Secure your Linux box using denyhosts autoban
November 28, 2010. Posted by Tournas Dimitrios in Linux.
Here are some tips to make your Linux server safer from intruders. I recently viewed my log files in Linux and noticed a few hundred failed logins from different hosts against my sshd service.
I wanted to secure it using iptables, but this reduced my mobility quite a lot. By denying packets from all hosts and accepting just from a few trusted ones, I ended up not being able to access my server from everywhere I wanted. So I started searching on the Internet for an alternative, and I found something called DenyHosts, an open source project from SourceForge. This Python script is very useful, bringing many options that are an advantage in the fight against hackers.
Its features include allowed and denied host list files that are updated dynamically by analysing the failed attempts in the service's log file, e-mail notifications when something happens, and a synchronization mode that pulls in hosts that were banned repeatedly elsewhere and denies them on your server too.
Downloading the script :
To download the script, go to http://denyhosts.sourceforge.net/ or, if you are using Fedora Core, try “yum install denyhosts” (on my box EPEL is in the repo list).
Configuring the script :
After installing it, you need to edit its configuration file. The template is typically found in /usr/share/doc/denyhosts-xx, where xx is your current version; a packaged install may also have put a ready-to-edit copy under /etc, so check the package's file list first (rpm -ql denyhosts on Fedora) rather than ending up with two configurations. Open the file denyhosts.cfg-dist located there with an editor and edit all fields you may need.
Here are the most important ones:
# The path to your authentication log file (/var/log/auth.log on Debian and Ubuntu)
SECURE_LOG = /var/log/secure
# The TCP wrappers file that denied hosts are appended to
HOSTS_DENY = /etc/hosts.deny
# Entries older than this are removed when a purge runs (e.g. 1w = one week); leave it blank to never purge
PURGE_DENY = 1d
# The service(s) to block for denied hosts: a service name, ALL, or blank for none.
# Only services that consult /etc/hosts.deny (TCP wrappers / libwrap) are affected.
BLOCK_SERVICE = sshd
# Look up the hostname of each denied IP
HOSTNAME_LOOKUP = YES
# Admin e-mail that receives the reports (change it to your own address)
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
# Optional, only if the mail goes out through an external SMTP server that requires a login
#SMTP_USERNAME =
#SMTP_PASSWORD =
# Daemon log file
DAEMON_LOG = /var/log/denyhosts
# Daemon cycle time: how long the daemon sleeps between two scans of the log
DAEMON_SLEEP = 1800s
After checking all variables, save the file as a new one, called denyhosts.cfg.
Running it :
Now you can start the Python script in three ways:
– One-time run over a log file – denyhosts.py --file /var/log/secure
– Daemon run – denyhosts.py --daemon
– From cron, so that the one-time run is repeated periodically
By default the script looks for denyhosts.cfg in the current directory, so either run it from the directory that contains the configuration file or point it at the file explicitly with --config /path/to/denyhosts.cfg (a cron job should always do the latter, since its working directory is not yours).
Now DenyHosts is up and running and will ban the intruders for you. If running in daemon mode, check /etc/hosts.deny and /var/log/denyhosts from time to time to see that all is well. Keep in mind that the blocking works through TCP wrappers: it only protects services that consult /etc/hosts.deny, so make sure your sshd is linked against libwrap, and remember that a line starting with # is a comment to TCP wrappers. The timestamped "# DenyHosts:" line only records when a host was added (the purge reads it later); the plain "sshd: <ip>" entry written with it is what actually refuses the connection. This is an example of hosts.deny output:
# DenyHosts: Thu Jun 21 05:25:31 2007 | vsftpd: 220.127.116.11
# DenyHosts: Thu Jun 21 05:25:31 2007 | vsftpd: 18.104.22.168
# DenyHosts: Thu Jun 21 05:25:31 2007 | vsftpd: 22.214.171.124
# DenyHosts: Thu Jun 21 06:19:21 2007 | sshd: 192.168.0.100
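The following script is an added example, not DenyHosts' own code. It reduces the mechanism described in this post to a few functions: count failed sshd logins per source IP in the secure log, deny the sources that cross a threshold unless they are on the allowed list, render the entries in the hosts.deny format shown above (plus the plain "sshd: <ip>" line TCP wrappers acts on), and purge entries older than a PURGE_DENY-style duration such as the 1d or 1800s values used in the configuration section. The log lines, IPs and the fixed clock value are constructed for the demo; DENY_THRESHOLD_ROOT/INVALID/VALID are real denyhosts.cfg settings, but the values here are lowered from the shipped defaults so the short sample trips them.

```python
# Added example, not DenyHosts' own code: the mechanism the post describes
# (count failed sshd logins per source, deny sources over a threshold unless
# allowed, append timestamped hosts.deny entries, purge those older than
# PURGE_DENY) reduced to a few functions run over constructed data.
import re
import time
from collections import Counter

# Constructed /var/log/secure excerpt (documentation-range IPs, not real traffic).
SAMPLE_SECURE_LOG = """\
Nov 28 10:01:02 box sshd[2001]: Failed password for root from 203.0.113.7 port 4021 ssh2
Nov 28 10:01:05 box sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Nov 28 10:01:09 box sshd[2003]: Failed password for root from 203.0.113.7 port 4023 ssh2
Nov 28 10:02:11 box sshd[2010]: Failed password for dimitrios from 198.51.100.9 port 5000 ssh2
Nov 28 10:02:30 box sshd[2011]: Accepted password for dimitrios from 198.51.100.9 port 5001 ssh2
Nov 28 10:03:01 box sshd[2020]: Failed password for invalid user oracle from 203.0.113.8 port 6000 ssh2
Nov 28 10:03:04 box sshd[2021]: Failed password for invalid user test from 203.0.113.8 port 6001 ssh2
"""

# DENY_THRESHOLD_ROOT / _INVALID / _VALID are real denyhosts.cfg settings; the values
# here are lowered from the shipped defaults so the short sample trips them.
DEMO_THRESHOLDS = {"root": 1, "invalid": 2, "valid": 3}

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
DENY_RE = re.compile(r"^# DenyHosts: (?P<stamp>.+?) \| (?P<entry>\S+: \S+)$")
STAMP_FMT = "%a %b %d %H:%M:%S %Y"  # the time.ctime() layout DenyHosts writes
# Fixed "now" so the rendered entries are reproducible (constructed, not the real clock).
DEMO_NOW = time.mktime(time.strptime("Sun Nov 28 10:05:00 2010", STAMP_FMT))

def parse_duration(spec):
    """Parse a DenyHosts-style duration such as '1d', '1w' or '1800s' into seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}
    m = re.fullmatch(r"\s*(\d+)\s*([smhdwy])\s*", spec)
    if not m:
        raise ValueError("bad duration: %r" % spec)
    return int(m.group(1)) * units[m.group(2)]

def failed_logins(log_text):
    """Count failed sshd logins per source IP, split into the three classes DenyHosts
    thresholds separately: root, invalid (non-existent) users and other valid users."""
    counts = {"root": Counter(), "invalid": Counter(), "valid": Counter()}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are not attempts
        kind = "root" if m["user"] == "root" else "invalid" if "invalid user" in line else "valid"
        counts[kind][m["ip"]] += 1
    return counts

def hosts_to_deny(counts, thresholds, allowed=()):
    """Return the sorted IPs that crossed a threshold and are not on the allowed list."""
    deny = set()
    for kind, per_ip in counts.items():
        for ip, n in per_ip.items():
            if n >= thresholds[kind] and ip not in allowed:
                deny.add(ip)
    return sorted(deny)

def hosts_deny_entries(ips, service="sshd", now=None):
    """Render entries the way DenyHosts appends them: a timestamped comment (what the
    purge reads later) followed by the plain '<service>: <ip>' line TCP wrappers acts on."""
    stamp = time.ctime(now if now is not None else time.time())
    lines = []
    for ip in ips:
        lines.append("# DenyHosts: %s | %s: %s" % (stamp, service, ip))
        lines.append("%s: %s" % (service, ip))
    return "\n".join(lines) + "\n"

def purge_expired(hosts_deny_text, purge_deny, now):
    """Drop DenyHosts entries older than PURGE_DENY; lines it did not write (hand-made
    rules, other comments) pass through.  Returns (new text, list of purged entries)."""
    max_age = parse_duration(purge_deny)
    lines = hosts_deny_text.splitlines()
    kept, dropped, i = [], [], 0
    while i < len(lines):
        m = DENY_RE.match(lines[i])
        if not m:
            kept.append(lines[i])
            i += 1
            continue
        pair = [lines[i]]
        if i + 1 < len(lines) and lines[i + 1] == m["entry"]:
            pair.append(lines[i + 1])  # the active line that belongs to this stamp
        i += len(pair)
        written = time.mktime(time.strptime(m["stamp"], STAMP_FMT))
        if now - written > max_age:
            dropped.append(m["entry"])
        else:
            kept.extend(pair)
    return ("\n".join(kept) + "\n" if kept else ""), dropped

if __name__ == "__main__":
    bad = hosts_to_deny(failed_logins(SAMPLE_SECURE_LOG), DEMO_THRESHOLDS, allowed={"198.51.100.9"})
    entries = hosts_deny_entries(bad, now=DEMO_NOW)
    print(entries, end="")
    print("purged after two days:", purge_expired(entries, "1d", DEMO_NOW + 2 * 86400)[1])
```

On the sample, the two scanning hosts are denied (one for hitting root, one for two non-existent accounts) while the legitimate user who mistyped a password once is not; the purge keeps hand-written hosts.deny rules intact and only removes the pairs DenyHosts itself wrote, which is why the timestamped comment matters even though TCP wrappers ignores it.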