DenyHosts
References
- See Documentation: http://denyhosts.sourceforge.net/
FAQ and Issues
What is DenyHosts? DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
Config File and Script Notes
Note: Please upload any changes to the config files you wish to share to this TWIKI!
- /var/lib/denyhosts/allowed-hosts is a network White-list
- Note: You cannot specify CLASS C network - so 129.97.* does not work but 129.97.7.* does
- Networks: run the command ifconfig | grep "inet addr" to list your networks
- There are some common private networks already defined in allowed-hosts
- /etc/denyhosts.conf is the master denyhosts config file
- SMTP_FROM - specifies the from address when sending reports
- SMPT_SUBJECT - is the subject header of a report - please add the host name
- ADMIN_EMAIL - admin address to sean email to
- * send_denyhosts is a script on cscf that will update a number of hosts - see usage example below
Install
ASSUMES Ubuntu/Debian
- apt-get install denyhosts
- Customize Configuration
- replace /etc/denyhosts.conf with denyhosts.conf
- change email address in SMTP_FROM =
- Optionally add UW address white lists
- /var/lib/denyhosts/allowed-hosts using file allowed-hosts
- replace /etc/denyhosts.conf with denyhosts.conf
- service denyhosts restart
Script install
ASSUMES Ubuntu/Debian
Note: Change the email address to suite your system
#/bin/bash # # Install and configure denyhosts # EMAIL is Point of contact From address # - it only helps to "encode" who is responsible for the machine in any reports to root # denyhosts reports still goes to root # Unless either of # 1 - /etc/aliases forwards root # - or - # 2 /etc/denyhosts.conf "ADMIN_EMAIL =" is changed # Otherwise EMAIL=cs-rsg@cs.uwaterloo.ca #install denyhosts apt-get install denyhosts ALLOWED=/var/lib/denyhosts/allowed-hosts DENYCONF=/etc/denyhosts.conf DENYTMP=/tmp/$$.denyhosts.conf HOST=`hostname` # Clean up old files rm -f $DENYTMP $ALLOWED wget -nH -nd https://www.cs.uwaterloo.ca/twiki/pub/CF/DenyHosts/allowed-hosts -O $ALLOWED wget -nH -nd https://www.cs.uwaterloo.ca/twiki/pub/CF/DenyHosts/denyhosts.conf -O $DENYTMP # Edit denyhosts.conf file to customize report to include the hostname in the report cat $DENYTMP | \ sed -e "s/^SMTP_FROM.*$/SMTP_FROM = DenyHosts <$EMAIL>/" | sed -e "s/^SMTP_SUBJECT.*$/SMTP_SUBJECT = $HOST DenyHosts Report/" >$DENYCONF #Debug: list the changes echo =============================================== echo DenyHosts Changes to $HOST egrep '^SMTP_[FS]|^ADMIN_EMAIL' $DENYCONF echo /etc/aliases root entry grep "^root" /etc/aliases echo =============================================== rm -f $DENYTMP #restart the service service denyhosts restart
Administrative Batch install of Denyhosts from cscf.cs
ASSUMES Ubuntu/Debian TARGETS!!!
- ssh cscf.cs
- suw
- cd /u1/magore/denyhosts
- vi send_denyhosts - updating the LIST= line with your hosts and email contacts
- ./send_denyhosts
Manual DenyHosts Redhat Install
- yum install denyhosts
- cd /etc
- mv denyhosts.conf denyhosts.conf.orig
- wget -nH -nd --no-check-certificate https://www.cs.uwaterloo.ca/twiki/pub/CF/DenyHosts/denyhosts.conf
- vi /etc/denyhosts.conf - make these changes
SECURE_LOG = /var/log/secure SMTP_FROM = DenyHosts <cs-rsg@cs.uwaterloo.ca> SMTP_SUBJECT = gamay-admin.cs DenyHosts Report
- cd /var/lib/denyhosts
- mv allowed-hosts allowed-hosts.orig
- wget -nH -nd --no-check-certificate https://www.cs.uwaterloo.ca/twiki/pub/CF/DenyHosts/allowed-hosts
- /etc/init.d/denyhosts start
Removing IP addresses that DenyHosts blocked
If DenyHosts has added an IP to /etc/hosts.deny removing it from /etc/hosts.deny does not in itself correct the issue since DenyHosts keeps track of the attempts in the WORK_DIR files (/var/lib/denyhosts in Ubuntu) . In order to cleanse the address you will need to do the following:
- Stop DenyHosts
- Remove the IP address from /etc/hosts.deny
- Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.
- Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.
- Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.
- Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.
- Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file.
- (optional) Consider adding the IP address to WORK_DIR/allowed-hosts
- Start DenyHosts
| I | Attachment | History | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|---|
 ext |
allowed-hosts | r2 r1 | manage | 0.6 K | 2011-12-15 - 10:23 | MikeGore | |
| conf |
denyhosts.conf | r1 | manage | 20.4 K | 2011-12-12 - 16:52 | MikeGore | |
| ext |
send_denyhosts | r1 | manage | 2.7 K | 2011-12-15 - 10:48 | MikeGore |
Topic revision: r7 - 2013-09-05 - RonaldoGarcia
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.
- CF Web
- CF Web Home
- Changes
- Index
- Search
- Administration
- Communication
- Hardware
- HelpDeskGuide
- Infrastructure
- InternalProjects
- Linux
- MachineNotes
- Macintosh
- Management
- Networking
- Printing
- Research
- Security
- Software
- Solaris
- StaffStuff
- TaskGroups
- TermGoals
- Teaching
- UserSupport
- Vendors
- Windows
- XHier
- Other Webs
- My links
 |
|
Copyright © 2008-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback