Prevent SSH Attacks Using DenyHosts

Introduction

If you have any servers running SSH and listening on a public network connection, it's a good idea to protect against dictionary attacks, since they are the simplest way to gain entry. You can get an idea of who is connecting or attempting to connect by viewing your SSH log, which is located at /var/log/secure on Red Hat or /var/log/auth.log on Debian.

There is an easy tool you can install to deal with this attack called DenyHosts. It monitors these log files and, if it finds a potential attacker based on your threshold of failed logins, adds them to the /etc/hosts.deny file to prevent them from brute-forcing your system.

Getting DenyHosts

DenyHosts can be downloaded from SourceForge

We’ll grab the tarball

$ wget http://internap.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz

Extract and install

$ tar xzvf DenyHosts-2.6.tar.gz
$ cd DenyHosts-2.6
$ sudo python setup.py install

This installs it into /usr/share/denyhosts so we’ll change directory

$ cd /usr/share/denyhosts

Copy the default config

$ sudo cp denyhosts.cfg-dist denyhosts.cfg

We need to set a few values in this file. The defaults are for Red Hat; on Debian these two settings should look like this

SECURE_LOG = /var/log/auth.log
LOCK_FILE = /var/run/denyhosts.pid

You may also want to set the DENY_THRESHOLD_INVALID and DENY_THRESHOLD_VALID values, which control the number of failed login attempts tolerated for non-existent and existing user accounts respectively.
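As an added illustration, not code from DenyHosts itself, the following Python sketch shows the core of what the daemon does with those two thresholds: count failed sshd logins per source address in auth.log, keeping non-existent and existing user names apart, and produce the entries it would append to /etc/hosts.deny. The log lines are constructed and the threshold values are demo choices, not the shipped defaults.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines in the /var/log/auth.log format.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:09 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:11 web1 sshd[2110]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:15 web1 sshd[2110]: Failed password for root from 198.51.100.7 port 40023 ssh2
Mar  3 10:03:00 web1 sshd[2120]: Accepted publickey for deploy from 192.0.2.10 port 5000 ssh2
Mar  3 10:03:30 web1 sshd[2125]: Failed password for deploy from 192.0.2.10 port 5002 ssh2
"""

# Mirror the two denyhosts.cfg settings discussed above (demo values).
DENY_THRESHOLD_INVALID = 3   # failures for user names that do not exist
DENY_THRESHOLD_VALID = 5     # failures for real accounts (root, deploy, ...)

# OpenSSH reports unknown accounts as "invalid user <name>"; real ones by name only.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def count_failures(log_text):
    """Return {ip: {"invalid": n, "valid": n}} from sshd log lines."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        kind = "invalid" if m.group("invalid") else "valid"
        counts[m.group("ip")][kind] += 1
    return counts

def hosts_to_deny(counts, thr_invalid=DENY_THRESHOLD_INVALID,
                  thr_valid=DENY_THRESHOLD_VALID):
    """Hosts whose failures reach either threshold, as /etc/hosts.deny entries."""
    denied = []
    for ip in sorted(counts):
        c = counts[ip]
        if c["invalid"] >= thr_invalid or c["valid"] >= thr_valid:
            denied.append(f"sshd: {ip}")  # DenyHosts' default BLOCK_SERVICE is sshd
    return denied

if __name__ == "__main__":
    for entry in hosts_to_deny(count_failures(SAMPLE_LOG)):
        print(entry)
```

With these sample lines only 203.0.113.5 crosses a threshold; the host guessing root's password twice stays under DENY_THRESHOLD_VALID, which is why that value is usually kept higher than the invalid-user one.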

Now we need to set up the script that controls the daemon that does the work. There is a default one available, so we can copy that

$ sudo cp daemon-control-dist daemon-control

There is only one value to change here on Debian

DENYHOSTS_LOCK = "/var/run/denyhosts.pid"

Now symlink the control script into the init scripts directory and register it to start on boot

$ sudo ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
$ sudo update-rc.d denyhosts defaults

Finally start it up for the first time

$ sudo /etc/init.d/denyhosts start

If you haven't changed the default log location, you can find the logs in /var/log/denyhosts if you want to see what it's doing.

Conclusion

We've pretty quickly set up a tool to defend against brute force attacks. It's easy to configure and also supports email, SMTP, and syslog notifications. This is a tool everyone should install on any server that has SSH listening on the Internet.