HOWTO Protect SSHD with DenyHosts

From Gentoo Linux Wiki

This article is part of the Security series.


Introduction

DenyHosts is a Python script that parses the OpenSSH server log to find hosts that are attempting to break into your system. It also records which user accounts are being targeted and tracks the number of failed attempts from each host.

When a host exceeds the configured thresholds, DenyHosts adds it to /etc/hosts.deny so that tcp-wrappers refuses its future connections. This only works if sshd was built with tcp-wrappers support, which is why the next section checks the tcpd USE flag. See the features list for details.
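To make the detection logic concrete, here is an added example (not DenyHosts' own code) that does the core of what DenyHosts does with SECURE_LOG: it parses sshd failure lines from a constructed /var/log/messages sample, counts attempts per source host, separating attempts against non-existent accounts, real accounts and root, and emits hosts.deny entries for hosts over a threshold. The threshold names mirror DenyHosts' DENY_THRESHOLD_* settings, but the values are lowered to suit the small sample; the log lines and addresses are constructed.

```python
"""Count failed sshd logins per source host and emit hosts.deny entries.

Added example (not DenyHosts' own code): a minimal version of what
DenyHosts does with SECURE_LOG. The log lines below are constructed,
in the syslog format sshd uses in /var/log/messages.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/messages; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Mar  3 10:01:02 gentoo sshd[4321]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:05 gentoo sshd[4323]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:09 gentoo sshd[4325]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar  3 10:02:11 gentoo sshd[4330]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Mar  3 10:02:40 gentoo sshd[4331]: Accepted publickey for alice from 198.51.100.7 port 51023 ssh2
Mar  3 10:03:00 gentoo sshd[4340]: Invalid user test from 192.0.2.9
Mar  3 10:03:01 gentoo sshd[4340]: Failed password for invalid user test from 192.0.2.9 port 33011 ssh2
Mar  3 10:03:02 gentoo cron[999]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches the two failure shapes sshd logs: a real account with a wrong
# password, and an account that does not exist ("invalid user").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Names mirror the DenyHosts settings; values are lowered for this sample
# (DenyHosts' own defaults are higher, except DENY_THRESHOLD_ROOT = 1).
DENY_THRESHOLD_INVALID = 2   # attempts against non-existent accounts
DENY_THRESHOLD_VALID = 5     # attempts against existing accounts
DENY_THRESHOLD_ROOT = 1      # attempts against root
BLOCK_SERVICE = "sshd"       # service prefix DenyHosts writes to HOSTS_DENY


def parse_failures(log_text):
    """Return {host: {"invalid": n, "valid": n, "root": n, "users": set()}}."""
    stats = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue                      # accepted logins, other daemons, etc.
        entry = stats[m["host"]]
        entry["users"].add(m["user"])
        if m["invalid"]:
            entry["invalid"] += 1
        elif m["user"] == "root":
            entry["root"] += 1
        else:
            entry["valid"] += 1
    return stats


def hosts_to_deny(stats):
    """Hosts that crossed any threshold, sorted for stable output."""
    return sorted(
        h for h, e in stats.items()
        if e["invalid"] >= DENY_THRESHOLD_INVALID
        or e["valid"] >= DENY_THRESHOLD_VALID
        or e["root"] >= DENY_THRESHOLD_ROOT
    )


def hosts_deny_lines(hosts):
    """Format entries the way DenyHosts writes them: 'service: host'."""
    return [f"{BLOCK_SERVICE}: {h}" for h in hosts]


def targeted_users(stats):
    """How many offending hosts tried each username (the 'targeted accounts' report)."""
    return Counter(u for e in stats.values() for u in e["users"])


if __name__ == "__main__":
    stats = parse_failures(SAMPLE_LOG)
    for line in hosts_deny_lines(hosts_to_deny(stats)):
        print(line)
    print("targeted accounts:", dict(targeted_users(stats)))
```

On the sample, only 203.0.113.5 is denied: it tried two non-existent accounts and root, while 198.51.100.7 made one failed attempt against a real account before a successful key login and 192.0.2.9 stayed under the invalid-user threshold. The "Invalid user ... from" line without a password attempt is deliberately not counted; DenyHosts also distinguishes these cases, which is why its thresholds are separate.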

Installation

First emerge DenyHosts:

emerge denyhosts


Ensure OpenSSH was built with the tcpd USE flag enabled; without it sshd never consults /etc/hosts.deny and DenyHosts has no effect:

emerge -pv net-misc/openssh
net-misc/openssh +tcpd


If needed, re-emerge OpenSSH with tcpd support:

echo 'net-misc/openssh tcpd' >> /etc/portage/package.use
emerge net-misc/openssh

Configuration

Recent ebuilds ship an /etc/denyhosts.conf with these settings already in place, so most users can skip ahead to the Starting DenyHosts section. Check the values below anyway before starting the daemon.

File: /etc/denyhosts.conf

Make sure SECURE_LOG points to the file sshd actually logs to. With the default syslog setup this is /var/log/messages, but a customised logger may put sshd's messages elsewhere. If the path is wrong, DenyHosts runs but never sees a failed login and blocks nothing.

SECURE_LOG = /var/log/messages

DAEMON_LOG is the file DenyHosts writes its own log to when running as a daemon; /var/log/denyhosts is the default, and DAEMON_LOG_TIME_FORMAT sets the timestamp format used in that log.

DAEMON_LOG = /var/log/denyhosts
DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S

Synchronization mode, introduced in version 2.0, lets DenyHosts exchange lists of attacking hosts with a central server. Uncommenting the SYNC_SERVER variable enables it. Once enabled, DenyHosts both downloads hosts reported by other users and uploads the hosts it has denied; uploading is on by default and can be turned off with SYNC_UPLOAD = no. Before enabling it, consider that your denied-host list is sent to a third party, and that hosts reported by others will be blocked on your system on the strength of their reports.

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

Starting DenyHosts

Code: Add to runlevel
rc-update add denyhosts default


Now, start DenyHosts.  (This may take a while as it parses the log file.)

/etc/init.d/denyhosts start


Now you're done! Before relying on it, add the addresses you administer from to the allowed-hosts file in DenyHosts' WORK_DIR, so that a mistyped password from your own workstation cannot lock you out, and check DAEMON_LOG to confirm that DenyHosts is reading SECURE_LOG and adding entries.

Alternative Configuration

Instead of running DenyHosts continuously as a daemon, you can have tcp-wrappers start it each time an SSH client connects. The connection itself is not held up (the spawned command runs in the background), so the delay for the user is negligible, and nothing runs while nobody is connecting. Two consequences are worth knowing: a host is only added to the blocked list after the connection that triggered the run, so it is refused from its next connection on; and every incoming connection, including an attacker's, starts a Python process as root, so a burst of connections costs more than the single daemon would.

File: /etc/denyhosts.conf
HOSTS_DENY = /etc/hosts.blocked


Now edit /etc/hosts.deny so that tcp-wrappers runs DenyHosts itself. Note that denyhosts.py is invoked without the --daemon option. Rules in this file are evaluated in order and the first match wins: the first line denies any client listed in /etc/hosts.blocked (a rule in hosts.deny denies unless it says otherwise), and the second line runs DenyHosts for every other sshd connection and then allows it. Keep the lines in this order; reversed, the second rule would match every client before the blocked list is consulted. Because tcp-wrappers reads /etc/hosts.blocked as a list of host patterns, check that the entries DenyHosts writes there (by default one "sshd: address" line per host) are matched as you expect.

File: /etc/hosts.deny
ALL:/etc/hosts.blocked
sshd:ALL:spawn python /usr/bin/denyhosts.py -c /etc/denyhosts.conf: allow


At this point it is advisable to run DenyHosts once by hand, so that the existing log is processed before the first connection triggers it:

Code: Run Denyhosts 1st time
python /usr/bin/denyhosts.py -c /etc/denyhosts.conf


This first run may take quite some time; later runs (on each SSH connection) only process the new log lines and are much faster.

hosts.allow and hosts.deny are only honoured by sshd if it was built with tcp-wrappers support, i.e. the tcpd USE flag checked in the Installation section.
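The two hosts.deny rules above are processed first match wins, and the client field of the first rule is a file of whitespace-separated host patterns, which is why both the order of the rules and the contents of /etc/hosts.blocked matter. The following added example (not part of DenyHosts or tcp-wrappers) models that evaluation in Python for the cases relevant here: exact addresses, trailing-dot prefixes and net/mask patterns, the allow and spawn options, and an empty hosts.allow. The blocked-list contents are constructed in the default "sshd: address" form DenyHosts writes.

```python
"""Model of how hosts_access(5) evaluates the two-rule /etc/hosts.deny above.

Added example, not code from DenyHosts or tcp-wrappers. It reproduces only
the behaviour relevant to this setup: rules are tried in order and the
first match wins; a hosts.deny rule denies unless it carries the 'allow'
option; a client field starting with '/' names a file of whitespace-
separated host patterns. hosts.allow is assumed to be empty.
"""
import ipaddress

# Constructed stand-in for /etc/hosts.blocked as DenyHosts writes it with
# the default BLOCK_SERVICE = sshd: one "sshd: <address>" line per host.
HOSTS_BLOCKED = """\
sshd: 203.0.113.5
sshd: 192.0.2.9
"""

# The two rules from /etc/hosts.deny, in the order given in the text.
HOSTS_DENY_RULES = [
    {"daemons": "ALL", "clients": "/etc/hosts.blocked", "options": []},
    {"daemons": "sshd", "clients": "ALL", "options": ["spawn", "allow"]},
]


def file_patterns(text):
    """A client-list file is read as whitespace-separated patterns, so the
    'sshd:' tokens DenyHosts writes become patterns too. They are harmless
    only because they can never equal a client address."""
    return text.split()


def pattern_matches(pattern, addr):
    """Subset of hosts_access string matching for IPv4 client addresses."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # prefix form, e.g. 203.0.113.
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask form, e.g. 198.51.100.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    return pattern == addr               # plain address: exact match only


def evaluate(daemon, addr, rules=HOSTS_DENY_RULES, blocked_text=HOSTS_BLOCKED):
    """Return (verdict, index of the matching rule or None, spawned?)."""
    for i, rule in enumerate(rules):
        if rule["daemons"] not in ("ALL", daemon):
            continue
        if rule["clients"].startswith("/"):
            patterns = file_patterns(blocked_text)   # stands in for reading the file
        else:
            patterns = [rule["clients"]]
        if any(pattern_matches(p, addr) for p in patterns):
            verdict = "allow" if "allow" in rule["options"] else "deny"
            return verdict, i, "spawn" in rule["options"]
    return "allow", None, False          # nothing matched in hosts.deny: access granted


if __name__ == "__main__":
    for client in ("203.0.113.5", "198.51.100.7"):
        print(client, evaluate("sshd", client))
    # With the rules swapped, the spawn/allow rule matches every client first
    # and /etc/hosts.blocked is never consulted.
    print("swapped:", evaluate("sshd", "203.0.113.5", rules=HOSTS_DENY_RULES[::-1]))
```

With the rules in the documented order, the listed host is refused by the first rule and DenyHosts is not even spawned for it, while an unlisted host hits the second rule, triggers a DenyHosts run and is let through. Swapping the two lines allows the listed host in, which is the mistake the model is meant to make visible.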
