DenyHosts

References

Excerpt:
What is DenyHosts?
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server 
attacks (also known as dictionary based attacks and brute force attacks). 

Config File and Script Notes

Note: Please upload any changes to the config files you wish to share to this TWIKI!

  • /var/lib/denyhosts/allowed-hosts is a network White-list
    • Note: You cannot specify CLASS C network - so 129.97.* does not work but 129.97.7.* does
    • Networks: run the command ifconfig | grep "inet addr" to list your networks
      • There are some common private networks already defined in allowed-hosts
  • /etc/denyhosts.conf is the master denyhosts config file
    • SMTP_FROM - specifies the from address when sending reports
    • SMTP_SUBJECT - is the subject header of a report - please add the host name
    • ADMIN_EMAIL - admin address to send email to
  • send_denyhosts is a script on cscf that will update a number of hosts - see usage example below

Install

ASSUMES Ubuntu/Debian

  • apt-get install denyhosts
  • Customize Configuration
    • replace /etc/denyhosts.conf with denyhosts.conf
      • change email address in SMTP_FROM =
    • Optionally add UW address white lists
  • service denyhosts restart

Script install

ASSUMES Ubuntu/Debian
Note: Change the email address to suit your system

#!/bin/bash
#
# Install and configure denyhosts

# EMAIL is Point of contact From address
#    - it only helps to "encode" who is responsible for the machine in any reports to root
# denyhosts reports still go to root
# Unless either of
#   1 - /etc/aliases forwards root
# - or -
#   2  /etc/denyhosts.conf "ADMIN_EMAIL =" is changed

# Otherwise
EMAIL=cs-rsg@cs.uwaterloo.ca

#install denyhosts
apt-get install denyhosts

ALLOWED=/var/lib/denyhosts/allowed-hosts
DENYCONF=/etc/denyhosts.conf
# This runs as root: use mktemp rather than a predictable /tmp/$$ name
DENYTMP=$(mktemp) || exit 1
trap 'rm -f "$DENYTMP"' EXIT
HOST=$(hostname)

# Fetch the shared files (wget -O overwrites any old copy).
# Stop if a download fails so a partial config is never installed.
wget -nH -nd https://www.cs.uwaterloo.ca/twiki/pub/CF/DenyHosts/allowed-hosts -O "$ALLOWED" || exit 1
wget -nH -nd https://www.cs.uwaterloo.ca/twiki/pub/CF/DenyHosts/denyhosts.conf -O "$DENYTMP" || exit 1

# Edit denyhosts.conf file to customize report to include the hostname in the report
sed -e "s/^SMTP_FROM.*$/SMTP_FROM = DenyHosts <$EMAIL>/" \
    -e "s/^SMTP_SUBJECT.*$/SMTP_SUBJECT = $HOST DenyHosts Report/" "$DENYTMP" >"$DENYCONF"

#Debug: list the changes
echo ===============================================
echo DenyHosts Changes to $HOST
grep -E '^SMTP_[FS]|^ADMIN_EMAIL' "$DENYCONF"
echo /etc/aliases root entry
grep "^root" /etc/aliases
echo ===============================================

rm -f $DENYTMP

#restart the service
service denyhosts restart

Administrative Batch install of Denyhosts from cscf.cs

ASSUMES Ubuntu/Debian TARGETS!!!

  • ssh cscf.cs
  • suw
  • cd /u1/magore/denyhosts
  • vi send_denyhosts - updating the LIST= line with your hosts and email contacts
  • ./send_denyhosts

Manual DenyHosts Redhat Install

   SECURE_LOG = /var/log/secure
   SMTP_FROM = DenyHosts <cs-rsg@cs.uwaterloo.ca>
   SMTP_SUBJECT = gamay-admin.cs DenyHosts Report

Removing IP addresses that DenyHosts blocked


If DenyHosts has added an IP to /etc/hosts.deny, removing it from /etc/hosts.deny does not in itself correct the issue, since DenyHosts keeps track of the attempts in the WORK_DIR files (/var/lib/denyhosts in Ubuntu). To clear the address you will need to do the following:

  • Stop DenyHosts
  • Remove the IP address from /etc/hosts.deny
  • Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.
  • Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.
  • Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.
  • Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.
  • Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file.
  • (optional) Consider adding the IP address to WORK_DIR/allowed-hosts
  • Start DenyHosts
Note: Not all of the WORK_DIR files will contain the IP address so you may want to use grep to determine which files contain the IP address
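
The steps above as a script. This is an added example, not part of the original page or of DenyHosts itself. The function name purge_ip is hypothetical, it handles IPv4 addresses only, and it matches the address as a whole token so that removing 10.0.0.1 leaves 10.0.0.12 alone.

```shell
#!/bin/sh
# Added example (not from the original page): purge one IPv4 address from
# hosts.deny and the DenyHosts WORK_DIR files listed in the steps above.
# Defaults are the Ubuntu paths this page names; override via the environment.
WORK_DIR=${WORK_DIR:-/var/lib/denyhosts}
HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}

# purge_ip IP: drop every line holding IP as a whole address.
# Prints how many files were changed; exit status 2 for a malformed address.
# The body is a subshell, so its variables do not leak into the caller.
purge_ip() (
    ip=$1
    changed=0
    # Accept only a dotted quad, so the value is safe to embed in a regex
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || exit 2
    # Make the dots literal and require a non-address character on each side,
    # so 10.0.0.1 does not also remove 10.0.0.12 or 110.0.0.1
    re="(^|[^0-9.])$(printf '%s' "$ip" | sed 's/\./[.]/g')([^0-9.]|\$)"
    for f in "$HOSTS_DENY" "$WORK_DIR/hosts" "$WORK_DIR/hosts-restricted" \
             "$WORK_DIR/hosts-root" "$WORK_DIR/hosts-valid" "$WORK_DIR/user-hosts"
    do
        [ -f "$f" ] || continue
        grep -Eq "$re" "$f" || continue      # not every file holds the address
        tmp=$(mktemp "$f.XXXXXX") || exit 1
        # grep -v exits 1 when every line matched; only a real error aborts
        grep -Ev "$re" "$f" >"$tmp" || [ "$?" -eq 1 ] || exit 1
        # Rewrite in place so the file keeps its owner and mode
        cat "$tmp" >"$f" && rm -f "$tmp" || exit 1
        changed=$((changed + 1))
    done
    echo "$changed"
)

# Usage (as root): sh unblock.sh <ip>
if [ "$#" -ge 1 ]; then
    service denyhosts stop
    purge_ip "$1"
    service denyhosts start
fi
```

Adding the address to WORK_DIR/allowed-hosts remains a separate, optional step.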

Topic attachments

  • allowed-hosts - 0.6 K, 2011-12-15 10:23, MikeGore
  • denyhosts.conf - 20.4 K, 2011-12-12 16:52, MikeGore
  • send_denyhosts - 2.7 K, 2011-12-15 10:48, MikeGore

Topic revision: r7 - 2013-09-05 - RonaldoGarcia
 