Red Hat / CentOS: Install DenyHosts To Block SSH Attacks / Hacking

August 8, 2007 · 7 comments · Last updated August 17, 2009


How do I block and stop attacks on an SSH server under CentOS Linux or Red Hat Enterprise Linux server 5.x?

You can easily thwart SSH server attacks, including dictionary-based and brute-force attacks, with the DenyHosts software.

It is a Python-based script that analyzes the sshd log messages to determine which hosts are attempting to break into your system, and adds those hosts to /etc/hosts.deny so that TCP Wrappers rejects their further connection attempts.

Step #1: Enable the RPMforge Repo

First, enable the RPMforge repo. For 32-bit CentOS / RHEL 5 Linux, enter:
# rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
For 64-bit CentOS / RHEL 5 Linux, enter:
# rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
The version number in the package name changes over time; if these URLs return a 404, look up the current rpmforge-release package in the repository listing before installing.

Step #2: Install Denyhosts

Type the following command:
# yum -y install denyhosts

Step #3: Configure Denyhosts

The default configuration file is located at /etc/denyhosts/denyhosts.cfg.

Allow Your Computer To Access sshd

Set up a whitelist so that the script can never lock you out. DenyHosts writes blocked hosts to /etc/hosts.deny, and TCP Wrappers consults /etc/hosts.allow first, so an address listed in hosts.allow is accepted no matter what ends up in hosts.deny. Edit /etc/hosts.allow, enter:
# vi /etc/hosts.allow
Allow sshd from 202.54.1.2 and 203.51.2.3:

sshd: 202.54.1.2 203.51.2.3

Save and close the file. Addresses that must never be blocked can also be listed, one per line, in DenyHosts' own allowed-hosts file under WORK_DIR (the SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS setting below controls whether failed logins from those addresses are still reported). Neither list helps if you connect from a changing address, so make sure you have an out-of-band console available before you start the service.

Set Up the Alert Email Address

Edit /etc/denyhosts/denyhosts.cfg, enter:
# vi /etc/denyhosts/denyhosts.cfg
If you would like to receive emails about newly restricted hosts and suspicious logins, set ADMIN_EMAIL to your email address. If you do not want these reports, leave the field blank (or run with the --noemail option). Multiple email addresses can be separated by commas, e.g.:
ADMIN_EMAIL = vivek@nixcraft.co.in, vivek@nixcraft.net.in

A single address:
ADMIN_EMAIL = vivek@dsl.nixcraft.net.in

Save and close the file. Here is my own sample configuration file for a RHEL / CentOS 5.x server / VPS box; the config file is documented very well, just open and read it. Note that HOSTNAME_LOOKUP=YES makes DenyHosts do a reverse DNS lookup for every address it reports, which can be slow on a busy server; set it to NO if you do not need hostnames in the reports.

############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 7d
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = vivek@dsl.nixcraft.net.in
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
######### THESE SETTINGS ARE SPECIFIC TO DAEMON SYNCHRONIZATION ##########
 

Turn On Denyhosts

Type the following commands:
# chkconfig denyhosts on
# service denyhosts start

How do I view the DenyHosts log?

Type the command:
# tail -f /var/log/denyhosts
# tail -f /var/log/secure
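What DenyHosts does with the lines that tail shows, as an added example that is not part of the original page or of the DenyHosts project: a small Python script that applies the thresholds from the sample config above (DENY_THRESHOLD_INVALID=5, DENY_THRESHOLD_VALID=10, DENY_THRESHOLD_ROOT=1) and a whitelist like the hosts.allow entries from step 3 to a constructed /var/log/secure excerpt, then emits the hosts.deny entries that would result. The log lines, the hostname centos5 and the attacker addresses are made up for the example; the regular expression is this example's own, not the one DenyHosts ships, and it is anchored on the trailing " port <n> ssh2" so that a crafted username containing " from <ip>" cannot get a third party's address banned.

```python
"""Added example (not DenyHosts' own code): a minimal DenyHosts-style analyzer.

It reads sshd failure lines in the /var/log/secure format, counts failures per
source address in the three classes the sample denyhosts.cfg uses (invalid
user, valid user, root), skips whitelisted addresses, and produces hosts.deny
entries in the "sshd: <ip>" form.  Log lines, hostname and addresses below are
constructed for the example.
"""
import re
from collections import defaultdict

# Thresholds copied from the sample denyhosts.cfg on this page.
# DENY_THRESHOLD_RESTRICTED (restricted-usernames) is omitted for brevity.
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
BLOCK_SERVICE = "sshd"

# OpenSSH "Failed password for [invalid user] <user> from <ip> port <n> ssh2".
# The user group is lazy and the pattern is anchored on " port <n> ssh2$", so a
# username crafted to contain " from <ip>" cannot make us attribute the failure
# to an address of the attacker's choosing: the real source is the address
# that precedes "port".  RHEL 5 sshd may log IPv4 sources as ::ffff:a.b.c.d.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>.+?) from (?:::ffff:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

THRESHOLDS = {
    "invalid": DENY_THRESHOLD_INVALID,
    "valid": DENY_THRESHOLD_VALID,
    "root": DENY_THRESHOLD_ROOT,
}


def parse_failures(lines):
    """Yield (source_ip, category) for every failed-login line, in order."""
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # not a failed login, or a format this example does not handle
        if m.group("invalid"):
            category = "invalid"
        elif m.group("user") == "root":
            category = "root"
        else:
            category = "valid"
        yield m.group("host"), category


def hosts_to_deny(lines, allowed_hosts=()):
    """Return the sorted list of source addresses that crossed a threshold.

    allowed_hosts plays the role of /etc/hosts.allow (or DenyHosts' own
    allowed-hosts file): those addresses are never denied, whatever they do.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for host, category in parse_failures(lines):
        counts[host][category] += 1
    denied = []
    for host, per_category in counts.items():
        if host in allowed_hosts:
            continue
        if any(n >= THRESHOLDS[c] for c, n in per_category.items()):
            denied.append(host)
    return sorted(denied)


def hosts_deny_lines(denied):
    """Format denied addresses as TCP Wrappers lines for /etc/hosts.deny."""
    return ["%s: %s" % (BLOCK_SERVICE, host) for host in denied]


# Constructed /var/log/secure excerpt (hostname "centos5", attacker addresses
# from documentation ranges; 202.54.1.2 is the whitelisted address from the page).
SAMPLE_LOG = (
    ["Aug 17 10:01:0%d centos5 sshd[2231]: Failed password for invalid user "
     "oracle from 203.0.113.5 port 4321 ssh2" % i for i in range(5)]
    + ["Aug 17 10:02:00 centos5 sshd[2240]: Failed password for root "
       "from ::ffff:203.0.113.7 port 4400 ssh2"]
    + ["Aug 17 10:03:0%d centos5 sshd[2250]: Failed password for vivek "
       "from 198.51.100.9 port 4500 ssh2" % i for i in range(3)]
    + ["Aug 17 10:04:00 centos5 sshd[2260]: Failed password for root "
       "from 202.54.1.2 port 4600 ssh2"]
    # Attacker logs in as the literal username "admin from 1.2.3.4", hoping a
    # sloppy parser bans 1.2.3.4 instead of the real source 203.0.113.9.
    + ["Aug 17 10:05:0%d centos5 sshd[2270]: Failed password for invalid user "
       "admin from 1.2.3.4 from 203.0.113.9 port 4700 ssh2" % i for i in range(5)]
)

if __name__ == "__main__":
    whitelist = {"202.54.1.2", "203.51.2.3"}  # the hosts.allow entries from step 3
    for entry in hosts_deny_lines(hosts_to_deny(SAMPLE_LOG, whitelist)):
        print(entry)
```

Run as is, it prints the three entries that would land in /etc/hosts.deny: 203.0.113.5 (five invalid-user failures), 203.0.113.7 (a single root failure is enough with DENY_THRESHOLD_ROOT = 1) and 203.0.113.9 (the real source of the crafted-username attempts, while 1.2.3.4 is never touched). 198.51.100.9 stays below DENY_THRESHOLD_VALID, and 202.54.1.2 is spared only because it is whitelisted, which is exactly why hosts.allow is edited before the service is started.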

Recommended readings:

  1. Debian Linux Stop SSH User Hacking / Cracking Attacks with DenyHosts Software
  2. Top 20 OpenSSH Server Best Security Practices
  3. DenyHosts project

7 comments

1 jeffatrackaid January 28, 2010 at 1:15 am

DenyHosts is subject to log based attacks. See http://www.ossec.net/main/attacking-log-analysis-tools for more info.

I prefer to use rate limiting SSH rules to block SSH attacks.


2 John Lindley October 7, 2010 at 3:03 pm

The links have changed:

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm


3 Marty September 9, 2011 at 5:34 pm

Thanks, it worked. I'm a newbie, so all the help I get from most of you guys is great. Again, thanks.

4 Nick Maxwell October 14, 2010 at 2:29 pm

The article at http://www.ossec.net/main/attacking-log-analysis-tools is worth following.

It appears that the patch is not currently available for denyhosts to stop a DoS attack using remote log injection. The solution though is a simple fix – from the article, change the /usr/lib/python2.4/site-packages/DenyHosts/regex.py

From
FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")

To
FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")

5 Linux newbie November 10, 2010 at 11:39 am

Thanks for walk through and subsequent comments. Just made my server a little more secure :-)


6 poly1 April 23, 2011 at 6:45 am

Just an FYI on this, BE CAREFUL. I installed the RPMforge release, did the tutorial, added my IP to the hosts.allow file and restarted the service. It worked fine for a few minutes, but as soon as I disconnected and reconnected to my server it blacklisted my IP. I can still connect via FTP, but not as root, and SFTP/SSH are completely blocked. It's done this several times. I did some Googling and it seems like this is happening to other people as well. It's not a big deal if you have physical access to your server, but I'm renting a VPS, so I guess this means I'm calling my host :(

7 Steve Dibb September 26, 2011 at 4:52 pm

You can avoid that by adding your IP address to /etc/hosts.allow.

ALL: 1.2.3.4

