is also good practice to disable root logins in /etc/ssh/sshd_config (PermitRootLogin no) in conjunction with this setting. With both in place, nobody can log in as root@your-server, and a host that keeps trying is blocked from attacking other user accounts as soon as DENY_THRESHOLD_ROOT is reached.
The DENY_THRESHOLD_VALID configuration value specifies the maximum number of times a valid user (i.e. a user that exists in /etc/passwd) may fail to log in before the host is blocked. This parameter helps those with "fat fingers". It is typically set higher than DENY_THRESHOLD_INVALID.
DenyHosts also notes any successful logins from a host that has already exceeded a deny threshold. These are known as suspicious logins and should be investigated further by the system administrator.
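The processing described above, as an added Python model (this is example code written for this page, not DenyHosts's own source). The auth.log lines, the threshold values and the LOCAL_ACCOUNTS stand-in for /etc/passwd are all constructed assumptions; the thresholds are chosen to show the recommended ordering root < invalid < valid.

```python
import re
from collections import defaultdict

# Thresholds. The values are assumed for this example and chosen to show the
# recommended ordering root < invalid < valid; the real ones are read from
# /etc/denyhosts.conf.
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 10
THRESHOLDS = {"root": DENY_THRESHOLD_ROOT,
              "invalid": DENY_THRESHOLD_INVALID,
              "valid": DENY_THRESHOLD_VALID}

# Constructed stand-in for the accounts in /etc/passwd (assumption).
LOCAL_ACCOUNTS = {"root", "alice", "bob"}

# Constructed auth.log excerpt (not a real capture). Only "Failed password"
# and "Accepted ..." lines are examined, mirroring what the text describes.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1001]: Failed password for invalid user admin from 192.168.12.155 port 40001 ssh2
Jan 10 10:00:03 host sshd[1002]: Failed password for invalid user oracle from 192.168.12.155 port 40002 ssh2
Jan 10 10:00:05 host sshd[1003]: Failed password for invalid user test from 192.168.12.155 port 40003 ssh2
Jan 10 10:00:07 host sshd[1004]: Failed password for root from 10.0.0.9 port 50001 ssh2
Jan 10 10:00:09 host sshd[1005]: Failed password for root from 10.0.0.9 port 50002 ssh2
Jan 10 10:00:11 host sshd[1006]: Failed password for alice from 172.16.0.4 port 60001 ssh2
Jan 10 10:00:13 host sshd[1007]: Failed password for alice from 172.16.0.4 port 60002 ssh2
Jan 10 10:00:15 host sshd[1008]: Accepted password for alice from 172.16.0.4 port 60003 ssh2
Jan 10 10:00:17 host sshd[1009]: Accepted password for bob from 192.168.12.155 port 40004 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
                       r"(?P<user>\S+) from (?P<host>\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+)")


def classify(user, invalid_tag):
    """root / valid (has a system account) / invalid (no system account)."""
    if user == "root":
        return "root"
    if invalid_tag or user not in LOCAL_ACCOUNTS:
        return "invalid"
    return "valid"


def process_log(lines):
    """Return (denied_hosts, suspicious_logins).

    Failures are counted per (host, category). A host is denied as soon as
    any category reaches its threshold. A successful login from a host that
    is already over a threshold is reported as suspicious rather than undone.
    """
    counts = defaultdict(int)
    denied = []       # hosts to add to /etc/hosts.deny, in order of detection
    suspicious = []   # (user, host) pairs that warrant a closer look
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            host, cat = m["host"], classify(m["user"], m["invalid"] is not None)
            counts[(host, cat)] += 1
            if counts[(host, cat)] >= THRESHOLDS[cat] and host not in denied:
                denied.append(host)
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["host"] in denied:
            suspicious.append((m["user"], m["host"]))
    return denied, suspicious


def hosts_deny_entries(denied):
    """Lines in the tcp_wrappers form that DenyHosts appends to /etc/hosts.deny."""
    return ["sshd: %s" % host for host in denied]


if __name__ == "__main__":
    denied, suspicious = process_log(SAMPLE_LOG.splitlines())
    print("\n".join(hosts_deny_entries(denied)))
    for user, host in suspicious:
        print("suspicious login: %s from denied host %s" % (user, host))
```

Run against the sample, 192.168.12.155 is denied after three invalid-user failures and 10.0.0.9 after a single root failure, while 172.16.0.4 stays allowed because alice's two failures are far below DENY_THRESHOLD_VALID. Bob's later success from 192.168.12.155 is flagged as suspicious, which is exactly the case the text says an administrator should look into. The real DenyHosts keeps its counters across runs in the work directory; this model only counts within one pass.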
Install Denyhosts :
Install on Ubuntu/Debian/LinuxMint :
sudo apt-get install python python2.6-dev python2.6
and then install denyhosts itself:
sudo apt-get install denyhosts
For Fedora/RHEL/CentOS :
yum install python
Then install denyhosts with the command :
yum install denyhosts
Configuration of Denyhosts
For Ubuntu/Debian and Fedora/RHEL/CentOS (all tests below were done on Ubuntu 9.04, LinuxMint 7 and Fedora 11):
The Ubuntu and Fedora packages create all of the required links and set the denyhosts script to run as a daemon automatically. This means everything has been pre-configured, so most of the default settings should be fine. If you compile from source you have to create the links and set the permissions manually (not covered here).
On Ubuntu/Debian and Fedora/RHEL/CentOS you can find the denyhosts configuration file at :
/etc/denyhosts.conf
The files hosts.deny and hosts.allow must also be present in /etc/ ; please check that they are there.
Now, to start denyhosts as root (on Ubuntu/Debian prefix the command with sudo) :
/etc/init.d/denyhosts start
To stop denyhosts as root (on Ubuntu/Debian prefix the command with sudo) :
/etc/init.d/denyhosts stop
Denyhosts logs to :
/var/log/denyhosts
To purge Hosts :
If valid hosts end up being blocked (e.g. during testing, or after a forgotten password), you can purge entries from the /etc/hosts.deny file by running the denyhosts script with the --purge option. Only entries older than the value set in PURGE_DENY are removed, so you may want to lower the value temporarily in order to purge the valid host (e.g. to purge entries older than one minute, set PURGE_DENY = 1m in /etc/denyhosts.conf).
First, stop denyhosts :
sudo /etc/init.d/denyhosts stop
Second, purge the hosts :
sudo denyhosts --purge
Third, start denyhosts again :
sudo /etc/init.d/denyhosts start
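What the purge step does, modelled in Python as an added example (this is illustration code written for this page, not DenyHosts's own implementation). The hosts.deny contents and the "current time" are constructed; the stamped two-line entry form ("# DenyHosts: <asctime> | sshd: <ip>" followed by the bare "sshd: <ip>" line) is the format this example assumes for entries written while PURGE_DENY was set, and the rule that only stamped entries can be purged is likewise an assumption of the model.

```python
import re
from datetime import datetime

# Units accepted by PURGE_DENY in denyhosts.conf.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}

# Constructed /etc/hosts.deny contents (not a real file). The two-line form
# "# DenyHosts: <asctime> | sshd: <ip>" followed by "sshd: <ip>" is the stamped
# entry format assumed by this example; the bare entry has no stamp.
SAMPLE_HOSTS_DENY = [
    "# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.",
    "sshd: 198.51.100.7",
    "# DenyHosts: Mon Jan 10 09:00:00 2011 | sshd: 192.168.12.155",
    "sshd: 192.168.12.155",
    "# DenyHosts: Mon Jan 10 10:00:00 2011 | sshd: 10.0.0.9",
    "sshd: 10.0.0.9",
]
NOW = datetime(2011, 1, 10, 10, 0, 30)   # constructed "current time"

STAMP_RE = re.compile(r"^# DenyHosts: (?P<stamp>.+?) \| (?P<entry>.+)$")


def parse_purge_deny(value):
    """'1m' -> 60, '2w' -> 1209600; a bare number is taken as seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdwy]?)\s*", value)
    if not m:
        raise ValueError("bad PURGE_DENY value: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def purge(lines, purge_deny, now):
    """Return hosts.deny lines with stamped entries older than purge_deny removed.

    Lines without a DenyHosts stamp (hand-written entries, comments) are kept
    untouched: the purge only ever touches entries it can date.
    """
    kept, i = [], 0
    while i < len(lines):
        m = STAMP_RE.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1].strip() == m["entry"].strip():
            stamped = datetime.strptime(m["stamp"], "%a %b %d %H:%M:%S %Y")
            if (now - stamped).total_seconds() <= purge_deny:
                kept.extend(lines[i:i + 2])      # still younger than PURGE_DENY
            i += 2
        else:
            kept.append(lines[i])
            i += 1
    return kept


if __name__ == "__main__":
    for line in purge(SAMPLE_HOSTS_DENY, parse_purge_deny("1m"), NOW):
        print(line)
```

With PURGE_DENY = 1m the entry for 192.168.12.155 (about an hour old) is dropped, the 30-second-old entry for 10.0.0.9 survives, and the unstamped entry for 198.51.100.7 is never touched. This is why lowering PURGE_DENY temporarily works: the cut-off is relative to the time the entry was stamped, not to when the daemon was restarted.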
Now let's make a test: we will connect to my ssh server and make several attempts to log in with an incorrect password, then check hosts.deny and see what happens :
zinovsky@zinovskyhowtos:/etc$ tail -f -s3 /etc/hosts.deny
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
sshd:192.168.12.155
This means that the system with the IP address 192.168.12.155 can no longer connect using SSH, for as long as that entry remains in /etc/hosts.deny.
To watch auth.log in the terminal, type :
tail -f -s3 /var/log/auth.log
Links :
Alternatively, you could use ssh-faker: http://www.pkts.ca/ssh-faker.shtml, which gives you a secret-password-based authentication step in front of ssh logins.