Introduce DenyHosts
Tags: DenyHosts, Linux, python, Redhat, SSH
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks. When it sees repeated failed login attempts from the same IP address, DenyHosts blocks further login attempts from that IP address by adding it to /etc/hosts.deny. DenyHosts can be run by cron or as a daemon. In this tutorial I will run DenyHosts as a daemon.
If you've ever looked at your SSH log (/var/log/secure on Red Hat, etc.) you may be alarmed to see how many hackers have attempted to gain access to your server.
Installation:
Note: DenyHosts requires Python2.3 and Python2.3-dev.
1. Download source from http://denyhosts.sourceforge.net
2. Type tar xvfz DenyHosts-2.0.tar.gz
3. Type cd DenyHosts-2.0
4. Type python setup.py install
5. The installer places DenyHosts in /usr/share/denyhosts.
6. Type cd /usr/share/denyhosts
7. Type cp denyhosts.cfg-dist denyhosts.cfg
8. Type vi /usr/share/denyhosts/denyhosts.cfg
9. Make sure you set SECURE_LOG and LOCK_FILE to the correct values for your distribution!
10. Type cp daemon-control-dist daemon-control
11. Edit /usr/share/denyhosts/daemon-control and make sure you set the correct values for ‘DENYHOSTS_BIN’, ‘DENYHOSTS_LOCK’, and ‘DENYHOSTS_CFG’.
12. Type chown root daemon-control
13. Type chmod 700 daemon-control
14. Type cd /etc/init.d
15. Type ln -s /usr/share/denyhosts/daemon-control denyhosts
16. Type chkconfig --add denyhosts
17. Type chkconfig denyhosts on
18. Finally, we start DenyHosts: /etc/init.d/denyhosts start
19. DenyHosts logs to /var/log/denyhosts
20. If you are interested in the logs, you can watch both logs and try to log in with an invalid user or with a valid user and incorrect password, etc. via SSH and see what happens. After you have crossed the threshold of incorrect login attempts, the IP address from which you tried to connect should get listed in /etc/hosts.deny
21. You can specify if and when IP addresses are removed again from /etc/hosts.deny: have a look at the PURGE_DENY variable in /usr/share/denyhosts/denyhosts.cfg. You must start DenyHosts with the --purge option to make the PURGE_DENY variable effective, like this:
/etc/init.d/denyhosts start --purge
22. However, you can also remove IP addresses manually from there. As soon as they have been removed, these IP addresses can try to log in again via SSH.
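The behaviour described in step 20 (count failed logins per source address, then list the address in /etc/hosts.deny once a threshold is crossed) can be sketched as follows. This is an added example, not DenyHosts' own code: the log lines are constructed, the threshold names and values are hypothetical, and the `sshd: <ip>` entry format is assumed from TCP wrappers syntax.

```python
import re
from collections import Counter

# Constructed /var/log/secure lines in OpenSSH's format (documentation-range IPs).
SAMPLE_LOG = """\
May 28 01:02:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May 28 01:02:03 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40124 ssh2
May 28 01:02:04 host sshd[2107]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
May 28 01:02:06 host sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
May 28 01:03:10 host sshd[2120]: Failed password for bob from 198.51.100.4 port 60001 ssh2
May 28 01:03:12 host sshd[2122]: Failed password for bob from 198.51.100.4 port 60002 ssh2
"""

# The address is matched at the end of the line, after the user name field,
# so text inside a user name cannot be mistaken for the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Hypothetical thresholds for this example, not values read from denyhosts.cfg.
THRESHOLD_INVALID = 3  # failures against user names that do not exist
THRESHOLD_VALID = 5    # failures against existing accounts


def offenders(log_text):
    """Return the IPs whose failure count reached either threshold, sorted."""
    invalid, valid = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            (invalid if m.group("invalid") else valid)[m.group("ip")] += 1
    hit = {ip for ip, n in invalid.items() if n >= THRESHOLD_INVALID}
    hit |= {ip for ip, n in valid.items() if n >= THRESHOLD_VALID}
    return sorted(hit)


def updated_hosts_deny(existing, log_text):
    """Append 'sshd: <ip>' lines for offenders not already listed."""
    lines = existing.splitlines()
    already = {ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("sshd:")}
    lines += [f"sshd: {ip}" for ip in offenders(log_text) if ip not in already]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(updated_hosts_deny("# /etc/hosts.deny\n", SAMPLE_LOG), end="")
```

Only 203.0.113.7 is listed: 198.51.100.4 stays below the valid-user threshold, and the successful login from 192.0.2.10 is not counted.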
Read the DenyHosts FAQ here for more information.