zarzax the blog

DenyHosts smart defense for your SSH server

by Mark on Mar.19, 2009, under sysadmin

DenyHosts smart SSH Server Protection

DenyHosts is a Python based security tool for SSH servers.

DenyHosts is a Python script that runs on any Linux or BSD based system to help block SSH based attacks. It works to prevent both “dictionary based” and “brute force” attacks. It also provides a system to synchronize block lists with other DenyHosts users.

It works by scanning the sshd log file (/var/log/auth.log or /var/log/secure) for failed login attempts. A block is triggered by the number of failed attempts from an address, or by login attempts with invalid usernames. Once it detects an attack it adds the IP address to /etc/hosts.deny, which blocks that IP from connecting to your system in the future. Check out the features page for the full list of features.

I started using DenyHosts after I noticed a surprising number of failed login attempts in my sshd logs. After I installed DenyHosts it discovered over 50 IPs that were attempting to gain access to my system and started blocking them. I quickly discovered the synchronization features and have not looked back. Now I maintain a blocklist of nearly 9000 IPs.

Base System

I am going to describe how to set up a basic server firewall with this base system as the example:

  • Ubuntu Server 8.04 LTS (hardy)
  • basic apt sources (hardy main, hardy-updates main, hardy-security main)

Installation

sudo apt-get install denyhosts

Configuration

Edit the configuration file /etc/denyhosts.conf so that it includes the settings below. DenyHosts reads comments only on their own lines (beginning with #), so keep explanatory notes above a setting rather than after its value.

SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
# When left blank the block list is never purged.
PURGE_DENY =
# sshd blocks only the SSH server; ALL blocks the IP for all services.
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 5
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
# Performs a hostname lookup for each blocked IP. Set to NO for better performance.
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid

############ THESE SETTINGS ARE OPTIONAL ############
# Leave blank, or set to your email address to receive reports on blocked IPs.
ADMIN_EMAIL =
# localhost if you run your own mail server, otherwise the address of an external SMTP server.
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts
SMTP_SUBJECT = DenyHosts Report
SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d

######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

######### THESE SETTINGS ARE SPECIFIC TO DAEMON SYNCHRONIZATION ##########
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3

Sync server setup is optional. If you only want to block attempts against your own server, comment out the SYNC_SERVER line.

Start the Service

sudo /etc/init.d/denyhosts restart
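To see what the DENY_THRESHOLD_* values above actually do, here is an added example (not part of the original post or of DenyHosts itself) that applies the same three thresholds to a constructed set of auth.log lines and prints the hosts.deny entries DenyHosts would write. It only matches sshd "Failed password" lines, a subset of what the real tool parses, and the addresses and user names are made up.

```python
import re
from collections import defaultdict

# Thresholds taken from the denyhosts.conf shown above.
DENY_THRESHOLD_INVALID = 5   # failures using a user name that does not exist
DENY_THRESHOLD_VALID = 10    # failures using an existing, non-root user name
DENY_THRESHOLD_ROOT = 5      # failures against root

# Simplified matcher for sshd "Failed password" lines in /var/log/auth.log.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def classify_failures(log_lines):
    """Count sshd password failures per IP in the three DenyHosts categories."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0})
    for line in log_lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if m.group("invalid"):
            counts[ip]["invalid"] += 1
        elif m.group("user") == "root":
            counts[ip]["root"] += 1
        else:
            counts[ip]["valid"] += 1
    return counts

def hosts_to_deny(log_lines, block_service="sshd"):
    """Return the /etc/hosts.deny lines the thresholds would produce."""
    entries = []
    for ip, c in sorted(classify_failures(log_lines).items()):
        if (c["invalid"] >= DENY_THRESHOLD_INVALID
                or c["valid"] >= DENY_THRESHOLD_VALID
                or c["root"] >= DENY_THRESHOLD_ROOT):
            entries.append(f"{block_service}: {ip}")  # BLOCK_SERVICE: IP
    return entries

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = (
    [f"Mar 19 10:0{i}:00 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4000 ssh2" for i in range(5)]
    + [f"Mar 19 10:1{i}:00 host sshd[1235]: Failed password for root from 198.51.100.7 port 4001 ssh2" for i in range(5)]
    + [f"Mar 19 10:2{i}:00 host sshd[1236]: Failed password for mark from 203.0.113.5 port 4002 ssh2" for i in range(3)]
    + ["Mar 19 10:30:00 host sshd[1236]: Accepted password for mark from 203.0.113.5 port 4002 ssh2"]
)

if __name__ == "__main__":
    for entry in hosts_to_deny(SAMPLE_LOG):
        print(entry)
```

Only the two addresses that reach a threshold are listed; the three failures from 203.0.113.5 against a valid user stay below DENY_THRESHOLD_VALID and are not blocked.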
