HowTos – Linux Security – HowTo Block SSH Server Attacks Using “DenyHosts”.

Posted on by Ron Jagannathan

DenyHosts is an open source log-based intrusion prevention security program for SSH servers developed in Python.

It is intended to monitor and analyzes SSH server logs for invalid login attempts, dictionary based attacks and brute force attacks by blocking the originating IP addresses by adding an entry to /etc/hosts.deny file on the server and prevents the IP address from making any further such login attempts.

DenyHosts works wonders for Linux systems, particularly when allowing password based ssh logins. In this blog we will show you how to install and configure DenyHosts on RHEL 7x, 6.x/5.xCentOS 7.x/6.x/5.x and Fedora 17,16,15,14,13,12 systems using epel repository.

Installing DenyHosts on RHEL, CentOS and Fedora

After installing Denyhosts, make sure to whitelist your own IP address, or you will get locked out. To do this, open a file /etc/hosts.allow.

# vi /etc/hosts.allow

Below the description, add the each IP address one-by-one on a separate line, that you never want to block. The format should be as follows.

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 108.31.239.101
sshd: 108.31.239.102
sshd: 108.31.239.103

Configuring DenyHosts for Email Alerts

The main configuration file is located under /etc/denyhosts.conf. This file is used to send email alerts about suspicious logins and restricted hosts. Open this file using VI editor.

# vi /etc/denyhosts.conf

Search for the ‘ADMIN_EMAIL‘ and add your email address here to receive email alerts about suspicious logins (for multiple email alerts use comma separated). Please have a look at the configuration file of my CentOS 6.3server. Each variable is well documented so configure it according to your liking.

############ DENYHOSTS REQUIRED SETTINGS ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts

############ DENYHOSTS OPTIONAL SETTINGS ############
ADMIN_EMAIL = ronjag@redhatbible.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <ronjag@redhatbible.com>
SMTP_SUBJECT = DenyHosts Daily Report

############ DENYHOSTS OPTIONAL SETTINGS ############
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

Restarting DenyHosts Service

Once you’ve done with your configuration, restart the denyhosts service for new changes. We also add the denyhosts service to system start-up.

# chkconfig denyhosts on
# service denyhosts start

Watch DenyHosts Logs

To watch denyhosts ssh logs for how many attackers and hackers are attempted to gain access to your server. Use the following command to view the real-time logs.

# tail -f /var/log/secure
Dec 11 15:01:43 redhatbible sshd[25474]: Accepted password for root from 108.31.239.101 port 443 ssh2
Nov 28 15:01:43 redhatbible sshd[25474]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 28 16:44:09 redhatbible sshd[25474]: pam_unix(sshd:session): session closed for user root
Nov 29 11:08:56 redhatbible sshd[31669]: Accepted password for root from 108.31.239.101 port 2957 ssh2
Nov 29 11:08:56 redhatbible sshd[31669]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 29 11:12:00 redhatbible atd[3417]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 29 11:12:00 redhatbible atd[3417]: pam_unix(atd:session): session closed for user root
Nov 29 11:26:42 redhatbible sshd[31669]: pam_unix(sshd:session): session closed for user root
Nov 29 12:54:17 redhatbible sshd[7480]: Accepted password for root from 108.31.239.101 port 1787 ssh2

Remove Banned IP Address from DenyHosts

If you’ve ever blocked accidentally and want to remove that banned IP address from the denyhosts. You need to stop the service.

# /etc/init.d/denyhosts stop

To remove or delete banned IP address completely. You need to edit the following files and remove the IP address.

# vi /etc/hosts.deny
# vi /var/lib/denyhosts/hosts
# vi /var/lib/denyhosts/hosts-restricted
# vi /var/lib/denyhosts/hosts-root
# vi /var/lib/denyhosts/hosts-valid
# vi /var/lib/denyhosts/users-hosts

After removing the banned IP Address, restart the service again.

# /etc/init.d/denyhosts start

The offending IP address added to all the files under /var/lib/denyhosts directory, so it’s makes very difficult to determine the which files contain the offending IP address. One of the best way to find out the IP address using grep command. For example to find out IP address 108.31.239.133, do.

cd /var/lib/denyhosts
grep 108.31.239.133 *

Whitelist IP Addresses Permanently in DenyHosts

If you’ve list of static IP address that you want to whitelist permanently. Open the file /var/lib/denyhosts/allowed-hosts file. Whatever IP address included in this file will not be banned by default (consider this as a whilelist).

# vi /var/lib/denyhosts/allowed-hosts

And add the each IP address on separate line. Save and close the file.

# We mustn't block localhost
127.0.0.1
108.31.239.101
108.31.239.102
108.31.239.103

  19 people found this article useful

Ron Jagannathan has written 54 articles

Ronan is a Caffeine dependent life-form from Planet Earth who wants to be a Jedi Knight of cloud computing. A man of mystery and power, whose power is exceeded only by his mystery. Quantum Physicist, TransHumanist, Systems Architect, Unix Administrator, Artificial Intelligence, Machine Learning and DIY Gadget enthusiast. Believes that the Universe has a high probability of being a simulation.
But he's real and hopefully some of his readers are too.
email: Ron.Jagannathan@gmail.com ph: 202 355 5205
https://www.linkedin.com/in/ronjagan/
My Famous Quotes:
“In a Unix Universe, God is known by a four letter word called root. To err is human...to really foul requires you to be root.. err.. god.” ― Ron Jagannathan

Github: github.com/ronjag
Linkedin: linkedin.com/in/ronjagan/

“Quotes found on the Internet are not always accurate.” ― Abraham Lincoln

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>