You need to use DenyHosts which is a log-based intrusion prevention security tool for SSH servers written in Python. It is designed to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses using /etc/hosts.deny and iptables on Linux server. In this tutorial, you will learn how to install DenyHosts a python program that automatically blocks ssh attacks by adding entries to /etc/hosts.deny file.
Step 1 – Install denyhosts
Type the following apt-get command or apt command to install denyhosts on a Ubuntu Linux:
$ sudo apt-get install denyhosts
OR
$ sudo apt install denyhosts
Sample outputs:
Step 2 – White list your own IP address
Edit the /etc/hosts.allow file, and add your client IP address. This ensures that you are not blocked accidentally:
$ sudo vi /etc/hosts.allow
The syntax is as follows:
sshd: whitelist-ip1, whitelist-ip2, ...., whitelist-ipN
For example, white list 202.54.1.1 and 203.54.2.3, enter:
sshd: 202.54.1.1 , 203.54.2.3
Save and close the file.
Step 3 – Configure denyhosts using /etc/denyhosts.conf
In a Debian or Ubuntu Linux based system, the default running mode is daemon mode and the configuration file is /etc/denyhosts.conf:
$ sudo vi /etc/denyhosts.conf
Make sure SECURE_LOG set as follows:
SECURE_LOG = /var/log/auth.log |
HOSTS_DENY set as follows:
HOSTS_DENY = /etc/hosts.deny |
To block only sshd:
BLOCK_SERVICE = sshd |
Set deny threshold limit for login attempts:
DENY_THRESHOLD_INVALID = 5 DENY_THRESHOLD_VALID = 10 DENY_THRESHOLD_ROOT = 1 DENY_THRESHOLD_RESTRICTED = 1 |
To block incoming connections using the Linux firewall IPTABLES:
IPTABLES = /sbin/iptables |
Save and close the file.
Restart the denyhosts service
Type the following command on Ubuntu Linux 16.04 LTS or newer:
$ sudo systemctl restart denyhosts.service
For older Ubuntu / Debian Linux / Non-systemd based system, enter:
$ sudo /etc/init.d/denyhosts restart
Enable the denyhosts service on Ubuntu Linux 16.04 LTS on boot time
Type the following command:
$ sudo systemctl enable denyhosts.service
Sample outputs:
Synchronizing state of denyhosts.service with SysV init with /lib/systemd/systemd-sysv-install... Executing /lib/systemd/systemd-sysv-install enable denyhosts
Step 4 – Watch for /var/log/denyhosts log file for errors
Type the following grep command:
$ sudo grep 'something' /var/log/denyhosts
OR tail command:
$ sudo tail -f /var/log/denyhosts
Sample outputs:
2017-02-10 18:23:37,811 - denyhosts : INFO restricted: set([]) 2017-02-10 18:23:37,812 - AllowedHosts: WARNING Couldn't load warned hosts from /var/lib/denyhosts/allowed-warned-hosts 2017-02-10 18:23:37,812 - denyhosts : INFO launching DenyHosts daemon (version 2.10)... 2017-02-10 18:23:37,813 - denyhosts : INFO DenyHost daemon is now running, pid: 25774 2017-02-10 18:23:37,813 - denyhosts : INFO send daemon process a TERM signal to terminate cleanly 2017-02-10 18:23:37,813 - denyhosts : INFO eg. kill -TERM 25774 2017-02-10 18:23:37,814 - denyhosts : INFO monitoring log: /var/log/auth.log 2017-02-10 18:23:37,814 - denyhosts : INFO sync_time: 3600 2017-02-10 18:23:37,814 - denyhosts : INFO purging of /etc/hosts.deny is disabled 2017-02-10 18:23:37,814 - denyhosts : INFO denyhost synchronization disabled
Step 5 – How to see a list of blocked hosts
Type the following cat command:
$ sudo cat /etc/hosts.deny
Sample outputs:
Please note that the DenyHosts is restricted to connections using IPv4. It does not work with IPv6 based IP address. Another option is to use the iptables command to see blocked IP address:
$ sudo iptables -L INPUT -n -v
$ sudo iptables -L INPUT -n -v | more
$ sudo iptables -L INPUT -n -v | grep DROP
Sample outputs:
Chain INPUT (policy DROP 526 packets, 103K bytes)
0 0 DROP all -- * * 193.201.224.199 0.0.0.0/0
24 1272 DROP all -- * * 75.146.185.254 0.0.0.0/0
0 0 DROP all -- * * 78.56.6.211 0.0.0.0/0
80 4744 DROP all -- * * 60.250.157.222 0.0.0.0/0
2342 122K DROP all -- * * 123.30.37.44 0.0.0.0/0
0 0 DROP all -- * * 163.172.87.229 0.0.0.0/0
How do I enable centralized synchronization support?
The DenyHosts version 2.0 and above support centralized synchronization, so that repeat offenders are blocked from many computers. The site xmlrpc.denyhosts.net gathers statistics from computers running the software. Synchronization disabled by default. To enable synchronization, enter:
$ sudo vi /etc/denyhosts.conf
Set config option as follows:
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 |
Save and close the file. Type the following command on Ubuntu Linux 16.04 LTS or newer to restart the service:
$ sudo systemctl restart denyhosts.service
For older Ubuntu / Debian Linux / Non-systemd based system, type the following command to restart the service:
$ sudo /etc/init.d/denyhosts restart
How do I start denyhosts service?
Type the following command on Ubuntu Linux 16.04 LTS or newer to start the service:
$ sudo systemctl start denyhosts.service
For older Ubuntu / Debian Linux / Non-systemd based system, type the following command to start the service:
$ sudo /etc/init.d/denyhosts start
How do I stop denyhosts service?
Type the following command on Ubuntu Linux 16.04 LTS or newer to stop the service:
$ sudo systemctl stop denyhosts.service
For older Ubuntu / Debian Linux / Non-systemd based system, type the following command to stop the service:
$ sudo /etc/init.d/denyhosts stop
Other suggestions to secure OpenSSH server
- Disable root login
- Disable password based login
- Use ssh-keybased login
- See “Top 20 OpenSSH Server Best Security Practices” for more information.
For more information see denyhosts project home page.
6 comment
I use fail2ban – are there any advantages of using denyhosts?
Good point…
Why not use CSF? It’s a complete solution and works for everything, not just SSH
I like to install ConfigServer Security & Firewall (csf)
https://configserver.com/cp/csf.html
I use fail2ban – does the job well. Looks to me it is more easy and straight-forward than denyhosts.
Agree on fail2ban, and I am not keen on the denyhosts solution of dynamically changing contents under /etc.