DenyHosts is
an open source and free log-based intrusion prevention security program forSSH servers
developed in Python language
by Phil Schwartz.
It is intended to monitor and analyzes SSH server logs for invalid login attempts, dictionary based attacks and brute force attacks by blocking the originating IP addresses
by adding an entry to /etc/hosts.deny file
on the server and prevents the IP address from making any further such login attempts.
DenyHosts is much needed tool for all Linux based systems, specially when we are allowingpassword
based ssh logins. In this article we are going to show you how to install and configure DenyHosts on RHEL
6.3/6.2/6.1/6/5.8, CentOS 6.3/6.2/6.1/6/5.8 andFedora
17,16,15,14,13,12 systems using epel repository.
See also :
-
Fail2ban
(Intrusion Prevention) System for SSH -
Disable
or Enable SSH Root Login -
Linux
Malware Detect (LMD)
Installing DenyHosts in RHEL, CentOS and Fedora
By default DenyHosts tool is not included in the Linux systems, we need to install it using third party EPEL
repository. Once added repository, install the package using followingYUM command.
# yum --enablerepo=epel install denyhostsORum install denyhosts# y
Configuring DenyHosts for Whitelist IP Addresses
Once the Denyhosts installed, make sure to whitelist your own IP address,
so you will never get locked out. To do this, open a file /etc/hosts.allow.
# vi /etc/hosts.allow
Below the description, add the each IP address one-by-one on a separate line, that you never want to block.
The format should be as follows.
## hosts.allow This file contains access rules which are used to# allow or deny connections to network services that# either use the tcp_wrappers library or that have been# started through a tcp_wrappers-enabled xinetd. #' # for information on rule syntax. ## See 'man 5 hosts_options' and 'man 5 hosts_acces sSee 'man tcpd' for information on tcp_wrappers #sshd: 172.16.25.125sshd: 172.16.25.126 sshd: 172.16.25.127
Configuring DenyHosts for Email Alerts
The main configuration file is located under /etc/denyhosts.conf. This file is used to send email alerts
about suspicious logins and restricted hosts. Open this file using VI editor.
# vi /etc/denyhosts.conf
Search for the ‘ADMIN_EMAIL‘ and add your email address here to receive email alerts about suspicious logins
(for multiple email alerts use comma separated). Please have a look at the configuration file of my CentOS 6.3 server. Each variable
is well documented so configure it according to your liking.
############ DENYHOSTS REQUIRED SETTINGS ############SECURE_LOG = /var/log/secureBLOCK_SERVICE = sshd DENY_THOSTS_DENY = /etc/hosts.deny HRESHOLD_INVALID = 5DENY_THRESHOLD_RESTRICTEDDENY_THRESHOLD_VALID = 10 DENY_THRESHOLD_ROOT = 1 = 1LLOWED_HOSTS=YES HOSTNAME_LOOWORK_DIR = /var/lib/denyhosts SUSPICIOUS_LOGIN_REPORT_ AKUP=YES LOCK_FILE = /var/lock/subsys/denyhosts#### ADMIN_EMAIL =############ DENYHOSTS OPTIONAL SETTINGS ########ravisaive@tecmint.comSMTP_HOST = localhostSMTP_PORT = 25yHosts <tecmint@tecmint.com>SMTP_FROM = De nMTP_SUBJECT = DenyHosts Daily ReportS########## DENYHOSTS OPTIONAL SETTINGS ############ D# #AEMON_LOG = /var/log/denyhosts DAEMON_SLEEP = 30s DAEMON_PURGE = 1h
Restarting DenyHosts Service
Once you’ve done with your configuration, restart the denyhosts service for new changes. We also add the denyhosts service
to system start-up.
# chkconfig denyhosts on# service denyhosts start
Watch DenyHosts Logs
To watch denyhosts ssh logs for how many attackers and hackers are attempted to gain access to your server. Use the following command
to view the real-time logs.
# tail -f /var/log/secure
Nov 28 15:01:43 tecmint sshd[25474]: Accepted password for root from 172.16.25.125 port 4339 ssh2Nov 28 15:01:43 tecmint sshd[25474]: pam_unix(sshd:session): session opened for user root by (uid=0)Nov 28 16:44:09 tecmint sshd[25474]: pam_unix(sshd:session): session closed for user root57 ssh2 Nov 29 11:08:56 tecmint sshd[31669]: pam_unix(sshd:session): session opened for user rootNov 29 11:08:56 tecmint sshd[31669]: Accepted password for root from 172.16.25.125 port 2 9 by (uid=0) Nov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session opened for user root by (uid=0)sshd[31669]: pam_unix(sshd:session): session closed for user root Nov 29 12:54:17 tecmNov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session closed for user root Nov 29 11:26:42 tecmintint sshd[7480]: Accepted password for root from 172.16.25.125 port 1787 ssh2
Remove Banned IP Address from DenyHosts
If you’ve ever blocked accidentally and want to remove that banned IP address from thedenyhosts.
You need to stop the service.
# /etc/init.d/denyhosts stop
To remove or delete banned IP address completely. You need to edit the following files and remove the IP
address.
# vi /etc/hosts.deny# vi /var/lib/denyhosts/hosts# vi /var/lib/denyhosts/hosts-restricted# vi /var/lib/denyhosts/hosts-root# vi /var/lib/denyhosts/users-host# vi /var/lib/denyhosts/hosts-valids
After removing the banned IP Address, restart the service again.
# /etc/init.d/denyhosts start
The offending IP address added to all the files under /var/lib/denyhosts directory, so it’s makes very difficult to determine the which
files contain the offending IP address. One of the best way to find out the IP address using grep command. For example to find out
IP address172.16.25.125, do.
cd /var/lib/denyhostsgrep 172.16.25.125 *
Whitelist IP Addresses Permanently in DenyHosts
If you’ve list of static IP address that you want to whitelist permanently. Open the file/var/lib/denyhosts/allowed-hosts file. Whatever
IP address included in this file will not be banned by default (consider this as a whilelist).
# vi /var/lib/denyhosts/allowed-hosts
And add the each IP address on separate line. Save and close the file.
# We mustn't block localhost127.0.0.1 172.16.25.125127172.16.25.126 172.16.25.