Sunday, November 10, 2013

Linux service security - Deny Hosts

DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
DenyHosts checks the end of the authentication log for recent failed login attempts. It records information about their originating IP addresses and compares the number of invalid attempts to a user-specified threshold. If there have been too many invalid attempts it assumes a dictionary attack is occurring and prevents the IP address from making any further attempts by adding it to /etc/hosts.deny on the server.

To install and configure DenyHosts we should use the EPEL repository. A single yum command does the job:

yum --enablerepo=epel install denyhosts


After a successful installation we should take a first look at the configuration file to allow certain trusted IP addresses to log into the server console.

nano /etc/hosts.allow


I have added a Local Area Network IP address to have access to the SSH service. All other IP addresses are blocked by default from logging into the SSH server.
Optionally, an IT admin can use the /etc/denyhosts.conf file to create email alerts if a user tries to log on to the server from a different IP address.


To apply the settings we should now restart the denyhosts service and add it as a startup script.

chkconfig denyhosts on
service denyhosts start

To see the logs of attempted and failed logins, or of a simulated attack, we should tail the log file:

tail -f /var/log/secure


We see that we have an Accepted password from the IP address that we allowed.
If you have a list of static IP addresses that you want to whitelist permanently, open the /var/lib/denyhosts/allowed-hosts file. Any IP address included in this file will not be banned.
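To make the counting step described above concrete, here is an added example (not part of the original post and not DenyHosts' own code) that reproduces it in plain shell and awk: it reads sshd "Failed password" lines in the /var/log/secure format, tallies failures per source IP, skips IPs listed in an allowed-hosts style whitelist, and prints the remaining offenders in the "sshd: IP" form used in /etc/hosts.deny. The log lines, the whitelist and the threshold of 3 are constructed for the example; DenyHosts itself takes its thresholds from /etc/denyhosts.conf.

```shell
#!/bin/sh
# Added example: a minimal, offline re-creation of the per-IP failure count
# that DenyHosts performs on /var/log/secure. Not DenyHosts' own code.

# Constructed sample of sshd lines in the /var/log/secure format.
SAMPLE_LOG='Nov 10 10:01:02 host sshd[2001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Nov 10 10:01:04 host sshd[2001]: Failed password for root from 203.0.113.5 port 51001 ssh2
Nov 10 10:01:06 host sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Nov 10 10:02:00 host sshd[2010]: Failed password for bob from 192.168.1.20 port 40000 ssh2
Nov 10 10:02:05 host sshd[2010]: Failed password for bob from 192.168.1.20 port 40001 ssh2
Nov 10 10:02:10 host sshd[2010]: Failed password for bob from 192.168.1.20 port 40002 ssh2
Nov 10 10:02:30 host sshd[2011]: Accepted password for bob from 192.168.1.20 port 40003 ssh2
Nov 10 10:03:00 host sshd[2012]: Failed password for invalid user test from 198.51.100.7 port 33000 ssh2
Nov 10 10:03:01 host sshd[2012]: Failed password for invalid user test from 198.51.100.7 port 33001 ssh2'

# Constructed whitelist, one IP per line, like /var/lib/denyhosts/allowed-hosts.
ALLOWED_HOSTS='192.168.1.20'

# count_failures LOG: print "ip count" for every IP with Failed password lines,
# sorted by IP so the output is stable.
count_failures() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print ip, n[ip] }' | sort
}

# hosts_deny_entries LOG THRESHOLD WHITELIST: IPs at or above THRESHOLD that
# are not whitelisted, in the "sshd: IP" form DenyHosts writes to hosts.deny.
hosts_deny_entries() {
    log="$1"; threshold="$2"
    # flatten the one-per-line whitelist into a space separated list for awk
    wl=$(printf '%s\n' "$3" | tr '\n' ' ')
    count_failures "$log" |
    awk -v t="$threshold" -v allowed="$wl" '
        BEGIN { n = split(allowed, a, " "); for (k = 1; k <= n; k++) if (a[k] != "") wl[a[k]] = 1 }
        $2 >= t && !($1 in wl) { print "sshd: " $1 }'
}

# Run against the constructed sample: only 203.0.113.5 reaches 3 failures
# without being whitelisted, so it is the single entry printed.
hosts_deny_entries "$SAMPLE_LOG" 3 "$ALLOWED_HOSTS"
```

The whitelisted 192.168.1.20 also reaches three failures in the sample, which is exactly the case the allowed-hosts file exists for: a trusted admin who mistypes a password should not lock themselves out. Lowering the threshold or emptying the whitelist changes which addresses appear, so both are worth tuning against your own log before trusting the tool in production.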

Feel free to comment.
