Block SSH Server Attacks (Brute Force Attacks) Using DenyHosts


DenyHosts is an open source and free log-based intrusion prevention program for SSH servers. It is a much needed tool for any Linux based system, especially when password based SSH logins are allowed. DenyHosts is written in Python; it scans and analyzes the server's access logs for invalid login attempts.

Install Epel Repository:

DenyHosts has to be installed from a third party repository (EPEL). Use the command for your release to add it.

CentOS/RHEL 7 64bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
CentOS/RHEL 6 64bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
CentOS/RHEL 6, 32 Bit:
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
CentOS/RHEL 5 64bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
CentOS/RHEL 5, 32 Bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

Install DenyHosts:

Once the EPEL repository has been added, install the package with the following yum command:

# yum --enablerepo=epel install denyhosts
OR
# yum install denyhosts

Whitelist IP Addresses:

Once DenyHosts is installed, make sure that your own IP address is whitelisted, so that you never get locked out.

# vim /etc/hosts.allow
Below the description comment, add each IP address that you never want to block, one per line. The format is as follows.

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 28.119.25.113
sshd: 28.119.25.114
sshd: 28.119.25.115
sshd: 28.119.25.116

Blacklist IP Addresses:

Add the IP addresses you want to block, one per line. Make sure that none of the IP addresses in the blacklist is your own.

# vim /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 28.119.25.117
sshd: 28.119.25.118

Configuring DenyHosts for Email Alerts:

DenyHosts can send email alerts about suspicious logins and restricted hosts; this is enabled in the DenyHosts configuration file. Find ADMIN_EMAIL and set it to your email address to receive the alerts (use a comma separated list for multiple recipients).

# vim /etc/denyhosts.conf
############ DENYHOSTS REQUIRED SETTINGS ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts

############ DENYHOSTS OPTIONAL SETTINGS ############
ADMIN_EMAIL = support@linuxmasterswiki.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <support@linuxmasterswiki.com>
SMTP_SUBJECT = DenyHosts Daily Report

############ DENYHOSTS OPTIONAL SETTINGS ############
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

Start DenyHosts Service:

Once you have finished with the configuration, restart the denyhosts service so the changes take effect. We also add the denyhosts service to system start-up.

For CentOS/RHEL 5/6
# chkconfig denyhosts on
# service denyhosts start
For CentOS/RHEL 7
# systemctl enable denyhosts
# systemctl start denyhosts

DenyHosts Logs file:

To see how many attackers have attempted to gain access to your server, and which connections DenyHosts has refused, watch the secure log in real time with the following command.

# tail -f /var/log/secure

Output:

Oct  1 03:26:38 srv sshd[2637]: refused connect from 28.119.25.117 (28.119.25.117)
Oct  1 03:27:15 srv sshd[2674]: refused connect from 28.119.25.117 (28.119.25.117)
Oct  1 03:28:07 srv sshd[2695]: Connection closed by 127.0.0.1
Oct  1 03:36:00 srv sshd[2637]: refused connect from 28.119.25.118 (28.119.25.117)
Oct  1 03:36:10 srv sshd[2674]: refused connect from 28.119.25.118 (28.119.25.118)
Oct  1 03:36:15 srv sshd[2695]: Connection closed by 127.0.0.1
Oct  1 03:37:39 srv sshd[2967]: Accepted password for root from 28.119.25.113 port 9271 ssh2
Oct  1 03:37:40 srv sshd[2967]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct  1 03:38:10 srv sshd[2967]: Accepted password for root from 28.119.25.114 port 9272 ssh2
Oct  1 03:38:12 srv sshd[2967]: pam_unix(sshd:session): session opened for user root by (uid=0)
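The lines above are what DenyHosts reads from /var/log/secure. As an added example (not from the original article), the script below summarises such lines and applies the thresholds shown in the article's denyhosts.conf (DENY_THRESHOLD_INVALID=5, _VALID=10, _ROOT=1). The log lines in SAMPLE_LOG are constructed for the demo, and the classification is a simplified version of what DenyHosts itself does.

```shell
#!/bin/sh
# Added example (not part of the original article): summarise the sshd lines in
# /var/log/secure that DenyHosts acts on, and apply the article's thresholds.
# SAMPLE_LOG is constructed for the demo; the classification is simplified.

SAMPLE_LOG='Oct  1 03:26:38 srv sshd[2637]: refused connect from 28.119.25.117 (28.119.25.117)
Oct  1 03:27:15 srv sshd[2674]: refused connect from 28.119.25.117 (28.119.25.117)
Oct  1 03:36:10 srv sshd[2674]: refused connect from 28.119.25.118 (28.119.25.118)
Oct  1 03:30:01 srv sshd[2701]: Failed password for invalid user admin from 28.119.25.120 port 4411 ssh2
Oct  1 03:30:02 srv sshd[2701]: Failed password for invalid user admin from 28.119.25.120 port 4412 ssh2
Oct  1 03:30:03 srv sshd[2702]: Failed password for invalid user test from 28.119.25.120 port 4413 ssh2
Oct  1 03:30:04 srv sshd[2702]: Failed password for invalid user test from 28.119.25.120 port 4414 ssh2
Oct  1 03:30:05 srv sshd[2703]: Failed password for invalid user oracle from 28.119.25.120 port 4415 ssh2
Oct  1 03:31:00 srv sshd[2710]: Failed password for root from 28.119.25.121 port 5011 ssh2
Oct  1 03:32:00 srv sshd[2720]: Failed password for bob from 28.119.25.122 port 6011 ssh2
Oct  1 03:37:39 srv sshd[2967]: Accepted password for root from 28.119.25.113 port 9271 ssh2'

# Connections already refused by tcp_wrappers (hosts.deny), counted per source IP.
# $1 = log text. Prints "ip count", most frequent first.
refused_per_ip() {
    printf '%s\n' "$1" | awk '/refused connect from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++ }
        END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# Failed password attempts, classified the way DenyHosts thresholds are split:
# invalid user, valid non-root user, or root. $1 = log text.
# Prints "ip category count".
failed_attempts() {
    printf '%s\n' "$1" | awk '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ($0 ~ /for invalid user /)   kind = "invalid"
            else if ($0 ~ /for root from /) kind = "root"
            else                            kind = "valid"
            n[ip ":" kind]++
        }
        END { for (k in n) { split(k, p, ":"); print p[1], p[2], n[k] } }' | sort
}

# Filter failed_attempts output to the IPs that reach the thresholds from the
# article's config: DENY_THRESHOLD_INVALID=5, _VALID=10, _ROOT=1.
# Usage: failed_attempts "$SAMPLE_LOG" | would_deny
would_deny() {
    awk -v inv=5 -v val=10 -v root=1 '
        ($2 == "invalid" && $3 >= inv) ||
        ($2 == "valid"   && $3 >= val) ||
        ($2 == "root"    && $3 >= root) { print $1 }' | sort -u
}
```

Run `failed_attempts "$SAMPLE_LOG" | would_deny` against a real log (`failed_attempts "$(cat /var/log/secure)"`) to preview which sources the configured thresholds would block.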

Remove Banned IP Address:

If you have accidentally blocked an IP address and want to remove it from the ban list, first stop the service.

For CentOS/RHEL 5/6
# service denyhosts stop
For CentOS/RHEL 7
# systemctl stop denyhosts

To remove the banned IP address completely, delete it from each of the following files.

# vim /etc/hosts.deny
# vim /var/lib/denyhosts/hosts
# vim /var/lib/denyhosts/hosts-restricted
# vim /var/lib/denyhosts/hosts-root
# vim /var/lib/denyhosts/hosts-valid
# vim /var/lib/denyhosts/users-hosts

After removing the banned IP Address, start the service again.

For CentOS/RHEL 5/6
# service denyhosts start
For CentOS/RHEL 7
# systemctl start denyhosts
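The stop, edit and start steps above can be done in one script. This is an added example, not part of the original article: it removes one address from every file the article lists, and the optional path prefix argument is a hypothetical addition so the function can be exercised on a scratch copy of the files rather than the live ones.

```shell
#!/bin/sh
# Added example (not part of the original article): remove a banned address from
# every file the article lists, with DenyHosts stopped while the files are edited.
# The optional PREFIX argument is hypothetical, for testing on copied files.

DENYHOSTS_FILES="/etc/hosts.deny
/var/lib/denyhosts/hosts
/var/lib/denyhosts/hosts-restricted
/var/lib/denyhosts/hosts-root
/var/lib/denyhosts/hosts-valid
/var/lib/denyhosts/users-hosts"

# Accept only a dotted-quad IPv4 address, so a typo cannot become a pattern
# that wipes whole files.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Delete every line where the address appears as a whole token (removing
# 28.119.25.11 must leave 28.119.25.117 alone). $1 = IP, $2 = optional prefix.
# Prints the number of lines removed.
unban_ip() {
    ip=$1; prefix=${2:-}; removed=0
    is_ipv4 "$ip" || { echo "unban_ip: not an IPv4 address: $ip" >&2; return 1; }
    pat=$(printf '%s\n' "$ip" | sed 's/\./\\./g')   # match the dots literally
    for f in $DENYHOSTS_FILES; do
        target="$prefix$f"
        [ -f "$target" ] || continue
        before=$(grep -c . "$target" || :)
        # Rewrite through a temp file, then copy back so ownership and mode are kept.
        grep -Ev "(^|[^0-9.])$pat([^0-9.]|$)" "$target" > "$target.tmp" || :
        cat "$target.tmp" > "$target" && rm -f "$target.tmp"
        after=$(grep -c . "$target" || :)
        removed=$((removed + before - after))
    done
    echo "$removed"
}

# The article's three steps in one call: stop, edit, start. The service is
# started again even if the edit fails, so the host is not left unprotected.
unban_with_service_restart() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl stop denyhosts; unban_ip "$1"; rc=$?; systemctl start denyhosts
    else
        service denyhosts stop;   unban_ip "$1"; rc=$?; service denyhosts start
    fi
    return "$rc"
}
```

On the live system run `unban_with_service_restart 28.119.25.117` as root; to rehearse first, copy the files under a scratch directory and call `unban_ip 28.119.25.117 /path/to/scratch`.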
