{"id":11539,"date":"2019-03-14T11:44:38","date_gmt":"2019-03-14T11:44:38","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=11539"},"modified":"2019-03-14T11:44:38","modified_gmt":"2019-03-14T11:44:38","slug":"block-ssh-server-attacks-brute-force-attacks-using-denyhosts","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/14\/block-ssh-server-attacks-brute-force-attacks-using-denyhosts\/","title":{"rendered":"Block SSH Server Attacks (Brute Force Attacks) Using DenyHosts"},"content":{"rendered":"

DenyHosts<\/strong>\u00a0is an open source and free log-based intrusion prevention security program for\u00a0SSH<\/strong>\u00a0servers developed in\u00a0Python<\/strong>\u00a0language by\u00a0Phil Schwartz<\/strong>. It is intended to monitor and analyzes SSH server logs for invalid login attempts, dictionary based attacks and brute force attacks by blocking the originating\u00a0IP<\/strong>\u00a0addresses by adding an entry to\u00a0\/etc\/hosts.deny<\/strong>\u00a0file on the server and prevents the IP address from making any further such login attempts.<\/p>\n

\n

\"Block<\/a><\/p>\n

Install DenyHosts to Block SSH Attacks<\/p>\n<\/div>\n

DenyHosts<\/strong>\u00a0is much needed tool for all Linux based systems, specially when we are allowing\u00a0password based ssh logins<\/a>. In this article we are going to show you how to install and configure\u00a0DenyHosts<\/strong>\u00a0on\u00a0RHEL 6.3\/6.2\/6.1\/6\/5.8<\/strong>,\u00a0CentOS 6.3\/6.2\/6.1\/6\/5.8<\/strong>\u00a0and\u00a0Fedora 17,16,15,14,13,12<\/strong>\u00a0systems using epel repository.<\/p>\n

See also<\/strong>\u00a0:<\/p>\n

    \n
  1. Fail2ban (Intrusion Prevention) System for SSH<\/a><\/li>\n
  2. Disable or Enable SSH Root Login<\/a><\/li>\n
  3. Linux Malware Detect (LMD)<\/a><\/li>\n<\/ol>\n

    Installing DenyHosts in RHEL, CentOS and Fedora<\/h3>\n

    By default\u00a0DenyHosts<\/strong>\u00a0tool is not included in the Linux systems, we need to install it using third party\u00a0EPEL repository<\/a>. Once added repository, install the package using following\u00a0YUM<\/strong>\u00a0command.<\/p>\n

