DenyHosts is a Python script that monitors server’s access logs to prevent brute force attacks. The script automatically blocks SSH attacks by adding entries to /etc/hosts.deny.
Software
Software used in this article:
- Debian Wheezy
- DenyHosts 2.6-10
- Stunnel 4.53
Installation
Install DenyHosts:
# apt-get update && apt-get install denyhosts
At the time I write this, the latest release of DenyHosts v2.6 does not support TLS/SSL for SMTP authentication. However, TLS/SSL support should be added to v2.7.
To login to our email server securely, we are going to use Stunell. As we mentioned earlier, Stunnel is a program designed to work as an SSL encryption wrapper, and can be used to add SSL functionality to DenyHosts.
# apt-get install stunnel4
Stunell Configuration
Create /etc/stunnel/stunnel.conf file with appropriate SSMTP settings:
# cat > /etc/stunnel/stunnel.conf <<EOF [ssmtp] client = yes accept = 25 connect = mail.example.com:465 EOF
Open /etc/default/stunnel4 and change ENABLED field value from “0″ to “1″ to have the tunnels start up automatically on system boot. File then should look something as below:
# cat /etc/default/stunnel4 ENABLED=1 FILES="/etc/stunnel/*.conf" OPTIONS="" PPP_RESTART=0
Restart stunnel daemon:
# /etc/init.d/stunnel4 restart
Check with netstat if stunnel is listening on port 25:
# netstat -nltp | grep :25 tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 24687/stunnel4
DenyHosts Configuration
Whitelist Own IPs
The first thing to do is to whitelist those private/public IPs that we cannot afford to be blocked so we’d not be locked out of our own server. These IPs need to be added to /etc/hosts.allow, for example:
# echo "ALL: 10.32.1.10" >>/etc/hosts.allow
Customise DenyHosts
Next thing to do is to backup the default /etc/denyhosts.conf configuration file:
# cp /etc/denyhosts.conf /etc/denyhosts.conf.backup
Since we are going to provide our SMTP credentials, it’s a wise idea to restrict file access to the root user only:
# chmod 0600 /etc/denyhosts.conf
Now , we can start customising DenyHosts. Below is the content of our configuration file, with handy comments, of course.
# cat /etc/denyhosts.conf ############ THESE SETTINGS ARE REQUIRED ############ # Debian sshd logs SECURE_LOG = /var/log/auth.log # The file which contains restricted host access information HOSTS_DENY = /etc/hosts.deny # Remove HOSTS_DENY entries that are older than 1 day PURGE_DENY = 1d # The service name that should be blocked in HOSTS_DENY BLOCK_SERVICE = sshd # Block each host after 2 failed invalid login attempts # This value applies to invalid (non-existent) user login attempts DENY_THRESHOLD_INVALID = 2 # Block each host after 10 failed valid login attempts # This value applies to valid user logins (except the root user) DENY_THRESHOLD_VALID = 10 # Block each host after 1 failed root login attempt DENY_THRESHOLD_ROOT = 1 # Block each host after 1 failed login attempt # This value applies to usernames that appear in the # WORK_DIR/restricted-usernames file only DENY_THRESHOLD_RESTRICTED = 1 # The full path that DenyHosts will use for writing data to WORK_DIR = /var/lib/denyhosts # Do not report suspicious login attemps from allowed-hosts SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = NO # Do not do hostname lookups HOSTNAME_LOOKUP = NO # Lock file on Debian LOCK_FILE = /run/denyhosts.pid ############ THESE SETTINGS ARE OPTIONAL ############ # Email to get notifications about restrictd hosts ADMIN_EMAIL = [email protected] # Using Stunnel on localhost SMTP_HOST = localhost SMTP_PORT = 25 # SMTP login credentials SMTP_USERNAME = [email protected] SMTP_PASSWORD = password # Specifies "From:" address in messages sent from DenyHosts SMTP_FROM = DenyHosts <[email protected]> # Specifies the "Subject:" of messages sent by DenyHosts SMTP_SUBJECT = DenyHosts Report # Reset failed valid user login attemps count to 0 after 5 days AGE_RESET_VALID = 5d # Reset failed root login attemps count to 0 after 5 days AGE_RESET_ROOT = 5d # Reset failed restricted login attemps count to 0 after 5 days # This applies to all entries found in the WORK_DIR/restricted-usernames AGE_RESET_RESTRICTED = 5d # Reset failed invalid login attemps count to 0 after 5 days AGE_RESET_INVALID = 5d # Set failed count to 0 if the login is successful RESET_ON_SUCCESS = yes ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ########## # The logfile that DenyHosts uses to report its status DAEMON_LOG = /var/log/denyhosts # The amount of time DenyHosts will sleep between polling the SECURE_LOG DAEMON_SLEEP = 30s # Run purge mechanism to expire old entries in HOSTS_DENY every 1h DAEMON_PURGE = 1h
The last thing to do is to restart the DenyHosts daemon:
# /etc/init.d/denyhosts restart