Prevent brute force attacks on SSH servers with DenyHosts
DenyHosts is a Python script that analyzes the sshd server log messages to determine which hosts are attempting to break into your system. It also determines which user accounts are being targeted, and it keeps track of the frequency of attempts from each host. DenyHosts is designed for use by Linux system administrators, but the script can be useful to anybody running an sshd server. So how does DenyHosts work?
How does DenyHosts work?
When run for the first time, DenyHosts will create a work directory. The work directory will ultimately store the data collected; the files are in a human-readable format, for easy editing if necessary.
DenyHosts then processes the sshd server log (typically /var/log/secure, /var/log/auth.log, etc.) and determines which hosts have unsuccessfully attempted to gain access to the SSH server. Additionally, it notes the user and whether that user is root, otherwise valid (e.g. has a system account) or invalid (e.g. does not have a system account).
When DenyHosts determines that a given host has attempted to log in using a non-existent user account a configurable number of times (this is known as the DENY_THRESHOLD_INVALID), DenyHosts will add that host to the /etc/hosts.deny file. This will prevent that host from contacting your sshd server again.
The DENY_THRESHOLD_ROOT configuration value specifies the maximum acceptable number of times the root user account can fail to log in before being blocked. Typically this value is set lower than DENY_THRESHOLD_INVALID, so that attackers targeting root are blocked earlier than those targeting other accounts. It is also good practice to disable root logins in the sshd.conf file in conjunction with this setting. By doing so, no user can log in to root@your-server, and the attacking host will be blocked from attacking other user accounts once DENY_THRESHOLD_ROOT is reached.
The DENY_THRESHOLD_VALID configuration value specifies the maximum acceptable number of times a valid user (i.e. a user that exists in /etc/passwd) can fail to log in before being blocked. This parameter can be helpful for those with "fat fingers". Typically this value is set higher than DENY_THRESHOLD_INVALID.
Also, DenyHosts will note any successful logins by a host that has exceeded the deny threshold. These are known as suspicious logins and should be investigated further by the system administrator.
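To make the logic described above concrete, here is a small added example (not DenyHosts' own code) that applies the same idea to a constructed auth.log sample: failed logins are bucketed per host as root, valid or invalid, compared against the three DENY_THRESHOLD_* settings, and successful logins from a host that crossed a threshold are reported as suspicious. The threshold values, the SYSTEM_USERS set standing in for /etc/passwd, and the log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Thresholds named after the DenyHosts settings described above (values assumed here).
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_VALID = 5
SYSTEM_USERS = {"root", "bob"}  # stands in for /etc/passwd in this example

# Constructed sshd lines in /var/log/auth.log style (sample data, not a real log).
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2
Jan 10 10:00:03 host sshd[2102]: Failed password for invalid user test from 192.0.2.10 port 4002 ssh2
Jan 10 10:00:05 host sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 4003 ssh2
Jan 10 10:00:07 host sshd[2104]: Failed password for root from 192.0.2.20 port 4010 ssh2
Jan 10 10:00:09 host sshd[2105]: Accepted password for bob from 192.0.2.20 port 4011 ssh2
Jan 10 10:00:11 host sshd[2106]: Failed password for bob from 192.0.2.30 port 4020 ssh2
Jan 10 10:00:13 host sshd[2107]: Failed password for bob from 192.0.2.30 port 4021 ssh2
"""
FAILED_RE = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")

def classify(user, flagged_invalid):
    """Bucket a failed login the way DenyHosts does: root, valid or invalid user."""
    if user == "root":
        return "root"
    return "invalid" if flagged_invalid or user not in SYSTEM_USERS else "valid"

def analyze(log_text):
    """Return (hosts to deny, suspicious successful logins) for the given log text."""
    counts = defaultdict(lambda: {"root": 0, "valid": 0, "invalid": 0})
    accepted = []  # (host, user) of successful logins, judged after counting
    for line in log_text.splitlines():
        if (m := FAILED_RE.search(line)):
            counts[m.group(3)][classify(m.group(2), bool(m.group(1)))] += 1
        elif (m := ACCEPTED_RE.search(line)):
            accepted.append((m.group(2), m.group(1)))
    denied = {host for host, c in counts.items()
              if c["root"] >= DENY_THRESHOLD_ROOT
              or c["invalid"] >= DENY_THRESHOLD_INVALID
              or c["valid"] >= DENY_THRESHOLD_VALID}
    # A login that succeeded from a host over a threshold is what DenyHosts calls suspicious.
    suspicious = [(h, u) for h, u in accepted if h in denied]
    return denied, suspicious

def hosts_deny_lines(denied):
    """Format the entries DenyHosts would append to /etc/hosts.deny."""
    return [f"sshd: {host}" for host in sorted(denied)]
```

With the sample, `analyze(SAMPLE_LOG)` denies 192.0.2.10 (three invalid users) and 192.0.2.20 (one root failure), while 192.0.2.30 stays below DENY_THRESHOLD_VALID; bob's accepted login from 192.0.2.20 is the suspicious one.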
Install DenyHosts:
Install on Ubuntu/Debian/LinuxMint:
sudo apt-get install python python2.6-dev python2.6
and then install DenyHosts:
sudo apt-get install denyhosts
For Fedora/RHEL/CentOS:
yum install python
Then install DenyHosts using the command:
yum install denyhosts
Configuration of DenyHosts
For Ubuntu/Debian and Fedora/RHEL/CentOS (all tests below were done on Ubuntu 9.04, Linux Mint 7 and Fedora 11):
The Ubuntu/Fedora package will create all of the required links and set the denyhosts script to run as a daemon automatically. This means that everything has been pre-configured, so most of the settings should be fine. If you want to compile from source, you have to create all links and permissions manually; see above.
You can find the DenyHosts configuration file on Ubuntu/Debian and Fedora/RHEL/CentOS at:
The files hosts.deny and hosts.allow must also be present in /etc/; please check that they are there.
Now, to start DenyHosts as root (on Ubuntu/Debian, use sudo before the command):
To stop DenyHosts as root (on Ubuntu/Debian, use sudo before the command):
DenyHosts logs to:
To purge hosts:
If valid hosts end up being blocked (e.g. during testing, after a forgotten password, etc.), you can purge entries from the /etc/hosts.deny file by running the denyhosts script with the --purge option. The entries must be older than the value set in PURGE_DENY, so you may want to lower that value temporarily in order to purge the valid host (e.g. to purge entries older than 1 minute, set PURGE_DENY = 1m in the /etc/denyhosts.conf file).
First, stop DenyHosts:
sudo /etc/init.d/denyhosts stop
Second, purge hosts:
sudo denyhosts --purge
Third, start DenyHosts:
sudo /etc/init.d/denyhosts start
Now let's run a test: we will connect to my SSH server and make several login attempts with an incorrect password. Then we will check hosts.deny and see what happens:
zinovsky@zinovskyhowtos:/etc$ tail -f -s3 /etc/hosts.deny
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
# The PARANOID wildcard matches any host whose name does not match its
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
This means that the system with the IP address 192.168.12.155 cannot connect anymore using SSH.
Now, to watch auth.log in the terminal, type:
tail -f -s3 /var/log/auth.log