{"id":245,"date":"2008-09-10T10:12:21","date_gmt":"2008-09-10T18:12:21","guid":{"rendered":"http:\/\/www.khaitan.org\/blog\/?p=245"},"modified":"2008-09-10T10:12:21","modified_gmt":"2008-09-10T18:12:21","slug":"prevent-ssh-password-attacks-using-denyhosts-package","status":"publish","type":"post","link":"https:\/\/www.khaitan.org\/blog\/2008\/09\/prevent-ssh-password-attacks-using-denyhosts-package\/","title":{"rendered":"Prevent SSH password attacks using denyhosts package"},"content":{"rendered":"

\"\"<\/a><\/p>\n

When I saw this in my daily log report. I was like WTF! Script kiddies are having fun. Little bit of Googling and I installed the denyhosts package on Feodra Core 7. Here’s the step by step guide.<\/p>\n

shell>yum install denyhosts
\nshell>\/etc\/init.d\/denyhosts start<\/code><\/p>\n

Most probably denyhosts is going to run on server restarts. However, make sure that’s the case by<\/p>\n

shell>chkconfig denyhosts on<\/code><\/p>\n

The denyhosts package watches the \/var\/log\/secure log file at a fixed interval and then when it finds a match (like illegal login attempts, etc.) it adds an entry in the \/etc\/hosts.deny<\/a> file. The \/etc\/hosts.deny file contains pairs of entries in network daemon, client ip (or hostname) format which looks like this:<\/p>\n

daemon_name: X.Y.Z.W<\/code>
\n\u00a0
\nAfter installing the denyhosts package, you can tweak the configuration by modifying the \/etc\/denyhosts.conf file. Here’s what I changed essentially<\/p>\n


\n#Block the host after 3 failed attempts
\n#for non-existing logins
\nDENY_THRESHOLD_INVALID = 3
\n#Block the host after 5 failed
\n#attempts of existing logins
\nDENY_THRESHOLD_VALID = 5
\n#Block after 3 failed attempts for root login.
\n#Ideally, you should disable root login for ssh
\nDENY_THRESHOLD_ROOT = 3
\n#Good idea to capture the host name from IP
\nHOSTNAME_LOOKUP=YES
\n#I left this blank as we capture the
\n#reports via logwatch
\nADMIN_EMAIL =
\n<\/code><\/p>\n

Here’s what my \/etc\/hosts.deny looked like after a few days<\/p>\n

# DenyHosts: Sun Sep 7 06:00:08 2008 | sshd: 210.51.1.231
\nsshd: 210.51.1.231
\n# DenyHosts: Sun Sep 7 18:34:01 2008 | sshd: 117.36.50.66
\nsshd: 117.36.50.66
\n# DenyHosts: Mon Sep 8 05:05:04 2008 | sshd: 218.4.150.50
\nsshd: 218.4.150.50
\n# DenyHosts: Tue Sep 9 01:36:18 2008 | sshd: 12.174.168.124
\nsshd: 12.174.168.124<\/code><\/p>\n

Don’t forget to restart denyhosts if you change the config file.<\/p>\n","protected":false},"excerpt":{"rendered":"

When I saw this in my daily log report. I was like WTF! Script kiddies are having fun. Little bit of Googling and I installed the denyhosts package on Feodra Core 7. Here’s the step by step guide. shell>yum install denyhosts shell>\/etc\/init.d\/denyhosts start Most probably denyhosts is going to run on server restarts. However, make […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[98],"tags":[],"_links":{"self":[{"href":"https:\/\/www.khaitan.org\/blog\/wp-json\/wp\/v2\/posts\/245"}],"collection":[{"href":"https:\/\/www.khaitan.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.khaitan.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.khaitan.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.khaitan.org\/blog\/wp-json\/wp\/v2\/comments?post=245"}],"version-history":[{"count":0,"href":"https:\/\/www.khaitan.org\/blog\/wp-json\/wp\/v2\/posts\/245\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.khaitan.org\/blog\/wp-json\/wp\/v2\/media?parent=245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.khaitan.org\/blog\/wp-json\/wp\/v2\/categories?post=245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.khaitan.org\/blog\/wp-json\/wp\/v2\/tags?post=245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}