DenyHosts - Preventing Brute Forced Attacks
SSH Brute Force Attacks Protection using DenyHosts
You can easily block SSH server attacks including dictionary based attacks and brute force attacks using a Python based script – DenyHosts. It analyzes the sshd log messages to determine what hosts or IPs are attempting to hack into your system.
STEP 1: Open the package manager and install denyhosts STEP 2: Configure Denyhosts
The default configuration file is located at /etc/denyhosts/denyhosts.cfg. You need to allow yourself access sshd.
Using your favorite text editor. Open /etc/hosts.allow (must be root user) and add the following line. sshd:<your ip number> For Example: sshd:127.0.0.0 <-- this is the localhost feedback loop Save and close the file.
STEP 3: Open denyhosts.cfg and change admin email. You will get an email on newly restricted hosts and IPs. If you do not want, leave it with #. Use your favorite text editor and open /etc/denyhosts/denyhosts.cfg and edit this line
- ADMIN_EMAIL = email@example.com
Save and close the file.
Your configuration file should look something like this:
- THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure HOSTS_DENY = /etc/hosts.deny
- PURGE_DENY = 7d (This will never delete or purge entries)
BLOCK_SERVICE = sshd DENY_THRESHOLD_INVALID = 3 DENY_THRESHOLD_VALID = 5 DENY_THRESHOLD_ROOT = 1 DENY_THRESHOLD_RESTRICTED = 1 WORK_DIR = /usr/share/denyhosts/data SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES HOSTNAME_LOOKUP=YES LOCK_FILE = /var/lock/subsys/denyhosts
- THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = firstname.lastname@example.org SMTP_HOST = localhost SMTP_PORT = 25 SMTP_FROM = DenyHosys <nobody@localhost> SMTP_SUBJECT = DenyHosts Report of your “System Name” AGE_RESET_VALID=5d AGE_RESET_ROOT=25d AGE_RESET_RESTRICTED=25d AGE_RESET_INVALID=10d
- THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts DAEMON_SLEEP = 30s DAEMON_PURGE = 1h
Now, start this utility by executing, in a console window as the root user type in:
service denyhosts start
Removing a blocked IP
If your IP is blocked and you want to remove it, follow below steps to remove your IP from DenyHosts Database.
STEP 1: Stop DenyHosts first, in a console window as the root user type in:
service denyhosts stop
STEP 2: Remove Your IP From /etc/hosts.deny
In your favorite text editor open /etc/hosts.deny Delete your IP address. Save and close the file.
STEP 3: Remove Your IP From /usr/share/denyhosts/data Directory.
You need to edit the following files using your favorite text editor and remove the lines containing the IP address.
1.hosts 2.hosts-restricted 3.hosts-root 4.hosts-valid 5.users-hosts
Save the file.
STEP 4: Start DenyHosts by executing, in a console window as the root user type in:
service denyhosts start
That’s it…! You can access ssh service with same IP, which was earlier blocked ! Category: HowTo