    # yum --enablerepo=epel install denyhosts\r\nOR\r\n# yum install denyhosts<\/pre>\n
    Configuring DenyHosts for Whitelist IP Addresses<\/h3>\n
    Once the\u00a0Denyhosts<\/strong>\u00a0installed, make sure to whitelist your own\u00a0IP<\/strong>\u00a0address, so you will never get locked out. To do this, open a file\u00a0\/etc\/hosts.allow<\/strong>.<\/p>\n
    # vi \/etc\/hosts.allow<\/pre>\n
    Below the description, add the each\u00a0IP address<\/strong>\u00a0one-by-one on a separate line, that you never want to block. The format should be as follows.<\/p>\n
    #\r\n# hosts.allow   This file contains access rules which are used to\r\n#               allow or deny connections to network services that\r\n#               either use the tcp_wrappers library or that have been\r\n#               started through a tcp_wrappers-enabled xinetd.\r\n#\r\n#               See 'man 5 hosts_options' and 'man 5 hosts_access'\r\n#               for information on rule syntax.\r\n#               See 'man tcpd' for information on tcp_wrappers\r\n#\r\nsshd: 172.16.25.125<\/strong>\r\nsshd: 172.16.25.126<\/strong>\r\nsshd: 172.16.25.127<\/strong><\/pre>\n
    Configuring DenyHosts for Email Alerts<\/h3>\n
    The main configuration file is located under\u00a0\/etc\/denyhosts.conf<\/strong>. This file is used to send email alerts about suspicious logins and restricted hosts. Open this file using\u00a0VI<\/strong>\u00a0editor.<\/p>\n
    # vi \/etc\/denyhosts.conf<\/pre>\n
    Search for the\u00a0\u2018ADMIN_EMAIL<\/strong>\u2018 and add your email address here to receive email alerts about suspicious logins (for multiple email alerts use comma separated). Please have a look at the configuration file of my\u00a0CentOS 6.3<\/strong>server. Each variable is well documented so configure it according to your liking.<\/p>\n
    ############ DENYHOSTS REQUIRED SETTINGS ############\r\nSECURE_LOG = \/var\/log\/secure\r\nHOSTS_DENY = \/etc\/hosts.deny\r\nBLOCK_SERVICE  = sshd\r\nDENY_THRESHOLD_INVALID = 5\r\nDENY_THRESHOLD_VALID = 10\r\nDENY_THRESHOLD_ROOT = 1\r\nDENY_THRESHOLD_RESTRICTED = 1\r\nWORK_DIR = \/var\/lib\/denyhosts\r\nSUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES\r\nHOSTNAME_LOOKUP=YES\r\nLOCK_FILE = \/var\/lock\/subsys\/denyhosts\r\n\r\n############ DENYHOSTS OPTIONAL SETTINGS ############\r\nADMIN_EMAIL = ravisaive@tecmint.com<\/strong>\r\nSMTP_HOST = localhost\r\nSMTP_PORT = 25\r\nSMTP_FROM = DenyHosts <tecmint@tecmint.com><\/strong>\r\nSMTP_SUBJECT = DenyHosts Daily Report\r\n\r\n############ DENYHOSTS OPTIONAL SETTINGS ############\r\nDAEMON_LOG = \/var\/log\/denyhosts\r\nDAEMON_SLEEP = 30s\r\nDAEMON_PURGE = 1h<\/pre>\n
    Restarting DenyHosts Service<\/h3>\n
    Once you\u2019ve done with your configuration, restart the\u00a0denyhosts<\/strong>\u00a0service for new changes. We also add the\u00a0denyhosts<\/strong>\u00a0service to system start-up.<\/p>\n
    # chkconfig denyhosts on\r\n# service denyhosts start<\/pre>\n
    Watch DenyHosts Logs<\/h3>\n
    To watch\u00a0denyhosts<\/strong>\u00a0ssh logs for how many attackers and hackers are attempted to gain access to your server. Use the following command to view the real-time logs.<\/p>\n
    # tail -f \/var\/log\/secure<\/pre>\n
    Nov 28 15:01:43 tecmint sshd[25474]: Accepted password for root from 172.16.25.125 port 4339 ssh2\r\nNov 28 15:01:43 tecmint sshd[25474]: pam_unix(sshd:session): session opened for user root by (uid=0)\r\nNov 28 16:44:09 tecmint sshd[25474]: pam_unix(sshd:session): session closed for user root\r\nNov 29 11:08:56 tecmint sshd[31669]: Accepted password for root from 172.16.25.125 port 2957 ssh2\r\nNov 29 11:08:56 tecmint sshd[31669]: pam_unix(sshd:session): session opened for user root by (uid=0)\r\nNov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session opened for user root by (uid=0)\r\nNov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session closed for user root\r\nNov 29 11:26:42 tecmint sshd[31669]: pam_unix(sshd:session): session closed for user root\r\nNov 29 12:54:17 tecmint sshd[7480]: Accepted password for root from 172.16.25.125 port 1787 ssh2<\/pre>\n
    Remove Banned IP Address from DenyHosts<\/h3>\n
    If you\u2019ve ever blocked accidentally and want to remove that banned\u00a0IP address<\/strong>\u00a0from the\u00a0denyhosts<\/strong>. You need to stop the service.<\/p>\n
    # \/etc\/init.d\/denyhosts stop<\/pre>\n
    To remove or delete\u00a0banned IP<\/strong>\u00a0address completely. You need to edit the following files and remove the IP address.<\/p>\n
    # vi \/etc\/hosts.deny\r\n# vi \/var\/lib\/denyhosts\/hosts\r\n# vi \/var\/lib\/denyhosts\/hosts-restricted\r\n# vi \/var\/lib\/denyhosts\/hosts-root\r\n# vi \/var\/lib\/denyhosts\/hosts-valid\r\n# vi \/var\/lib\/denyhosts\/users-hosts<\/pre>\n
    After removing the banned IP Address, restart the service again.<\/p>\n
    # \/etc\/init.d\/denyhosts start<\/pre>\n
    The offending IP address added to all the files under\u00a0\/var\/lib\/denyhosts<\/strong>\u00a0directory, so it\u2019s makes very difficult to determine the which files contain the offending IP address. One of the best way to find out the IP address using\u00a0grep command<\/strong>. For example to find out IP address\u00a0172.16.25.125<\/strong>, do.<\/p>\n
    cd \/var\/lib\/denyhosts\r\ngrep 172.16.25.125 *<\/pre>\n
    Whitelist IP Addresses Permanently in DenyHosts<\/h3>\n
    If you\u2019ve list of static IP address that you want to whitelist permanently. Open the file\u00a0\/var\/lib\/denyhosts\/allowed-hosts<\/strong>\u00a0file. Whatever IP address included in this file will not be banned by default (consider this as a whilelist).<\/p>\n
    # vi \/var\/lib\/denyhosts\/allowed-hosts<\/pre>\n
    And add the each IP address on separate line. Save and close the file.<\/p>\n
    # We mustn't block localhost\r\n127.0.0.1\r\n172.16.25.125\r\n172.16.25.126\r\n172.16.25.127<\/pre>\n
    Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    DenyHosts\u00a0is an open source and free log-based intrusion prevention security program for\u00a0SSH\u00a0servers developed in\u00a0Python\u00a0language by\u00a0Phil Schwartz. It is intended to monitor and analyzes SSH server logs for invalid login attempts, dictionary based attacks and brute force attacks by blocking the originating\u00a0IP\u00a0addresses by adding an entry to\u00a0\/etc\/hosts.deny\u00a0file on the server and prevents the IP address from … <\/p>\n
    Continue reading “Block SSH Server Attacks (Brute Force Attacks) Using DenyHosts”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11539","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=11539"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11539\/revisions"}],"predecessor-version":[{"id":11540,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11539\/revisions\/11540"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=11539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=11539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=11539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}