
05/02/06


DenyHosts

A brute-force attack is an attempt to get past a login prompt by repeatedly trying combinations of words, letters, and numbers taken from a dictionary file built by the attacker. Blocking these attacks may seem unnecessary to a system administrator with a complex password; however, stopping them not only keeps your system more secure but also saves bandwidth in the long run and cuts down on those lengthy failed-login security e-mails.

DenyHosts is a wonderful tool for blocking these brute-force attacks against your SSH daemon. It works by scanning your auth log, finding the IPs that repeatedly try to log in to your server and fail, and then denying them SSH access to the server.


Prerequisites


The requirements for running DenyHosts are:
Python v2.3 (or greater)
SSHD server configured with tcp_wrappers support enabled

The example server used for this walkthrough is a FreeBSD system with OpenSSH, so the guide is mainly tailored to setting this up on a FreeBSD 6.x system. This doesn't mean you're out of luck if you're running another Unix-based environment, because these steps will still work with little modification.

The Setup


First things first, make sure that you have Python and OpenSSH installed on your system; reading the rest of this guide will be an utter waste of your time otherwise. You can check this by issuing these commands:

baku# pkg_info | grep python-2
python-2.4.3 An interpreted object-oriented programming language
baku# pkg_info | grep openssh
openssh-portable-overwrite-base-4.3.p2_1,1 The portable version of OpenBSD's OpenSSH
baku#

This shows us that both packages are installed. If they aren't installed on your system, a walkthrough on doing this is outside the scope of this article but can be found with a simple Google search.

The Install

DenyHosts has been added to the FreeBSD ports tree, which makes the installation step a lot easier for us. Navigate to the port's directory and issue a quick make install clean to get things going, like so:

baku# whereis denyhosts
denyhosts: /usr/ports/security/denyhosts
baku# cd /usr/ports/security/denyhosts
baku# make install clean

After that finishes we move on to the next step: navigate to the install directory and set up the config file. There are plenty of options, but to get a default install of DenyHosts working we only need to edit a few. This can be accomplished by following these steps:

baku# cd /usr/local/share/denyhosts/
baku# ls
daemon-control-dist denyhosts.cfg-dist plugins scripts setup.py
baku# cp denyhosts.cfg-dist denyhosts.cfg
baku# ee denyhosts.cfg

Just browse through this file, making sure the options are set to your satisfaction. Most of this config file doesn't have to be changed to get it running, but there is one item you need to modify: the block method. Edit it to look like this:

# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
BLOCK_SERVICE = sshd

You'll notice I uncommented sshd. This option tells your system which services to block the listed IPs on. If you don't want the offending IP to have any access to your system at all, uncomment the 'BLOCK_SERVICE = ALL' line instead.

One other thing I like to set up is the sync server. This lets you share your banned-IP list with other servers and download a copy of theirs as well. Pretty neat if you ask me, but this isn't a mandatory setting. Enable it by uncommenting the SYNC_SERVER line like this:

# To enable synchronization, you must uncomment the following line:
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

The rest of the config file is pretty self-explanatory. Once you have all your options set the way you'd like, save and exit the config file. Now we want to copy the daemon control script to the local rc.d directory. After that we need to create the data file that stores the denied IPs and edit our hosts.allow file:

baku# cp daemon-control-dist /usr/local/etc/rc.d/denyhosts_daemon.py
baku# touch /etc/hosts.deniedssh
baku# ee /etc/hosts.allow

Be very careful editing the hosts.allow file, as you could lock yourself out of your server if you are accessing it remotely. If you have never touched this file there is a good chance it is still in its default configuration, which is good, as we need to add a small edit to the top of it. You might also want to add your own IP here to prevent accidental blacklisting of your own address. I cannot stress enough how careful you need to be when editing this file. It should look something like this:

sshd : (YOUR IP HERE) : allow
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow
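As an added example (not code from the original post or from DenyHosts itself), the script below shows in miniature what DenyHosts does with the auth log, and why the order of the three hosts.allow rules above matters: it counts failed sshd logins per source IP from some constructed log lines, renders the tcp_wrappers-style deny lines that end up in the deny file, and evaluates the post's hosts.allow rules with tcp_wrappers' first-match semantics so that your own IP stays allowed even if it lands in the deny file. The failure threshold is an assumption for illustration, not DenyHosts' real setting.

```python
import re
from collections import Counter

# Constructed sample sshd auth log lines (not taken from a real system).
AUTH_LOG = """\
May  2 10:01:12 baku sshd[812]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
May  2 10:01:15 baku sshd[813]: Failed password for invalid user oracle from 192.0.2.10 port 4022 ssh2
May  2 10:01:19 baku sshd[814]: Failed password for root from 192.0.2.10 port 4023 ssh2
May  2 10:02:40 baku sshd[820]: Failed password for jdoe from 198.51.100.7 port 50110 ssh2
May  2 10:02:55 baku sshd[821]: Accepted publickey for jdoe from 198.51.100.7 port 50111 ssh2
"""

# Matches OpenSSH's "Failed password" line for both valid and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")


def offending_hosts(log_text, threshold=3):
    """Count failed sshd logins per source IP, as DenyHosts' log scan does,
    and return the IPs that reached the (assumed) threshold."""
    fails = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            fails[m.group(1)] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def deny_entries(ips, service="sshd"):
    """Render tcp_wrappers lines of the form written to the deny file
    when BLOCK_SERVICE = sshd, e.g. 'sshd: 192.0.2.10'."""
    return ["%s: %s" % (service, ip) for ip in ips]


def sshd_allowed(client_ip, my_ip, denied_ips):
    """First-match evaluation of the post's hosts.allow rules:
    sshd : (YOUR IP) : allow   -> your own address always wins
    sshd : /etc/hosts.deniedssh : deny
    sshd : ALL : allow"""
    rules = [({my_ip}, True), (set(denied_ips), False), (None, True)]
    for clients, verdict in rules:
        if clients is None or client_ip in clients:
            return verdict
    return True  # tcp_wrappers grants access when no rule matches at all
```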

The Finish


Our final step is to start the DenyHosts daemon. The syntax to do this is:

baku# /usr/local/etc/rc.d/denyhosts_daemon.py start
starting DenyHosts: /usr/local/bin/denyhosts.py --daemon --config=/usr/local/share/denyhosts/denyhosts.cfg
baku#

You can now tail the /var/log/denyhosts log file or cat /etc/hosts.deniedssh to watch DenyHosts in action. Sit back and relax, because your worries about brute-force attacks are over. Enjoy your bandwidth savings and smaller security e-mails.

Resources


DenyHosts

This post is licensed under a Creative Commons License.


Retarded Kids

FreeBSD and Unix/Linux information and software to make it more secure.
