Prevent SSH password attacks using denyhosts package

When I saw this in my daily log report, I was like WTF! Script kiddies are having fun. A little bit of Googling later, I installed the denyhosts package on Fedora Core 7. Here's the step by step guide.

shell>yum install denyhosts
shell>/etc/init.d/denyhosts start

Most probably denyhosts is already set to start on server reboots. However, make sure that's the case with:

shell>chkconfig denyhosts on

The denyhosts package checks the /var/log/secure log file at a fixed interval, and when it finds enough matching lines (failed password attempts, attempts against non-existent accounts, etc.) from one client, it adds an entry for that client to the /etc/hosts.deny file. The /etc/hosts.deny file is read by TCP wrappers (sshd on Fedora is built with libwrap support) and contains entries in "daemon name: client IP (or hostname)" format, which look like this:

daemon_name: X.Y.Z.W
 
After installing the denyhosts package, you can tweak the configuration by modifying the /etc/denyhosts.conf file. Here's essentially what I changed:

#Block the host after 3 failed attempts
#for non-existing logins
DENY_THRESHOLD_INVALID = 3
#Block the host after 5 failed
#attempts of existing logins
DENY_THRESHOLD_VALID = 5
#Block after 3 failed attempts for root login.
#Ideally, you should disable root login for ssh
DENY_THRESHOLD_ROOT = 3
#Good idea to capture the host name from IP
HOSTNAME_LOOKUP=YES
#I left this blank as we capture the
#reports via logwatch
ADMIN_EMAIL =
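To make the threshold logic above concrete, here is a small added example (my own code, not part of DenyHosts) that reads sshd lines in the /var/log/secure format, counts failed password attempts per client and per class (invalid account, existing account, root), and renders the /etc/hosts.deny entries for clients that reached the matching DENY_THRESHOLD_* value. The log lines are constructed and use RFC 5737 documentation addresses; counting per (client, class) and blocking at "count >= threshold" is a simplification of what the real daemon does, which also tracks state between runs.

```python
import re
import ipaddress
from collections import Counter

# Thresholds copied from the /etc/denyhosts.conf values shown above.
DENY_THRESHOLD_INVALID = 3   # failed attempts against non-existent accounts
DENY_THRESHOLD_VALID = 5     # failed attempts against existing, non-root accounts
DENY_THRESHOLD_ROOT = 3      # failed attempts against root

# Constructed sample lines in the format sshd writes to /var/log/secure.
# Client addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_SECURE_LOG = """\
Sep  7 05:59:01 box sshd[2301]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Sep  7 05:59:04 box sshd[2302]: Failed password for invalid user oracle from 192.0.2.10 port 40213 ssh2
Sep  7 05:59:07 box sshd[2303]: Failed password for invalid user test from 192.0.2.10 port 40215 ssh2
Sep  7 18:33:50 box sshd[2410]: Failed password for root from 203.0.113.5 port 51000 ssh2
Sep  7 18:33:52 box sshd[2411]: Failed password for root from 203.0.113.5 port 51001 ssh2
Sep  7 18:33:55 box sshd[2412]: Failed password for root from 203.0.113.5 port 51002 ssh2
Sep  8 05:04:00 box sshd[2500]: Failed password for bob from 198.51.100.7 port 33000 ssh2
Sep  8 05:04:01 box sshd[2501]: Failed password for bob from 198.51.100.7 port 33001 ssh2
Sep  8 05:04:02 box sshd[2502]: Failed password for bob from 198.51.100.7 port 33002 ssh2
Sep  8 05:04:03 box sshd[2503]: Failed password for bob from 198.51.100.7 port 33003 ssh2
Sep  8 05:04:05 box sshd[2504]: Accepted password for bob from 198.51.100.7 port 33004 ssh2
Sep  9 01:36:00 box sshd[2600]: Failed password for invalid user guest from 192.0.2.77 port 22000 ssh2
"""

# Matches only failed password attempts; "invalid user" is present when the
# account does not exist on the system.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

THRESHOLDS = {
    "invalid": DENY_THRESHOLD_INVALID,
    "valid": DENY_THRESHOLD_VALID,
    "root": DENY_THRESHOLD_ROOT,
}


def classify(match):
    """Map one failed-login match to the class its threshold belongs to."""
    if match.group("invalid"):
        return "invalid"
    if match.group("user") == "root":
        return "root"
    return "valid"


def failed_logins(log_text):
    """Count failed password attempts per (client ip, class); accepted logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("ip"), classify(m))] += 1
    return counts


def hosts_to_deny(log_text):
    """Return client ips whose failure count in any class reached that class's threshold."""
    deny = {ip for (ip, cls), n in failed_logins(log_text).items() if n >= THRESHOLDS[cls]}
    return sorted(deny, key=ipaddress.ip_address)


def hosts_deny_entries(ips, stamp):
    """Render entries in the commented form DenyHosts appends to /etc/hosts.deny."""
    lines = []
    for ip in ips:
        lines.append(f"# DenyHosts: {stamp} | sshd: {ip}")
        lines.append(f"sshd: {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    blocked = hosts_to_deny(SAMPLE_SECURE_LOG)
    print(hosts_deny_entries(blocked, "Sun Sep 7 06:00:08 2008"))
```

On the constructed log, 192.0.2.10 is blocked after three attempts against non-existent accounts and 203.0.113.5 after three root failures, while 198.51.100.7 is not blocked: four failures against an existing account stay under DENY_THRESHOLD_VALID, and the later "Accepted password" line does not count against it. That asymmetry is the point of the three separate thresholds: a typo-prone legitimate user gets more room than a scanner walking a list of account names.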

Here's what my /etc/hosts.deny looked like after a few days:

# DenyHosts: Sun Sep 7 06:00:08 2008 | sshd: 210.51.1.231
sshd: 210.51.1.231
# DenyHosts: Sun Sep 7 18:34:01 2008 | sshd: 117.36.50.66
sshd: 117.36.50.66
# DenyHosts: Mon Sep 8 05:05:04 2008 | sshd: 218.4.150.50
sshd: 218.4.150.50
# DenyHosts: Tue Sep 9 01:36:18 2008 | sshd: 12.174.168.124
sshd: 12.174.168.124

Don't forget to restart denyhosts (/etc/init.d/denyhosts restart) if you change the config file.