Archive for September, 2008

Prevent SSH password attacks using denyhosts package

Wednesday, September 10th, 2008

When I saw this in my daily log report. I was like WTF! Script kiddies are having fun. Little bit of Googling and I installed the denyhosts package on Feodra Core 7. Here’s the step by step guide.

shell>yum install denyhosts
shell>/etc/init.d/denyhosts start

Most probably denyhosts is going to run on server restarts. However, make sure that’s the case by

shell>chkconfig denyhosts on

The denyhosts package watches the /var/log/secure log file at a fixed interval and then when it finds a match (like illegal login attempts, etc.) it adds an entry in the /etc/hosts.deny file. The /etc/hosts.deny file contains pairs of entries in network daemon, client ip (or hostname) format which looks like this:

daemon_name: X.Y.Z.W
After installing the denyhosts package, you can tweak the configuration by modifying the /etc/denyhosts.conf file. Here’s what I changed essentially

#Block the host after 3 failed attempts
#for non-existing logins
#Block the host after 5 failed
#attempts of existing logins
#Block after 3 failed attempts for root login.
#Ideally, you should disable root login for ssh
#Good idea to capture the host name from IP
#I left this blank as we capture the
#reports via logwatch

Here’s what my /etc/hosts.deny looked like after a few days

# DenyHosts: Sun Sep 7 06:00:08 2008 | sshd:
# DenyHosts: Sun Sep 7 18:34:01 2008 | sshd:
# DenyHosts: Mon Sep 8 05:05:04 2008 | sshd:
# DenyHosts: Tue Sep 9 01:36:18 2008 | sshd:

Don’t forget to restart denyhosts if you change the config file.