#153 Linux  07.01.2008

Block SSH login attempts with denyhosts


Denyhosts is another simple means of enhancing the security of a Linux server. If for any reason you still use SSH login with user name and password instead of public key authentication or certificate-based authentication, you might find denyhosts very useful. It blocks SSH login attempts from hackers.
If you look into /var/log/messages you will probably see hundreds of these lines:
...
Jan 21 08:00:33 xyz sshd[10834]: Invalid user test from xxx.xxx.xxx.xxx
Jan 21 08:00:33 xyz sshd[10844]: Invalid user info from xxx.xxx.xxx.xxx
Jan 21 08:00:33 xyz sshd[10854]: Invalid user peter from xxx.xxx.xxx.xxx
...

Every line stands for one attempt to hack the system. Usually there are many break-in attempts from the same IP address. I have seen servers which were constantly flooded with 2-5 SSH attacks per second!

What denyhosts does is simply look for failed SSH login attempts from the same IP address and create records in /etc/hosts.deny accordingly, blocking further access from that IP address. Denyhosts is very flexible. Basically you can define the number of failed login attempts allowed before the IP is blocked. After a while these records are purged from hosts.deny again, and you can define when this should happen. You can even download hosts.deny records automatically from xmlrpc.denyhosts.net if you want.
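The core of the mechanism described above, as an added illustration and not denyhosts' own code: count the failed-login lines per source address in the sshd log and produce hosts.deny records for every address that reaches the threshold. The log lines and addresses are constructed, and the exact "sshd: IP" record format is an assumption about what denyhosts writes.

```python
import re
from collections import Counter

# Constructed sample sshd log lines in the format shown above (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 21 08:00:33 xyz sshd[10834]: Invalid user test from 203.0.113.5
Jan 21 08:00:33 xyz sshd[10844]: Invalid user info from 203.0.113.5
Jan 21 08:00:33 xyz sshd[10854]: Invalid user peter from 203.0.113.5
Jan 21 08:00:34 xyz sshd[10860]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2
Jan 21 08:00:35 xyz sshd[10861]: Failed password for root from 203.0.113.5 port 4412 ssh2
Jan 21 08:01:02 xyz sshd[10870]: Failed password for bob from 198.51.100.7 port 5022 ssh2
Jan 21 08:01:10 xyz sshd[10871]: Accepted publickey for bob from 198.51.100.7 port 5023 ssh2
"""

# The two failure messages sshd logs; each pattern captures the source IPv4 address.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\d{1,3}(?:\.\d{1,3}){3})"),
    re.compile(r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3})"),
]


def count_failures(log_text):
    """Return {ip: number of failed attempts}; successful logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in FAILURE_PATTERNS:
            match = pattern.search(line)
            if match:
                counts[match.group(1)] += 1
                break
    return counts


def hosts_deny_entries(counts, threshold=5):
    """Build tcp_wrappers records for every IP with at least `threshold` failures.
    The 'sshd: IP' form is assumed to mirror what denyhosts writes to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for ip, n in sorted(failures.items()):
        print(f"{ip}: {n} failed attempts")
    print("\n".join(hosts_deny_entries(failures)))  # prints "sshd: 203.0.113.5"
```

With the sample above only 203.0.113.5 reaches the default of five failures; 198.51.100.7 has one failure followed by a successful key login and is left alone.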

To install denyhosts on Gentoo we proceed as usual.
emerge -va denyhosts
rc-update add denyhosts default

The configuration file has very good descriptions of all available options. The default values are suitable for most environments. The only thing we do here is set the admin email address so that we get informed about blocked IPs.
vi /etc/denyhosts.conf
ADMIN_EMAIL = admin@domain

Starting the daemon takes some time because it analyses the current sshd log file and creates records in /etc/hosts.deny.
/etc/init.d/denyhosts start

The daemon writes its own logs into /var/log/denyhosts.


To make sure it works as expected, try to log into your system with a wrong password or user name. Do this a few times. By default, after the fifth attempt you should see the following message:
h1:~ # ssh abc@domain
ssh_exchange_identification: Connection closed by remote host

To immediately allow access from a blocked host again, just remove the two records for it from /etc/hosts.deny.

