    Restricting SSH Access Attempts Using DenyHosts

    Published November 25th, 2008

    Problem Statement

    The real problem in the world is that there are too many people with too much free time. These wanna-be hackers often download scripts and ready-made software to scan servers all around the globe, looking for one that is poorly maintained so they can get in and deface Web pages or steal information. SSH is a great improvement over telnet-based remote access, but it is also typically set up using username/password authentication. So if your password is weak, SSH has no benefit. A weak password in combination with a default SSH server is like going out of your way to invite trouble. In this article we will show you how you can secure SSH and automatically ban access attempts from people who have either forgotten their password or who should never have connected to your SSH server in the first place.

    Time Estimate (30 ~ 60 min)
    We estimate that the entire process to get DenyHosts installed, and tested might take half an hour to an hour.

    Securing SSH by Running on a Non-Standard Port

    We covered this topic in another article, Running SSH on a Non-standard Port (http://centoshacker.com/admin/ssh/running-ssh-on-a-non-standard-port.html). Read and implement it as recommended so that your SSH server is not on the default port 22.

    Deny the Idiot Users and/or Wanna-be Hackers and Script Kiddies

    DenyHosts is a Python script that runs as a daemon and monitors SSH login attempts on your server by watching /var/log/secure. After n invalid attempts against non-existent user accounts from a potential intruder, it locks out the source IP address by placing it in /etc/hosts.deny, which the SSH server checks every time a connection attempt is made. This means that after n invalid attempts to access non-existent user accounts, the intruder has to change IP address to resume attacking your server. This is at the very least an annoyance, and most likely a good enough deterrent that the idiot moves on and looks for another potential victim server.

    Download the source distribution from:
    http://www.denyhosts.net/

    Step 1: Installing DenyHosts

    Once you have downloaded the source and extracted it in /usr/local/src, do the following from the newly created DenyHosts-<version> directory:

    • Run: python setup.py install to install the package

    • Change directory to /usr/share/denyhosts
    • Run: cp denyhosts.cfg-dist denyhosts.cfg to copy the sample configuration into a new configuration file that you can edit
    • The sample configuration has comments that you can follow to make any applicable changes if needed. Here is the list of options (shown without the comments) that you can configure:

      SECURE_LOG = /var/log/secure
      HOSTS_DENY = /etc/hosts.deny
      PURGE_DENY =
      BLOCK_SERVICE  = sshd
      DENY_THRESHOLD_INVALID = 5
      DENY_THRESHOLD_VALID = 10
      DENY_THRESHOLD_ROOT = 1
      DENY_THRESHOLD_RESTRICTED = 1
      WORK_DIR = /usr/share/denyhosts/data
      SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
      HOSTNAME_LOOKUP=YES
      LOCK_FILE = /var/lock/subsys/denyhosts
      ADMIN_EMAIL =
      SMTP_HOST = localhost
      SMTP_PORT = 25
      SMTP_FROM = DenyHosts
      SMTP_SUBJECT = DenyHosts Report
      AGE_RESET_VALID=5d
      AGE_RESET_ROOT=25d
      AGE_RESET_RESTRICTED=25d
      AGE_RESET_INVALID=10d
      DAEMON_LOG = /var/log/denyhosts
      DAEMON_SLEEP = 30s
      DAEMON_PURGE = 1h
    • By default, DenyHosts will block access to the ssh service by placing an entry sshd: <bad ip address> in the /etc/hosts.deny file. However, if you would like to block all the xinetd services that check /etc/hosts.deny, then set BLOCK_SERVICE = ALL
    • By default, DENY_THRESHOLD_INVALID is set to 5, which means that after five invalid attempts using a wrong password, the intruder will be locked out because DenyHosts will add the intruder's IP address to the /etc/hosts.deny file
    • By default, DENY_THRESHOLD_ROOT is set to 1, which means that after one invalid attempt to log in as the root user, DenyHosts will disable the IP address. However, we highly recommend that you completely disable root login via SSH. See Stop root Login via SSH Immediately!
    • To receive email from DenyHosts, set the ADMIN_EMAIL field to your email address. You will also have to set SMTP_HOST and SMTP_PORT to appropriate values unless the defaults (which assume that you are running an SMTP mail server on localhost) work for you. If your SMTP server requires a username and password, you will also have to uncomment and set SMTP_USERNAME and SMTP_PASSWORD to appropriate values. You should also review SMTP_FROM to make sure that the email address used as the From header in the email sent by DenyHosts is OK. You might have to whitelist this email address in your anti-spam program/appliance, etc. Similarly, review the SMTP_SUBJECT field's default value to meet your needs
    • Now copy the sample daemon control file in /usr/share/denyhosts using cp daemon-control-dist daemon-control. You can review the daemon-control file but most likely it will work as-is
    • To start DenyHosts automatically at server startup/reboot, create a symbolic link as follows:
      ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
    • Now add the denyhosts service to your current runlevel using chkconfig --add denyhosts

    Step 2: Starting DenyHosts for the First Time

    To start DenyHosts, run service denyhosts start and you should see something similar to the following:

    starting DenyHosts:
    /usr/bin/env python /usr/bin/denyhosts.py --daemon \
                                              --config=/usr/share/denyhosts/denyhosts.cfg

    To ensure that it is running, run ps x | grep denyhosts and you should see something similar to the following:

    28788 ? S 0:00 python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg

    If you see a running denyhosts script that has been started using python you are all set!

    Step 3: Excluding Known IP Addresses from Getting Denied

    If you have users who forget their SSH username a lot and they access your SSH server from known static IP addresses, you can exclude these IP addresses from DenyHosts' radar. Here is how:

    • Create a text file called /usr/share/denyhosts/data/allowed-hosts where each line represents a full IP address or a network address or a range of IP addresses. For example:
      # Your static IP
      130.86.1.1
      
      # Your other servers on the LAN that connects to your SSH server
      192.168.1.[1-254]
    • Once you have created this file, restart DenyHosts using service denyhosts restart

    Now if any of the users at the IP addresses listed in the allowed-hosts file ever misspell their username multiple times, they won't call you, because DenyHosts will forgive them for good. This might not be a good practice, since you want your users to really know what they are doing, and perhaps you DO want them to get locked out when they forget their username. How much can you take? Never mind.
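    To make the two rules described above concrete (the per-IP threshold counting from the "Deny the Idiot Users" section and the allowed-hosts exclusion from Step 3), here is an added Python sketch; it is not DenyHosts' own code. It assumes constructed /var/log/secure-style lines and a constructed allowed-hosts file, and only handles the exact-IP and a.b.c.[lo-hi] forms shown in the sample file.

```python
import re
from collections import Counter

# Constructed /var/log/secure-style lines (not a real capture)
def invalid_line(user, ip):
    return "Nov 25 14:55:01 web1 sshd[2201]: Invalid user %s from %s" % (user, ip)

SECURE_LOG = "\n".join(
    [invalid_line(u, "100.200.1.2") for u in ("admin", "oracle", "test", "guest", "backup")]
    + [invalid_line("bob%d" % i, "192.168.1.20") for i in range(5)]
    + ["Nov 25 14:57:10 web1 sshd[2240]: Failed password for root from 10.9.8.7 port 40122 ssh2",
       invalid_line("admin", "203.0.113.9")])

# Constructed allowed-hosts file, in the format shown in Step 3
ALLOWED_HOSTS = "# Your static IP\n130.86.1.1\n\n# LAN servers\n192.168.1.[1-254]\n"

INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)")
ROOT_RE = re.compile(r"sshd\[\d+\]: Failed password for root from (\d+\.\d+\.\d+\.\d+)")

def is_allowed(ip, allowed_text):
    """True if ip matches an allowed-hosts line: an exact address or an a.b.c.[lo-hi] last-octet range."""
    prefix, last = ip.rsplit(".", 1)
    for line in allowed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments, as in the sample file
        m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]", line)
        if m and prefix == m.group(1) and int(m.group(2)) <= int(last) <= int(m.group(3)):
            return True
        if line == ip:
            return True
    return False

def denied_hosts(log_text, allowed_text, threshold_invalid=5, threshold_root=1):
    """Count failures per source IP and apply DENY_THRESHOLD_INVALID / DENY_THRESHOLD_ROOT."""
    invalid, root = Counter(), Counter()
    for line in log_text.splitlines():
        if m := INVALID_RE.search(line):
            invalid[m.group(1)] += 1
        elif m := ROOT_RE.search(line):
            root[m.group(1)] += 1
    over = {ip for ip, n in invalid.items() if n >= threshold_invalid}
    over |= {ip for ip, n in root.items() if n >= threshold_root}
    # Hosts listed in allowed-hosts are never written to hosts.deny
    return sorted(ip for ip in over if not is_allowed(ip, allowed_text))

def hosts_deny_lines(ips, service="sshd"):
    """Entries in the form DenyHosts appends to /etc/hosts.deny (BLOCK_SERVICE = sshd)."""
    return ["%s: %s" % (service, ip) for ip in ips]
```

    With the sample input, 192.168.1.20 crosses the invalid threshold but is forgiven because it falls inside 192.168.1.[1-254], while the single root failure from 10.9.8.7 is enough on its own.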

    Step 4: Testing Your DenyHosts Setup

    To test your denyhosts setup, do the following:

    • From a host that is NOT included in your /usr/share/denyhosts/data/allowed-hosts file, attempt to make an SSH connection to your SSH server using an invalid username
    • You should be able to retry DENY_THRESHOLD_INVALID (5) times by default
    • Simultaneously, you want to set up a tail -f /var/log/denyhosts session to observe how denyhosts is behaving after the maximum threshold has been reached. You will see that denyhosts has created a log entry such as:
      2008-11-25 14:56:08,705 - denyhosts   : INFO     new denied hosts: ['100.200.1.2']
    • This shows that denyhosts has blocked this IP from accessing the server via SSH. You can also verify that this IP is now listed in /etc/hosts.deny file

    To test whether an allowed IP address can make username mistakes, just add the IP address to the /usr/share/denyhosts/data/allowed-hosts file and try to access the SSH server using an invalid username and/or password. You will be allowed to try as much as you like.

    Step 5: Using Centralized DenyHosts Knowledge base

    denyhosts.net provides a free global synchronization of attack data. The benefits are:

    • You receive IP addresses that have been already considered bad by other hosts elsewhere in the world. This way, you get to ban the bad IP addresses before they attack your server
    • Your bad IP addresses are contributed to the global pool of bad IP addresses so that someone else’s server can ban the IP before any attempt is made to access such a server

    To enable this service, edit the /usr/share/denyhosts/denyhosts.cfg file as follows:

    • Uncomment SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 to allow DenyHosts to send and receive synchronization data from the denyhosts.net service
    • Uncomment SYNC_INTERVAL = 1h so that your DenyHosts daemon can contact denyhosts.net every hour
    • If you wish to upload your bad IP list, uncomment and set SYNC_UPLOAD = yes
    • If you wish to download bad IP list from denyhosts.net, uncomment and set SYNC_DOWNLOAD = yes

    2 Comments

    1. xlodx on May 25, 2009

      Thank u !! Great Tutorial !!
