SSH/DenyHosts
From Gentoo Linux Wiki
Introduction
DenyHosts is a Python script that analyzes the OpenSSH server log to determine whether hosts are attempting to break into your system. DenyHosts also determines which user accounts are being targeted and keeps track of the frequency of attempts from each host.
Upon discovery of repeated attacks, the /etc/hosts.deny file is updated with the relevant host information, preventing future break-in attempts from that host. See the features
A better alternative to DenyHosts is sshdfilter as it executes sshd itself, and so blocks can be initiated instantly (the program is constantly monitoring your sshd log). It also logs all attempts and a supplied Logwatch script can give you periodical summaries.
Installation
Before installing, make sure you have a running system logger such as syslog-ng. If you do not, install one with emerge -av syslog-ng, start it with /etc/init.d/syslog-ng start, and add it to the default runlevel with rc-update add syslog-ng default.
First emerge DenyHosts by running emerge -av denyhosts.
Ensure OpenSSH was merged with the tcpd USE flag enabled:
emerge -pv net-misc/openssh
(the net-misc/openssh line of the output should list +tcpd among its USE flags)
If needed, re-emerge OpenSSH with tcpd support:
echo 'net-misc/openssh tcpd' >> /etc/portage/package.use
emerge -av net-misc/openssh
Configuration
Most of this configuration is already done for you by recent ebuild releases. At this point, most users can safely skip ahead to the Starting DenyHosts section.
File: /etc/denyhosts.conf

# Ensure the SECURE_LOG variable is set to the location where OpenSSH (the sshd process)
# logs its messages. Customized loggers might put OpenSSH logging elsewhere.
SECURE_LOG = /var/log/messages

# This is now also the default for DAEMON_LOG, and allows you to set the date format for logging.
DAEMON_LOG = /var/log/denyhosts
DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S

# Synchronization Mode is a new feature as of version 2.0. This mode allows DenyHosts to sync
# with a central host with known predators. Simply uncommenting the SYNC_SERVER variable enables
# Synchronization Mode. Once enabled, publishing your found predators to the central server is
# also enabled by default.
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
Starting DenyHosts
You can configure DenyHosts to run as a daemon by running:
Code: Add to runlevel
rc-update add denyhosts default
or as a cronjob, by adding the following to your crontab. Edit the crontab using crontab -e.
Code: crontab
# run DenyHosts every 10 minutes
# (user crontab format, as edited with crontab -e: no user field; in /etc/crontab, add "root" before the command)
*/10 * * * * python /usr/bin/denyhosts -c /etc/denyhosts.conf
Now, start DenyHosts. This may take a while as it parses the log file.
Code: Start DenyHosts
/etc/init.d/denyhosts start
If a client now makes more failed login attempts than allowed, its IP is added to /etc/hosts.deny, so the next time it tries to connect, the server refuses the connection.
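As an added illustration of the mechanism described in the Introduction and above (this is not DenyHosts' own code, and it is much simplified: DenyHosts applies several thresholds and manages expiry of hosts.deny entries), the script below counts failed sshd logins per host from constructed SECURE_LOG-style lines, records which accounts each host targeted, and emits hosts.deny entries for hosts at or above an assumed threshold:

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sshd writes to SECURE_LOG.
SAMPLE_LOG = """\
Mar  3 10:01:12 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 gw sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:19 gw sshd[2205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:02:40 gw sshd[2210]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Mar  3 10:03:02 gw sshd[2212]: Failed password for alice from 198.51.100.5 port 40030 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)


def count_failures(log_text):
    """Return {host: {"count": n, "users": {user: n}}} for failed sshd logins."""
    stats = defaultdict(lambda: {"count": 0, "users": defaultdict(int)})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            host, user = m.group("host"), m.group("user")
            stats[host]["count"] += 1
            stats[host]["users"][user] += 1
    return stats


def hosts_deny_entries(stats, threshold=3):
    """hosts.deny lines (sshd: <host>) for hosts at or above the assumed failure threshold."""
    return [f"sshd: {host}" for host, s in sorted(stats.items()) if s["count"] >= threshold]


if __name__ == "__main__":
    stats = count_failures(SAMPLE_LOG)
    for host, s in stats.items():
        print(f"{host}: {s['count']} failures, targeted users {dict(s['users'])}")
    print("\n".join(hosts_deny_entries(stats)))
```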
Alternative Configuration
To avoid running DenyHosts all the time as a daemon, you can instruct DenyHosts to execute only when an SSH user connects. This introduces a negligible delay for the user, but saves resources, since DenyHosts only needs to run when a user connects.
File: /etc/denyhosts.conf
HOSTS_DENY = /etc/hosts.blocked
Now edit /etc/hosts.deny to run denyhosts. Note that we are running denyhosts without the --daemon option.
File: /etc/hosts.deny
ALL: /etc/hosts.blocked
sshd: ALL: spawn python /usr/bin/denyhosts.py -c /etc/denyhosts.conf: allow
At this point it is advisable to run python /usr/bin/denyhosts.py -c /etc/denyhosts.conf once by hand. This first run may take quite some time; subsequent runs (triggered when SSH users log on) will be much faster. Note that hosts.allow and hosts.deny only take effect if sshd was built with TCP wrappers support (the tcpd USE flag above).
