Hi all,
I have recently installed denyhosts to help guard against brute-force SSH attacks on my Fedora 12 server from the Fedora repositories. If I manually start denyhosts (as root) using:
/usr/sbin/denyhosts.py --daemon
How to configure sudoers to prevent the "Sorry, user ****** is not allowed to execute" error message.
Background
For the purpose of testing how a Python script runs under a less privileged user and group daemon account, there is a need to run:
$ sudo -u _denyhosts -g _denyhosts python /usr/local/bin/denyhosts.py -c /usr/share/denyhosts/denyhosts.cfg -n --purge --sync --verbose
The result is:
I have been trying to set up my MacOS X Server, which I recently upgraded to Mountain Lion, to use denyhosts as I need to open port 22 to it. denyhosts is set up and adds entries to /etc/hosts.deny, so I decided to add my laptop's IP to it in order to verify that it actually works, but I can still log in and my IP shows up in /private/var/log/system.log.
My IP is blocked by DenyHosts but I followed the tutorial at http://denyhosts.sourceforge.net/faq.html#3_7 and in my allowed-hosts file I've the ip block XX.XX... How can I avoid my IP being blocked by DenyHosts again? Why didn't the allowed-hosts rule work?
I am using denyhosts on a server
so in a config file
/etc/denyhosts.conf
the following value is set
Quote:
DENY_THRESHOLD_INVALID = 3
which as per their configuration file says
Quote:
DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value.
I would like to block some hosts that are brute forcing my SMTP server.
I'm currently using DenyHosts for SSHD and was wondering if I can add the SMTP service too.
It could be possible based on this http://www.mail-archive.com/denyhosts-user@lists.sourceforge.net/msg0083...
Currently in my auth.log I get:
Jan 3 17:58:40 servername saslauthd[10729]: pam_unix(smtp:auth): check pass; user unk
I don't think I've posted this question before. A search of the forum comes up with similar posts but not this specific question, so here goes.
My server is/was running denyhosts. There were no issues with it until yesterday.
I recently installed DenyHosts and after a few remote logins I noticed that sshd: 8.23.224.110 had been added to the host.deny file after /var/log/auth.log showed a few sshd: Did not receive identification string from 8.23.224.110. This appears to be no-ip.com.
I've been using denyhosts for a while and I noticed my /etc/hosts.deny is getting rather large. Denyhosts adds IPs to /etc/hosts.deny, and my denyhosts is configured to never purge IPs.
$ wc -l /etc/hosts.deny
22149 /etc/hosts.deny
Might this become a problem? I don't really understand how libwrap works.