Debian Linux Stop SSH User Hacking / Cracking Attacks with DenyHosts Software

by on February 4, 2008 · 11 comments· LAST UPDATED October 10, 2010

in , ,

I've noticed lots of failed login attempt for my Debian Linux VPS root server account. How do I stop automated bot based SSH attacks on my server?

You can use DenyHosts - a Python based script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It is an utility to help sys admins thwart ssh crackers. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. It will automatically blocks ssh attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.

Step # 1: Make Sure Python is installed

First, make sure python is installed under Debian / Ubuntu Linux:
# dpkg --list | grep python2
Find out version (DenyHosts requires 2.3 or above version)
$ python -V
Output:
Python 2.5.1

Step # 2: Download DenyHosts

Visit official project home page to grab latest source code or packages. Use apt-get command under Debian / Ubuntu Linux, enter
$ sudo apt-get install denyhosts

DenyHosts configuration - /etc/denyhosts.conf

  1. The default configuration file is /etc/denyhosts.conf.
  2. You also need to create / update a whitelist in /etc/hosts.allow. For example, if you have static IP assigned by ISP, enter in this file. You can add all the important hosts that you never want blocked.

Step # 1: Setup a whitelist

Open /etc/hosts.allow:
# vi /etc/hosts.allow
Allow sshd from 202.54.1.2 i.e. you never want to block yourself
sshd: 202.54.1.2
Save and close the file. Verify and examines your tcp wrapper configuration file and reports all potential and real problems:
# tcpdchk -v

Step # 1: Configure DenyHosts

Open default configuration file - /etc/denyhosts.conf, enter:
# vi /etc/denyhosts.conf
Setup your email ID so you would receive emails regarding newly restricted hosts and suspicious logins, set this address to match your email address.
ADMIN_EMAIL = vivek@nixcraft.com
Save and close the file. Here is my own sample configuration file for Debian Linux 4.0 server (config file is documented very well, just open and read it):

############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY =
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = vivek@nixcraft.org
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <webmaster@cyberciti.com>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

Restart the daemon:
# /etc/init.d/denyhosts restart

See Also:

Further readings:

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 11 comments… read them below or add one }

1 kunal February 13, 2008 at 6:10 am

Locking out IP’s after multiple failed sshd login attempts

The following two rules will limit incoming connections to port 22 to no more than 3 attempts in a minute – an more than that will be dropped:

iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –set
iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –update –seconds 60 –hitcount 4 -j DROP

Reply

2 NoPremium.org April 13, 2008 at 5:43 pm

thanks a lot

Reply

3 LQman April 19, 2008 at 10:08 pm

@kunal

You may need to install fail2ban package.
It’s so simple script that work like your description above.

Reply

4 Yarg February 24, 2012 at 5:07 am

Like LQman says
apt-get install fail2ban
By default it automatically bans IPs after 6 failed login attempts within 5 min for 5 min. If you use “PermitRootLogin no” for your ssh server there is little chance of anybody guessing both username & password. It also works for any other connection and has default configs for most services.

Reply

5 budacsik September 21, 2008 at 11:31 am

sshdfilter also good :)
It use iptables.

Reply

6 Mehdi July 28, 2009 at 10:54 am

Thanks a lot for the info.
You’d be surprised if you looked at /var/log/auth.log file as I was.

I found a little widget that you can run to grep the IP addresses of intruders;
grep ‘from’ /var/log/auth.log|cut -d ‘ ‘ –field=13|uniq -c|sort -nr > ct-result.txt

Here I put the result from column 13th into a text file called ct-result.txt
you can see most of the IP addresses which were trying to break in.
sometimes it is the 14th column so I have not found a perfect way to grab all the IP addresses yet, if anyone has a better idea please post.

In any case I also get the result and put them in my hosts.deny file under /etc/
(again I have problem as to How to input these IP addresses in hosts.deny file, some say you have to put a slash at the end of the IP addresses? Not sure?)
like;
64.70.12.230\
or
210.51.51.*\
(these are actual chinese addresses trying to hack my system lol) :D
Many Thanks for the info.
I am going to test denyhost program on my workstation now.

Reply

7 Al B.. January 27, 2010 at 2:48 pm

I did the same thing as Mehdi using a cron.hourly\perl script…. then I used UFW to deny the host IP. I wish I knew about this article earlier….

Reply

8 rohit August 12, 2010 at 3:00 am

sorry,
but i can’t get that.

Reply

9 Tapas Mishra October 21, 2010 at 3:06 pm

Well the above command
tcpdchk -v gives me an error

Cannot find your inetd.conf or tlid.conf file.
Please specify its location.

Reply

10 Sam Tuke May 27, 2011 at 2:17 pm

For the rest of us whose ISPs allocate dynamic IP ranges, to ensure that you yourself never get blocked by denyhosts define IP ranges in hosts.allow like this:

sshd: 80.0.0.0/83.0.0.0

Also remember that if you use key authentication to login rather than passwords then you are unlikely to ever supply incorrect details, and therefore should not be at risk of ever blocking yourself, even if you don’t specify your IP in hosts.allow.

Reply

11 Robert May 7, 2013 at 8:46 am

Well, what if your own IP address is dynamic? Then the entire DenyHosts becomes a piece of useless garbage?

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , , , , , , ,

Previous Faq:

Next Faq: