Difference between revisions of "DenyHosts Setup"

From PCLinuxOSHelp Knowledge Base

Revision as of 20:46, 16 April 2018

DenyHosts - Preventing Brute Force Attacks

SSH Brute Force Attack Protection using DenyHosts

You can block SSH dictionary and brute-force attacks with DenyHosts, a Python script that watches the sshd log (/var/log/secure) for failed logins and, once a host passes a failure threshold, adds it to /etc/hosts.deny. That file is enforced by TCP Wrappers, so the block only takes effect if your sshd was built with libwrap support. Check with:

ldd /usr/sbin/sshd | grep libwrap

If that prints nothing, sshd ignores hosts.deny and DenyHosts will not protect it.

STEP 1: Open the package manager and install denyhosts
STEP 2: Configure Denyhosts

The default configuration file is /etc/denyhosts/denyhosts.cfg. Before enabling DenyHosts, whitelist the address you administer the machine from; otherwise a few mistyped passwords (a single one for root, with the thresholds below) will lock you out of your own server.

As root, open /etc/hosts.allow in your favorite text editor and add the following line:
sshd: <your ip address>
For example, sshd: 127.0.0.1 allows the loopback address; for the workstation you connect from, use its address, e.g. sshd: 192.168.1.50. TCP Wrappers consults hosts.allow before hosts.deny, so an address listed here is never blocked even if DenyHosts later writes it to hosts.deny.
Save and close the file.

STEP 3: Set the admin email. DenyHosts mails a report whenever it blocks a new host or IP. If you do not want reports, leave the line commented out with #. Open /etc/denyhosts/denyhosts.cfg in your favorite text editor and edit this line:

# ADMIN_EMAIL = youremail@yourdomain.com

Save and close the file.

Your configuration file should look something like this:

############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
# PURGE_DENY = 7d
# (leaving PURGE_DENY commented out means blocked hosts are never purged;
#  set it, e.g. to 7d, if you want DAEMON_PURGE below to expire old entries)
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = youremail@yourdomain.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report of your "System Name"
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
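
To make the thresholds in that configuration concrete, here is an added example (written for this page, not DenyHosts' own code) that applies the same counting logic to a few constructed /var/log/secure lines: each source address accumulates failed logins per category (invalid user, root, valid user), any category reaching its DENY_THRESHOLD_* value marks the host for hosts.deny, and whitelisted hosts are skipped the way /etc/hosts.allow spares your own address. The log-line pattern is a simplified one covering the two "Failed password" forms sshd writes; DenyHosts' own matching is broader (restricted users, AGE_RESET expiry and other message types are not modelled here), and the sample lines, the hostname "pclos" and the addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the /var/log/secure format DenyHosts reads
# (hostname "pclos" and RFC 5737 documentation addresses are made up).
SAMPLE_SECURE_LOG = """\
Apr 16 20:40:01 pclos sshd[1234]: Invalid user admin from 203.0.113.7
Apr 16 20:40:01 pclos sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 16 20:40:03 pclos sshd[1236]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Apr 16 20:40:05 pclos sshd[1238]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Apr 16 20:41:00 pclos sshd[1240]: Failed password for root from 198.51.100.9 port 40000 ssh2
Apr 16 20:42:00 pclos sshd[1250]: Failed password for bob from 192.0.2.20 port 40010 ssh2
Apr 16 20:42:04 pclos sshd[1252]: Failed password for bob from 192.0.2.20 port 40012 ssh2
Apr 16 20:42:09 pclos sshd[1254]: Accepted publickey for bob from 192.0.2.20 port 40014 ssh2
Apr 16 20:43:00 pclos sshd[1260]: Failed password for root from 127.0.0.1 port 40020 ssh2
"""

# Same values as DENY_THRESHOLD_INVALID / _VALID / _ROOT in the denyhosts.cfg above.
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 1}

# Simplified pattern for sshd's "Failed password" lines (assumed sufficient for the sample).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def classify_failure(line):
    """Return (ip, category) for a failed-password line, else None.
    category is 'invalid' (no such account), 'root', or 'valid' (existing non-root account)."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    if m.group("invalid"):
        cat = "invalid"
    elif m.group("user") == "root":
        cat = "root"
    else:
        cat = "valid"
    return m.group("ip"), cat


def count_failures(lines):
    """Map each source IP to a Counter of failure categories."""
    counts = defaultdict(Counter)
    for line in lines:
        hit = classify_failure(line)
        if hit:
            ip, cat = hit
            counts[ip][cat] += 1
    return counts


def hosts_to_deny(lines, thresholds=THRESHOLDS, allowed=()):
    """IPs whose failures in any category reach that category's threshold,
    minus whitelisted hosts (the role /etc/hosts.allow plays in the setup above)."""
    denied = set()
    for ip, cats in count_failures(lines).items():
        if ip in allowed:
            continue
        if any(cats[cat] >= limit for cat, limit in thresholds.items()):
            denied.add(ip)
    return denied


def hosts_deny_entries(denied, service="sshd"):
    """Lines in the form DenyHosts appends to /etc/hosts.deny for BLOCK_SERVICE."""
    return sorted(f"{service}: {ip}" for ip in denied)


if __name__ == "__main__":
    sample = SAMPLE_SECURE_LOG.splitlines()
    for ip, cats in sorted(count_failures(sample).items()):
        print(ip, dict(cats))
    print(hosts_deny_entries(hosts_to_deny(sample, allowed={"127.0.0.1"})))
```

Note what the whitelist does: 127.0.0.1 has a single root failure, which with DENY_THRESHOLD_ROOT = 1 would otherwise block the loopback address; the two failures from bob's valid account stay under DENY_THRESHOLD_VALID and are not blocked at all.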

Now start the service; in a console window as root, type:

service denyhosts start


Removing a blocked IP

If your own IP has been blocked, follow the steps below to remove it from both /etc/hosts.deny and the DenyHosts database. Both are needed: if the address stays in the data files, its failure count is still at or above the threshold, and the next failed login re-blocks it immediately.

STEP 1: Stop DenyHosts first; in a console window as root, type:

service denyhosts stop

STEP 2: Remove your IP from /etc/hosts.deny

Open /etc/hosts.deny in your favorite text editor and delete the line containing your IP address (it looks like sshd: <your ip>).
Save and close the file.

STEP 3: Remove your IP from the files in /usr/share/denyhosts/data (the WORK_DIR set above).

cd /usr/share/denyhosts/data

Edit each of the following files in your favorite text editor and remove every line containing the IP address (a file that does not exist yet can be skipped):

1. hosts
2. hosts-restricted
3. hosts-root
4. hosts-valid
5. users-hosts

Save each file.

STEP 4: Start DenyHosts again; in a console window as root, type:

service denyhosts start

That's it. You can reach the SSH service again from the IP that was blocked.
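
The unblock procedure above as an added example, not anything shipped with DenyHosts: it removes every line mentioning an address from /etc/hosts.deny and the five WORK_DIR files, matches the address as a whole so that removing 10.0.0.4 does not also strip 10.0.0.45 or 110.0.0.4, and skips files that do not exist. demo_unblock() runs it against constructed copies of the files in a temporary directory; the ip:count:timestamp layout of those copies is assumed, and only the presence of the address matters to the code. Stop DenyHosts before running it on the real files and start it again afterwards, as Steps 1 and 4 say.

```python
import os
import re
import sys
import tempfile

# The files Steps 2 and 3 edit by hand: /etc/hosts.deny plus the
# per-category lists under WORK_DIR (/usr/share/denyhosts/data).
DATA_FILES = ("hosts", "hosts-restricted", "hosts-root", "hosts-valid", "users-hosts")


def ip_pattern(ip):
    """Regex matching ip as a whole address: no digit directly before or after it,
    so 10.0.0.4 does not match inside 10.0.0.45 or 110.0.0.4."""
    return re.compile(r"(?<![0-9])" + re.escape(ip) + r"(?![0-9])")


def remove_ip_from_file(path, ip):
    """Drop every line mentioning ip; return how many lines were removed.
    Missing files are skipped (DenyHosts creates some lists only when first needed)."""
    if not os.path.exists(path):
        return 0
    pat = ip_pattern(ip)
    with open(path) as f:
        lines = f.readlines()
    kept = [line for line in lines if not pat.search(line)]
    if len(kept) != len(lines):
        # Rewrite in place (same inode) so ownership and permissions are kept.
        with open(path, "w") as f:
            f.writelines(kept)
    return len(lines) - len(kept)


def unblock_ip(ip, hosts_deny="/etc/hosts.deny", work_dir="/usr/share/denyhosts/data"):
    """Steps 2 and 3 of the procedure; returns {path: lines_removed}.
    Run with DenyHosts stopped, then start it again."""
    removed = {hosts_deny: remove_ip_from_file(hosts_deny, ip)}
    for name in DATA_FILES:
        path = os.path.join(work_dir, name)
        removed[path] = remove_ip_from_file(path, ip)
    return removed


def demo_unblock(ip="10.0.0.4"):
    """Run unblock_ip against constructed copies of the files in a temp dir.
    Returns (removed_counts_by_relative_path, remaining_lines_by_relative_path)."""
    tmp = tempfile.mkdtemp()
    os.mkdir(os.path.join(tmp, "data"))
    # Constructed content; the ip:count:timestamp layout is assumed, and
    # hosts-restricted is deliberately absent to exercise the missing-file path.
    fixtures = {
        "hosts.deny": "sshd: 10.0.0.4\nsshd: 10.0.0.45\nsshd: 203.0.113.7\n",
        "data/hosts": "10.0.0.4:3:Mon Apr 16 20:40:05 2018\n110.0.0.4:1:Mon Apr 16 20:50:00 2018\n",
        "data/hosts-root": "10.0.0.4:1:Mon Apr 16 20:41:00 2018\n",
        "data/hosts-valid": "192.0.2.20:2:Mon Apr 16 20:42:04 2018\n",
        "data/users-hosts": "root - 10.0.0.4:1:Mon Apr 16 20:41:00 2018\n",
    }
    for rel, content in fixtures.items():
        with open(os.path.join(tmp, rel), "w") as f:
            f.write(content)
    removed = unblock_ip(ip, os.path.join(tmp, "hosts.deny"), os.path.join(tmp, "data"))
    remaining = {}
    for rel in fixtures:
        with open(os.path.join(tmp, rel)) as f:
            remaining[rel] = f.read().splitlines()
    return {os.path.relpath(p, tmp): n for p, n in removed.items()}, remaining


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Live use, as root with DenyHosts stopped: python3 unblock.py 10.0.0.4
        print(unblock_ip(sys.argv[1]))
    else:
        print(demo_unblock())
```

The whole-address match is the part worth keeping even if you edit the files by hand: a plain search for 10.0.0.4 also finds 10.0.0.45, and deleting that line unblocks a host you did not intend to.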