How to install denyhosts on Ubuntu Linux 16.04 LTS ( intrusion prevention security tool )

Last updated February 12, 2017

I host my blog on a cloud server, and I set up ssh to manage my Ubuntu Linux 16.04 LTS server. However, I noticed lots of break-in and brute-force attacks on my ssh server. How can I stop hacking attempts into my system?

You need to use DenyHosts, a log-based intrusion prevention security tool for SSH servers written in Python. It is designed to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses using /etc/hosts.deny and iptables on a Linux server. In this tutorial, you will learn how to install DenyHosts, a Python program that automatically blocks ssh attacks by adding entries to the /etc/hosts.deny file.

Step 1 – Install denyhosts

Type the following apt-get command or apt command to install denyhosts on Ubuntu Linux:
$ sudo apt-get install denyhosts
OR
$ sudo apt install denyhosts
Sample outputs:

Fig.01: How To Install DenyHosts On Ubuntu or Debian Linux Server

Step 2 – White list your own IP address

Edit the /etc/hosts.allow file, and add your client IP address. This ensures that you are not blocked accidentally:
$ sudo vi /etc/hosts.allow
The syntax is as follows:

sshd: whitelist-ip1, whitelist-ip2, ...., whitelist-ipN

For example, to white list 202.54.1.1 and 203.54.2.3, enter:

sshd: 202.54.1.1 , 203.54.2.3

Save and close the file.

Step 3 – Configure denyhosts using /etc/denyhosts.conf

On a Debian or Ubuntu Linux based system, DenyHosts runs in daemon mode by default and the configuration file is /etc/denyhosts.conf:
$ sudo vi /etc/denyhosts.conf
Make sure SECURE_LOG is set as follows:

SECURE_LOG = /var/log/auth.log

Set HOSTS_DENY as follows:

HOSTS_DENY = /etc/hosts.deny

To block only sshd:

BLOCK_SERVICE  = sshd

Set the deny threshold limits for failed login attempts:

DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1

To block incoming connections using the Linux firewall IPTABLES:

IPTABLES = /sbin/iptables

Save and close the file.
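The following script is an added example, not part of DenyHosts or of this tutorial. It re-implements the core rule that Steps 2 and 3 configure: count failed sshd logins per source IP in the auth log, compare the counts against the DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT values, skip anything whitelisted in hosts.allow, and print the "sshd: IP" lines that would be appended to /etc/hosts.deny. The auth log lines and the hosts.allow file are constructed stand-ins written to a temporary directory; the function name denyhosts_candidates and its argument order are this example's own.

```shell
#!/bin/sh
# Added example (not DenyHosts code): shows why a source IP ends up in
# /etc/hosts.deny given the thresholds from /etc/denyhosts.conf.
set -u

WORK="$(mktemp -d)"
AUTH_LOG="$WORK/auth.log"        # constructed stand-in for /var/log/auth.log
HOSTS_ALLOW="$WORK/hosts.allow"  # constructed stand-in for /etc/hosts.allow

# Constructed sshd lines in the format found in /var/log/auth.log.
cat > "$AUTH_LOG" <<'EOF'
Feb 10 18:01:01 box sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Feb 10 18:01:03 box sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Feb 10 18:01:05 box sshd[1001]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Feb 10 18:01:07 box sshd[1001]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Feb 10 18:01:09 box sshd[1001]: Failed password for invalid user guest from 198.51.100.7 port 40005 ssh2
Feb 10 18:02:00 box sshd[1002]: Failed password for root from 203.0.113.9 port 50001 ssh2
Feb 10 18:03:00 box sshd[1003]: Failed password for vivek from 192.0.2.5 port 60001 ssh2
Feb 10 18:03:02 box sshd[1003]: Failed password for vivek from 192.0.2.5 port 60002 ssh2
Feb 10 18:04:00 box sshd[1004]: Failed password for invalid user admin from 202.54.1.1 port 40100 ssh2
Feb 10 18:04:01 box sshd[1004]: Failed password for invalid user admin from 202.54.1.1 port 40101 ssh2
Feb 10 18:04:02 box sshd[1004]: Failed password for invalid user admin from 202.54.1.1 port 40102 ssh2
Feb 10 18:04:03 box sshd[1004]: Failed password for invalid user admin from 202.54.1.1 port 40103 ssh2
Feb 10 18:04:04 box sshd[1004]: Failed password for invalid user admin from 202.54.1.1 port 40104 ssh2
Feb 10 18:05:00 box sshd[1005]: Accepted publickey for vivek from 192.0.2.5 port 60003 ssh2
EOF

# Whitelist exactly as written in Step 2 of the tutorial.
printf 'sshd: 202.54.1.1 , 203.54.2.3\n' > "$HOSTS_ALLOW"

# denyhosts_candidates AUTH_LOG HOSTS_ALLOW INVALID_THRESHOLD VALID_THRESHOLD ROOT_THRESHOLD
# Prints one "sshd: IP" line per source that reached its threshold and is not
# whitelisted. Output is sorted so it is stable for comparison.
denyhosts_candidates() {
    awk -v inv="$3" -v val="$4" -v rt="$5" '
        FNR == NR {
            # First file is hosts.allow: "sshd: ip1 , ip2"; drop the service
            # name and split the rest on commas and/or whitespace.
            if ($1 == "sshd:") {
                sub(/^sshd:[ \t]*/, "")
                n = split($0, ips, /[ \t]*,[ \t]*|[ \t]+/)
                for (i = 1; i <= n; i++) if (ips[i] != "") allow[ips[i]] = 1
            }
            next
        }
        /sshd\[[0-9]+\]: Failed password for / {
            # The source address is the token after "from".
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            if ($0 ~ /Failed password for invalid user /)   invalid[ip]++
            else if ($0 ~ /Failed password for root from /) root[ip]++
            else                                            valid[ip]++
        }
        END {
            for (ip in invalid) if (invalid[ip] >= inv) deny[ip] = 1
            for (ip in valid)   if (valid[ip]   >= val) deny[ip] = 1
            for (ip in root)    if (root[ip]    >= rt)  deny[ip] = 1
            for (ip in deny) if (!(ip in allow)) print "sshd: " ip
        }' "$2" "$1" | sort
}

# Thresholds from Step 3: invalid user 5, valid user 10, root 1.
denyhosts_candidates "$AUTH_LOG" "$HOSTS_ALLOW" 5 10 1
```

With the constructed input, 198.51.100.7 (five attempts against non-existent users) and 203.0.113.9 (a single root attempt) are reported; 192.0.2.5 stays under the valid-user threshold, and 202.54.1.1 crosses the invalid threshold but is excluded because it appears in hosts.allow, which is exactly why Step 2 matters before the daemon is started.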

Restart the denyhosts service

Type the following command on Ubuntu Linux 16.04 LTS or newer:
$ sudo systemctl restart denyhosts.service
For older Ubuntu / Debian Linux / non-systemd based systems, enter:
$ sudo /etc/init.d/denyhosts restart

Enable the denyhosts service on Ubuntu Linux 16.04 LTS at boot time

Type the following command:
$ sudo systemctl enable denyhosts.service
Sample outputs:

Synchronizing state of denyhosts.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install enable denyhosts

Step 4 – Watch the /var/log/denyhosts log file for errors

Type the following grep command (replace 'something' with the text you are looking for):
$ sudo grep 'something' /var/log/denyhosts
OR tail command:
$ sudo tail -f /var/log/denyhosts
Sample outputs:

2017-02-10 18:23:37,811 - denyhosts   : INFO     restricted: set([])
2017-02-10 18:23:37,812 - AllowedHosts: WARNING  Couldn't load warned hosts from /var/lib/denyhosts/allowed-warned-hosts
2017-02-10 18:23:37,812 - denyhosts   : INFO     launching DenyHosts daemon (version 2.10)...
2017-02-10 18:23:37,813 - denyhosts   : INFO     DenyHost daemon is now running, pid: 25774
2017-02-10 18:23:37,813 - denyhosts   : INFO     send daemon process a TERM signal to terminate cleanly
2017-02-10 18:23:37,813 - denyhosts   : INFO       eg.  kill -TERM 25774
2017-02-10 18:23:37,814 - denyhosts   : INFO     monitoring log: /var/log/auth.log
2017-02-10 18:23:37,814 - denyhosts   : INFO     sync_time: 3600
2017-02-10 18:23:37,814 - denyhosts   : INFO     purging of /etc/hosts.deny is disabled
2017-02-10 18:23:37,814 - denyhosts   : INFO     denyhost synchronization disabled

Step 5 – How to see a list of blocked hosts

Type the following cat command:
$ sudo cat /etc/hosts.deny
Sample outputs:

Fig.02: How to see a list of IP address blocked by DenyHosts on Linux or Unix

Please note that DenyHosts is restricted to connections using IPv4. It does not work with IPv6 addresses. Another option is to use the iptables command to see the blocked IP addresses:
$ sudo iptables -L INPUT -n -v
$ sudo iptables -L INPUT -n -v | more
$ sudo iptables -L INPUT -n -v | grep DROP

Sample outputs:

Chain INPUT (policy DROP 526 packets, 103K bytes)
    0     0 DROP       all  --  *      *       193.201.224.199      0.0.0.0/0           
   24  1272 DROP       all  --  *      *       75.146.185.254       0.0.0.0/0           
    0     0 DROP       all  --  *      *       78.56.6.211          0.0.0.0/0           
   80  4744 DROP       all  --  *      *       60.250.157.222       0.0.0.0/0           
 2342  122K DROP       all  --  *      *       123.30.37.44         0.0.0.0/0           
    0     0 DROP       all  --  *      *       163.172.87.229       0.0.0.0/0  
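DenyHosts maintains both /etc/hosts.deny and the iptables INPUT chain when IPTABLES is set in /etc/denyhosts.conf, so the two lists should agree. The script below is an added example (not DenyHosts code or part of this tutorial) that cross-checks them: it lists hosts.deny entries that have no matching DROP rule, and orders the DROP rules by how many packets they have caught. Both inputs are constructed stand-ins written to a temporary directory, formatted like /etc/hosts.deny and like the iptables -L INPUT -n -v output shown above; the function names are this example's own. On a live system, capture the chain with iptables -L INPUT -n -v -x so packet counts are exact numbers rather than abbreviated with K or M, which would break the numeric sort.

```shell
#!/bin/sh
# Added example (not DenyHosts code): compare /etc/hosts.deny with the
# iptables INPUT chain and summarise the DROP rules.
set -u

WORK="$(mktemp -d)"

# Constructed stand-in for /etc/hosts.deny (DenyHosts appends "sshd: IP" lines).
cat > "$WORK/hosts.deny" <<'EOF'
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
sshd: 193.201.224.199
sshd: 75.146.185.254
sshd: 198.51.100.23
sshd: 123.30.37.44
EOF

# Constructed stand-in for `iptables -L INPUT -n -v -x` output.
cat > "$WORK/iptables.txt" <<'EOF'
Chain INPUT (policy DROP 526 packets, 103000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       193.201.224.199      0.0.0.0/0
   24  1272 DROP       all  --  *      *       75.146.185.254       0.0.0.0/0
 2342 122000 DROP      all  --  *      *       123.30.37.44         0.0.0.0/0
  512 30720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
EOF

# dropped_sources IPTABLES_OUT: source address of every DROP rule, one per line.
# Column 3 is the target and column 8 the source in the -L -n -v layout.
dropped_sources() {
    awk '$3 == "DROP" { print $8 }' "$1"
}

# denied_sshd_hosts HOSTS_DENY: addresses DenyHosts wrote for the sshd service.
denied_sshd_hosts() {
    awk '$1 == "sshd:" { print $2 }' "$1"
}

# unfirewalled_denied_hosts HOSTS_DENY IPTABLES_OUT: hosts.deny entries that
# have no DROP rule. sshd still refuses them through TCP wrappers, but their
# packets are not dropped by the firewall.
unfirewalled_denied_hosts() {
    denied_sshd_hosts "$1" | sort -u > "$WORK/denied.lst"
    dropped_sources "$2"   | sort -u > "$WORK/dropped.lst"
    comm -23 "$WORK/denied.lst" "$WORK/dropped.lst"
}

# busiest_dropped IPTABLES_OUT: "<packets> <source>" for each DROP rule,
# busiest source first.
busiest_dropped() {
    awk '$3 == "DROP" { print $1, $8 }' "$1" | sort -k1,1nr
}

echo "hosts.deny entries without a DROP rule:"
unfirewalled_denied_hosts "$WORK/hosts.deny" "$WORK/iptables.txt"
echo "DROP rules by packets matched:"
busiest_dropped "$WORK/iptables.txt"
```

With the constructed data, 198.51.100.23 is reported as denied by TCP wrappers but not by the firewall, and 123.30.37.44 is the busiest dropped source, which is a quick way to confirm that the iptables rules DenyHosts adds are actually catching traffic.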

How do I enable centralized synchronization support?

DenyHosts version 2.0 and above support centralized synchronization, so that repeat offenders are blocked from many computers. The site xmlrpc.denyhosts.net gathers statistics from computers running the software. Synchronization is disabled by default. To enable synchronization, enter:
$ sudo vi /etc/denyhosts.conf
Set config option as follows:

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

Save and close the file. Type the following command on Ubuntu Linux 16.04 LTS or newer to restart the service:
$ sudo systemctl restart denyhosts.service
For older Ubuntu / Debian Linux / non-systemd based systems, type the following command to restart the service:
$ sudo /etc/init.d/denyhosts restart

How do I start denyhosts service?

Type the following command on Ubuntu Linux 16.04 LTS or newer to start the service:
$ sudo systemctl start denyhosts.service
For older Ubuntu / Debian Linux / non-systemd based systems, type the following command to start the service:
$ sudo /etc/init.d/denyhosts start

How do I stop denyhosts service?

Type the following command on Ubuntu Linux 16.04 LTS or newer to stop the service:
$ sudo systemctl stop denyhosts.service
For older Ubuntu / Debian Linux / non-systemd based systems, type the following command to stop the service:
$ sudo /etc/init.d/denyhosts stop

Other suggestions to secure OpenSSH server

  1. Disable root login
  2. Disable password based login
  3. Use SSH key-based login
  4. See “Top 20 OpenSSH Server Best Security Practices” for more information.

For more information see denyhosts project home page.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.
