7.15. Using DenyHosts to Foil SSH Attacks

Problem

The Internet is full of twits who have nothing better to do than to release automated SSH attacks on the world. You have taken all the sensible security precautions, and feel like your security measures are adequate, but your logfiles are overflowing with this junk. Isn't there some way to head these morons off at the pass?

Solution

Indeed, yes. The excellent DenyHosts utility will take care of you. DenyHosts parses your auth log, and writes entries to /etc/hosts.deny to block future intrusion attempts.

DenyHosts is a Python script, so you need Python 2.3 or newer. Find your Python version this way:

	$ python -V
	Python 2.4.2

DenyHosts can be installed with Aptitude or Yum. To install from sources, simply unpack the tarball in the directory where you want to store DenyHosts. This comes with denyhosts.cfg.dist, which is a model configuration file. Edit it, then save it as /etc/denyhosts.conf. (See Recipe 7.16 to learn how to configure a startup script.)

Next, create a whitelist in /etc/hosts.allow; in other words, add all the important hosts that you never want blocked.

This sample configuration is moderately stern. Make sure the filepaths are correct for your system:

	WORK_DIR = /var/denyhosts/data
	SECURE_LOG = /var/log/auth.log
	HOSTS_DENY = /etc/hosts.deny
	BLOCK_SERVICE = sshd
	DENY_THRESHOLD_INVALID = 3
	DENY_THRESHOLD_VALID = 5
	DENY_THRESHOLD_ROOT = 1
	LOCK_FILE = /tmp/denyhosts.lock
	HOSTNAME_LOOKUP=NO
	SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
	AGE_RESET_VALID=1d
	AGE_RESET_ROOT=25d
	AGE_RESET_INVALID=
	DAEMON_PURGE = 1h
	DAEMON_SLEEP = 30s
	DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
	ADMIN_EMAIL = carla@kielbasa.net

The default configuration file tells you the required options, optional settings, and other useful information.

Discussion

DenyHosts can be run manually, as a cron job, or as a daemon. I prefer daemon mode—set it and forget it. To run it manually for testing, simply run the DenyHosts script:

	# python denyhosts.py

Read the denyhosts.py script to see the available command options.

This is what the options mean:

BLOCK_SERVICE=sshd

You may use DenyHosts to protect SSH, or all services with BLOCK_SERVICE = ALL.

DENY_THRESHOLD_INVALID=2

Login attempts on nonexistent accounts get two chances before they are blocked. Because the accounts do not exist, blocking them won't hurt anything.

DENY_THRESHOLD_VALID=5

Login attempts on legitimate accounts get five chances. Adjust as needed for fatfingered users.

DENY_THRESHOLD_ROOT=1

Root logins get one chance. You should log in as an unprivileged user anyway, then su or sudo if you need rootly powers.

HOSTNAME_LOOKUP=Yes

DenyHosts will look up hostnames of blocked IP addresses. This can be disabled if it slows things down too much with HOSTNAME_LOOKUP = NO.

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS

Set this to YES, then monitor your DenyHosts reports to see if this is useful. It tattles about suspicious behavior perpetrated by hosts in /etc/hosts.allow, which may or may not be useful.

AGE_RESET_VALID=1d

Allowed users are unblocked after one day, if they went all fat-fingered and got locked out.

AGE_RESET_INVALID=

Invalid blocked users are never unblocked.

DAEMON_PURGE=3d

Delete all blocked addresses after three days. Your /etc/hosts.deny file can grow very large, so old entries should be purged periodically.

DAEMON_SLEEP=5m

How often should the DenyHosts daemon run? It's a low-stress script, so running it a lot shouldn't affect system performance. Adjust this to suit your situation—if you are getting hammered, you can step up the frequency.

Time values look like this:

s: seconds

m: minutes

h: hours

d: days

w: weeks

y: years

See Also

• The DenyHosts FAQ: http://denyhosts.sourceforge.net/faq.html