Redhat7:SSH Denyhosts
- Robbed from here: http://www.unixmen.com/install-configure-denyhost-centos/
Introduction
DenyHosts is a script intended to be run by Linux system administrators to help thwart attacks on SSH servers (dictionary-based and brute-force password guessing). Thanks to its simplicity and its easily hand-edited rules, DenyHosts is widely used as an alternative to Fail2ban, which is more involved to set up and configure.
DenyHosts is a free, open-source, log-based intrusion prevention tool for SSH servers, written in Python. It monitors and analyses the SSH server log for invalid login attempts, dictionary attacks and brute-force attacks, and blocks the originating IP addresses by adding an entry for each to /etc/hosts.deny, which stops that address from making further connection attempts. The block is enforced by tcp_wrappers, so it only protects services that consult hosts.allow/hosts.deny (sshd on CentOS 7 does).
Features
Its official site lists the following features, among others.
- Parses /var/log/secure to find all login attempts and filters failed and successful attempts.
- Synchronization mode (new in 2.0) allows DenyHosts daemons to share data via a centralized server to proactively thwart attacks.
- Can be run from the command line, cron or as a daemon (new in 0.9)
- Records all failed login attempts for the user and offending host
- For each host that exceeds a threshold count, records the evil host
- Keeps track of each non-existent user (e.g. sdadasd) when a login attempt failed.
- Keeps track of each existing user (e.g. root) when a login attempt failed.
- Keeps track of each offending host (with 0.8+ these hosts can be purged if the associated entry in /etc/hosts.deny is expired)
- Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures)
- Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously (until it is rotated).
- When the log file is rotated, the script will detect it and parse from the beginning.
- Appends /etc/hosts.deny and adds the newly banned hosts
- Optionally sends an email of newly banned hosts and suspicious logins.
- Keeps a history of all user, host, user/host combo and suspicious logins encountered, including the date and number of corresponding failed login attempts.
- Maintains failed valid and invalid user login attempts in separate files, so that it is easy to see which valid user is under attack (which gives you the opportunity to remove the account, change the password or change its default shell to something like /sbin/nologin).
- Upon each run, the script will load the previously saved data and re-use it to append new failures.
- Resolves IP addresses to hostnames, if available (new in v0.6.0).
- /etc/hosts.deny entries can be expired (purge) at a user specified time (new in 0.8)
- FreeBSD support (added in 0.7)
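As an added example (this is not DenyHosts's own code), here is the core of what the list above describes, in Python: parse sshd lines from /var/log/secure, count failures per offending host separately for non-existent users, existing users and root, ban hosts that cross a threshold, flag a successful login from a host that had already failed several times as suspicious, and render the bans in the two-line format DenyHosts appends to /etc/hosts.deny. The log lines are constructed, and the threshold values and function names are this example's own (DenyHosts's real thresholds are set in denyhosts.cfg).

```python
import re
import time
from collections import defaultdict

# Constructed /var/log/secure excerpt for this example (not a real capture).
SAMPLE_SECURE_LOG = """\
Feb 22 14:10:01 web sshd[2101]: Failed password for invalid user sdadasd from 129.144.24.94 port 41222 ssh2
Feb 22 14:10:03 web sshd[2101]: Failed password for invalid user admin from 129.144.24.94 port 41223 ssh2
Feb 22 14:10:05 web sshd[2103]: Failed password for root from 125.88.177.90 port 51000 ssh2
Feb 22 14:10:07 web sshd[2105]: Failed password for deploy from 10.0.0.7 port 33000 ssh2
Feb 22 14:10:09 web sshd[2105]: Failed password for deploy from 10.0.0.7 port 33001 ssh2
Feb 22 14:10:11 web sshd[2105]: Failed password for deploy from 10.0.0.7 port 33002 ssh2
Feb 22 14:10:13 web sshd[2107]: Accepted password for deploy from 10.0.0.7 port 33003 ssh2
Feb 22 14:10:15 web sshd[2109]: Failed password for invalid user test from 198.12.148.138 port 40000 ssh2
"""

# "Failed password for invalid user X from H port ..." vs "Failed password for X from H port ..."
FAILED_RE = re.compile(r"Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<host>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port")

# Separate thresholds for non-existent users, existing users and root, in the
# spirit of DENY_THRESHOLD_INVALID / _VALID / _ROOT in denyhosts.cfg. The
# numbers below are chosen for this example, not copied from the stock config.
THRESHOLDS = {"invalid": 2, "valid": 3, "root": 1}


def analyze(log_text, thresholds=THRESHOLDS, suspicious_after=2):
    """Count failed logins per offending host and decide which hosts to ban.

    Returns the per-host counts, the per-user failure counts for existing
    users (so you can see which account is under attack), the hosts that
    crossed a threshold, and successful logins from hosts that had already
    failed suspicious_after times or more.
    """
    invalid = defaultdict(int)   # failures against non-existent users, per host
    valid = defaultdict(int)     # failures against existing users, per host
    root = defaultdict(int)      # failures against root, per host
    users = defaultdict(int)     # failures per existing user name
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            host, user = m.group("host"), m.group("user")
            if m.group("invalid"):
                invalid[host] += 1
            elif user == "root":
                root[host] += 1
            else:
                valid[host] += 1
                users[user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            host = m.group("host")
            failures = invalid.get(host, 0) + valid.get(host, 0) + root.get(host, 0)
            if failures >= suspicious_after:
                suspicious.append((m.group("user"), host, failures))
    banned = set()
    for key, counts in (("invalid", invalid), ("valid", valid), ("root", root)):
        banned.update(h for h, n in counts.items() if n >= thresholds[key])
    return {
        "invalid": dict(invalid), "valid": dict(valid), "root": dict(root),
        "users": dict(users), "banned": sorted(banned), "suspicious": suspicious,
    }


def hosts_deny_entries(banned, when=None):
    """Render bans in the two-line form DenyHosts appends to /etc/hosts.deny:
    a dated comment, then the tcp_wrappers rule itself."""
    stamp = time.ctime(when)   # time.ctime(None) is "now"
    return "".join(f"# DenyHosts: {stamp} | sshd: {host}\nsshd: {host}\n" for host in banned)


if __name__ == "__main__":
    result = analyze(SAMPLE_SECURE_LOG)
    print("banned:", result["banned"])
    print("suspicious:", result["suspicious"])
    print(hosts_deny_entries(result["banned"]), end="")
```

Note what happens to 10.0.0.7 in the sample: the deploy user mistypes the password three times, logs in successfully, and is banned anyway because the valid-user threshold was reached. That is the lock-out the hosts.allow step in the install section guards against, and it is also why the successful login is reported as suspicious.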
Installing on CentOS 7
- SELinux disabled (probably not the best idea, but it was disabled by default when I started playing with the server)
# Install EPEL and DenyHosts
yum install epel-release
yum install denyhosts
Let's configure. Before starting the service, add your own IP to /etc/hosts.allow. tcp_wrappers consults hosts.allow before hosts.deny and stops at the first match, so an allow entry guarantees that a few mistyped passwords from your own workstation cannot get you banned and locked out.
[root@vscaler-website ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd: 77.89.144.30
Let's start the denyhosts service now (enable the unit as well if you want it back after a reboot):
systemctl restart denyhosts
Now we can check /etc/hosts.deny for banned IPs. Each ban is two lines: a comment recording when DenyHosts added it, then the actual sshd rule. CentOS 7's sshd is built against libwrap, so it honours these files; later releases dropped tcp_wrappers, so check that before relying on this elsewhere.
[root@vscaler-website ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 129.144.24.94
sshd: 129.144.24.94
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 125.88.177.90
sshd: 125.88.177.90
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 113.195.145.85
sshd: 113.195.145.85
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 146.0.77.66
sshd: 146.0.77.66
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 212.83.170.26
sshd: 212.83.170.26
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 185.93.187.109
sshd: 185.93.187.109
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 185.110.132.54
sshd: 185.110.132.54
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 94.102.63.158
sshd: 94.102.63.158
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 123.196.117.70
sshd: 123.196.117.70
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 198.12.148.138
sshd: 198.12.148.138
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 104.209.141.122
sshd: 104.209.141.122
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 111.207.243.73
sshd: 111.207.243.73
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 113.190.7.72
sshd: 113.190.7.72
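Added example, not code from DenyHosts or tcp_wrappers: a small Python model of how sshd's tcp_wrappers lookup evaluates the two files shown above, plus an expiry pass for DenyHosts entries like the purge feature (PURGE_DENY) from the feature list. The file contents, daemon name and dates are constructed; the admin address 77.89.144.30 is deliberately placed in both files to show that hosts.allow wins. Only exact addresses, trailing-dot network prefixes and ALL are matched; the hostname, netmask and EXCEPT forms that hosts_access(5) also accepts are not modelled.

```python
import re
from datetime import datetime, timedelta

# Constructed file contents for this example. The admin's own address is in
# both files, which is exactly the case the hosts.allow step guards against.
HOSTS_ALLOW = """\
# hosts.allow: the first matching rule here grants access
sshd: 77.89.144.30
"""

HOSTS_DENY = """\
# DenyHosts: Mon Feb 22 14:12:52 2016 | sshd: 129.144.24.94
sshd: 129.144.24.94
# DenyHosts: Mon Mar 14 09:00:00 2016 | sshd: 77.89.144.30
sshd: 77.89.144.30
"""

DENY_MARK = re.compile(r"^# DenyHosts: (?P<stamp>.+?) \| (?P<rule>.+)$")
STAMP_FMT = "%a %b %d %H:%M:%S %Y"   # the time.ctime() layout seen in hosts.deny above


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from a hosts.allow/hosts.deny body.

    Handles the plain 'daemons : clients [: options]' form of hosts_access(5);
    comments, blank lines and trailing options are ignored.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        rules.append((re.split(r"[,\s]+", parts[0]), re.split(r"[,\s]+", parts[1])))
    return rules


def client_matches(pattern, ip):
    """Subset of hosts_access client patterns: ALL, 'a.b.' network prefixes
    and exact addresses."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern == ip


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, ip) for c in clients)


def access_allowed(allow_text, deny_text, daemon, ip):
    """hosts_access(5) order: a match in hosts.allow grants access, otherwise a
    match in hosts.deny refuses it, otherwise access is granted. An address
    listed in hosts.allow therefore stays reachable even after DenyHosts
    appends it to hosts.deny."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return False
    return True


def purge_expired(deny_text, now_stamp, max_age_days):
    """Drop DenyHosts comment + rule pairs older than max_age_days (the idea
    behind PURGE_DENY); every other line is kept untouched, so hand-written
    rules and the file header survive."""
    now = datetime.strptime(now_stamp, STAMP_FMT)
    lines = deny_text.splitlines()
    kept, i = [], 0
    while i < len(lines):
        m = DENY_MARK.match(lines[i])
        paired = bool(m) and i + 1 < len(lines) and lines[i + 1].strip() == m.group("rule").strip()
        if paired:
            added = datetime.strptime(m.group("stamp"), STAMP_FMT)
            if now - added <= timedelta(days=max_age_days):
                kept.extend(lines[i:i + 2])
            i += 2
        else:
            kept.append(lines[i])
            i += 1
    return "".join(line + "\n" for line in kept)


if __name__ == "__main__":
    for ip in ("77.89.144.30", "129.144.24.94", "10.0.0.7"):
        print(ip, "allowed" if access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip) else "denied")
    print(purge_expired(HOSTS_DENY, "Tue Mar 15 12:00:00 2016", 14), end="")
```

The decision function only means anything if sshd actually consults tcp_wrappers; on the box, `ldd $(which sshd) | grep libwrap` confirms the library is linked in. The purge keeps non-DenyHosts lines intact on purpose: DenyHosts only removes the pairs it wrote itself, and a bare `sshd: ...` rule you added by hand should not disappear on a purge run.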