How to: Block SSH attacks with denyhosts

How to set up denyhosts python script to block SSH attacks on Sabayon 4.1 KDE

**This is a legacy article which does not meet some of our quality standards. While it may contain useful information, is retained here for legacy reasons only.**

Summary

This is a great way to fix those annoying hacking attempts in your /var/log/messages file.  I get ton’s of attempts like the below as an example.  The whois queries all say they come from Russia and according to the firewall is creating the most traffic accross my router.  So this is why you use Denyhosts.  I did used to use blockhosts (also in python) but denyhosts is supposed to be better so I thought I’d give it a go.

Jun  1 12:12:50 Donald sshd[23635]: Invalid user yonamine from 189.50.198.218
Jun  1 12:12:58 Donald sshd[23674]: Invalid user yonchun from 189.50.198.218
Jun  1 12:13:07 Donald sshd[23724]: Invalid user yoneda from 189.50.198.218
Jun  1 12:13:15 Donald sshd[23765]: Invalid user yoneko from 189.50.198.218
Jun  1 12:13:24 Donald sshd[23807]: Invalid user yonekura from 189.50.198.218
Jun  1 12:13:33 Donald sshd[23851]: Invalid user yonemitsu from 189.50.198.218
Jun  1 12:13:41 Donald sshd[23895]: Invalid user yonemoto from 189.50.198.218

Get the source code

Download the latest source tarball of Denyhosts from http://denyhosts.sourceforge.net (at time of writing this is version 2.6)

Extract it

tar -zxvf Denyhostsxxxx.tar.gz

$ cd denyhostsxxx

$ su (become root)

Configure syslog-ng

# vi /etc/syslog-ng/syslog-ng.conf

Underneath the line that reads: “destination messages { file(“/var/log/messages”); };”

Enter the following:

destination authlog { file("/var/log/auth.log"); };

Save the file and exit

# touch /var/log/auth.log

# /etc/init.d/syslog-ng restart

Configure denyhosts

# cd /usr/share/denyhosts/

# python setup.py install

This installs DenyHosts to /usr/share/denyhosts

# cp denyhosts.cfg-dist denyhosts.cfg

Edit the denyhosts.cfg file

# vi /usr/share/denyhosts/denyhosts.cfg

Ensure the SECURE_LOG line reads as below

SECURE_LOG = /var/log/auth.log

Also ensure the lock file reads

LOCK_FILE = /var/run/denyhosts.pid

Save the file and exit.

Make it daemonise

# cd /usr/share/denyhosts/

# cp daemon-control-dist daemon-control

Edit /usr/share/denyhosts/daemon-control and make sure you set the correct values for DENYHOSTS_BIN, DENYHOSTS_LOCK, and DENYHOSTS_CFG. (Should just be the lock file that needs to be changed)

# vi /usr/share/denyhosts/daemon-control

DENYHOSTS_BIN = “/usr/bin/denyhosts.py”
DENYHOSTS_LOCK = “/var/run/denyhosts.pid”
DENYHOSTS_CFG = “/usr/share/denyhosts/denyhosts.cfg

Next we have to make that file executable:

# chown root /usr/share/denyhosts/daemon-control

# chmod 700 /usr/share/denyhosts/daemon-control

Make it start automatically at system boot time

Afterwards, we create the system bootup links for DenyHosts do that it is started automatically when the system is booted:

# cd /etc/init.d
# ln -s /usr/share/denyhosts/daemon-control denyhosts
# rc-update add denyhosts default

Finally, we start DenyHosts:

/etc/init.d/denyhosts start

That’s it!

Further info

DenyHosts logs to /var/log/denyhosts, if you are interested in the logs. The SSH daemon logs to /var/log/auth.log on Sabayon. You can watch both logs and try to log in with an invalid user or with a valid user and incorrect password, etc. via SSH and see what happens. After you have crossed the threshold of incorrect login attempts, the IP address from which you tried to connect should get listed in /etc/hosts.deny, like this:

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5), hosts_options(5)
#                  and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default, not sure about Gentoo/Sabayon?
# ALL: PARANOID
sshd: 192.168.0.203

This means that the system with the IP address 192.168.0.203 cannot connect anymore using SSH.

You can specify if/when IP addresses are removed again from /etc/hosts.deny – have a look at the PURGE_DENY variable in /usr/share/denyhosts/denyhosts.cfg. You must start DenyHosts with the –purge option to make the PURGE_DENY variable effective, like this:

# /etc/init.d/denyhosts start –purge

However, you can also remove IP addresses manually from there, and as soon as they have got removed, these IP addresses can try to log in again via SSH.

Sources: http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts