
DenyHosts = My new friend
Posted by MrFusion on Tue 24 Oct 2006 at 08:29
For those of you who run a Debian machine (or heck, any UNIX-based OS):

If you run SSHD (the Secure Shell daemon) on your machine (it may be there by default, you may never have explicitly denied all outside traffic other than from select IPs, and port 22 may be open to the whole Internet), then try this command:
sudo grep sshd /var/log/auth.log
(Or, if you're already root, don't bother with using sudo.)
You may be surprised to find hundreds of lines describing failed attempts from various IPs all around the world trying to log into your machine via SSH. Some may even have tried hundreds of logins by themselves, using a dictionary attack. Running a whois on these addresses will often trace them back to China or Korea, and emailing their ISP's abuse department is generally useless.

Now, if you're savvy enough when setting up your system, then you will have not used obvious names (like 'Joe') unless you tied them to very long and complicated passwords. Even if your login names aren't obvious, you should still have used very long and complicated passwords. And you will have set an especially difficult and complicated password for root. So if this is the case, your system is already fairly safe from dictionary attackers. (They're generally script kiddies and will give up and move on after a while.)

So even if your system is fairly bullet-proof in the login department, it's still fairly unsettling to just let it take repeated abuse from dictionary attackers. If you don't even use SSH to sign into your computer, then kill and disable SSHD. If you only ever sign onto it from specific IP addresses, then block all SSHD traffic with the exception of those IP's in your /etc/hosts.deny file. But if you like to keep it open for friends or your own general use from a school campus (or whatever), then you want to make it available. That is where DenyHosts comes in.

DenyHosts is a highly configurable program written in Python which can either be executed manually or via cron, or can be run 24/7 as a daemon. Basically, it checks up on your /var/log/auth.log file periodically. It recognizes fishy activity in the log, picks out the malicious IPs and then automatically adds them to the /etc/hosts.deny file. Any IP listed in there will be actively ignored by your computer from then on.

You can download that script from the webpage (linked above) and simply run an included Python script to install it. Or, if you're cool and you use Debian (or a derivative thereof), you can simply say:
sudo apt-get install denyhosts
(Drop the sudo if you're root.)
If you use the apt-get way, then it will automatically install a useful man page and set itself up in /etc/init.d so that you can easily start and stop the DenyHosts daemon. It also creates the config file (/etc/denyhosts.conf). In the config, you can specify all kinds of options (especially if you choose to run it in daemon mode, which I prefer). You can adjust tolerance levels (how many times someone fails to log in before it gives them the boot) and how often it checks the logfile (default 30 seconds). It can be set up to synchronize itself with the designer's central server so that you can also block IPs that other people's computers have blocked. (I keep this disabled, which is the default, since that would be a frighteningly huge hosts.deny file.)
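To make the log-to-hosts.deny logic concrete, here is a small added example (written for this post, not DenyHosts' own code) that scans sshd lines from a constructed auth.log excerpt, counts failed passwords per source IP, skips whitelisted addresses, optionally resets a counter after a successful login from that address, and emits the `sshd: <ip>` lines DenyHosts writes to /etc/hosts.deny. It uses a single threshold for simplicity, whereas DenyHosts itself distinguishes root, valid and invalid user names.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log (documentation-range IPs, not real attackers).
SAMPLE_AUTH_LOG = """\
Oct 24 08:01:02 host sshd[2101]: Failed password for invalid user joe from 198.51.100.7 port 4022 ssh2
Oct 24 08:01:05 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 4023 ssh2
Oct 24 08:01:09 host sshd[2101]: Failed password for root from 198.51.100.7 port 4024 ssh2
Oct 24 08:02:11 host sshd[2110]: Failed password for mrfusion from 192.0.2.10 port 5001 ssh2
Oct 24 08:02:20 host sshd[2110]: Accepted password for mrfusion from 192.0.2.10 port 5001 ssh2
Oct 24 08:03:00 host sshd[2115]: Failed password for invalid user test from 203.0.113.5 port 6000 ssh2
Oct 24 08:03:01 host sshd[2115]: Failed password for invalid user test from 203.0.113.5 port 6001 ssh2
Oct 24 08:03:02 host sshd[2115]: Failed password for invalid user test from 203.0.113.5 port 6002 ssh2
Oct 24 08:04:00 host sshd[2120]: Failed password for root from 192.0.2.10 port 5002 ssh2
"""

# Match the two sshd message shapes we care about and capture the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def find_offenders(log_text, threshold=3, allowed_hosts=(), reset_on_success=True):
    """Return sorted IPs whose failed-login count reached the threshold.

    allowed_hosts plays the role of the allowed-hosts whitelist file;
    reset_on_success mimics clearing the count after a successful login.
    """
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and reset_on_success:
            failures[m.group(2)] = 0  # a real user got in; forgive earlier typos
    allowed = set(allowed_hosts)
    return sorted(ip for ip, n in failures.items() if n >= threshold and ip not in allowed)


def hosts_deny_lines(offenders):
    """Format offenders the way DenyHosts writes them into /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in offenders]


if __name__ == "__main__":
    for entry in hosts_deny_lines(find_offenders(SAMPLE_AUTH_LOG)):
        print(entry)
```

In the sample, 192.0.2.10 fails once, then logs in successfully, then fails once more, so it stays below the threshold; the two dictionary-style sources are the only ones that end up denied.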

Anyway, it works like a charm. As of writing this, my personal server has blocked 46 separate IP's in the past two weeks... very impressive. It's a bullet-proof machine as it is, but I like the satisfaction of watching it weed out all the losers who try to break in. You can check out a list of all the IP's my system has blocked using DenyHosts through the following link: http://www.tarlus.net



There are tons more features that go with DenyHosts, but I'd end up with an all-out HowTo if I typed anything more about it. Heck, this is more of a HowTo than it is a blog. Oh well, I wanted to write it; I hope people will find this to be useful! At the very least, I hope more people will become aware of all the unsettling things that show up in their auth.log files!


Comments on this Entry

Re: DenyHosts = My new friend
Posted by ajt (204.193.xx.xx) on Tue 24 Oct 2006 at 08:53
There is also fail2ban which does a similar job.

--
"It's Not Magic, It's Work"
Adam


Re: DenyHosts = My new friend
Posted by Anonymous (212.131.xx.xx) on Mon 30 Oct 2006 at 16:44
Yes, but fail2ban needs a kernel with netfilter support enabled.
Debian's kernels are distributed with this enabled, but many sysadmins rebuild their own kernel, and not all want netfilter support on a system that isn't a firewall.

bye,

--
Marco Bertorello


Re: DenyHosts = My new friend
Posted by Steve (62.30.xx.xx) on Tue 24 Oct 2006 at 09:23

I've been using this for a while now on my hosts, and find it very good. The only downside is that I run Sarge so I have to install from source.

Nice tool. Though the documentation was a bit hard to read - it took me far too long to work out how to add an IP address as whitelisted!

Steve


Re: DenyHosts = My new friend
Posted by MrFusion (68.0.xx.xx) on Tue 24 Oct 2006 at 16:11
Yeah, same here, it was tricky to figure out certain things at first... But the manpage written for Debian is useful. I forgot that the stable branches don't have all the same stuff available in apt that Etch (testing) has. Sorry 'bout that. :)

You can whitelist IPs by creating a file called 'allowed-hosts' in your WORK_DIR (/var/lib/denyhosts is the default for the apt installation). Just add one IP per line. Took me a while to find out how that was done. :)

If you think it would be worthwhile for the site, I'd be glad to write a more clearly-written HowTo for installing via source and how to do more tricky things like whitelisting.

-MrFusion


Re: DenyHosts = My new friend
Posted by Steve (62.30.xx.xx) on Tue 24 Oct 2006 at 16:14

I definitely think it is useful, especially if you could make it Debian-specific.

I did have a quick look for a guide and found this one earlier.

(On my source-install I use - via cfengine.)

Steve


Re: DenyHosts = My new friend
Posted by marki (15.195.xx.xx) on Fri 27 Oct 2006 at 04:50
So you did a plain install from the .tgz file? Because I was trying it from apt-get.org for more than an hour now without success. It depends on python-central, which I built from the source package (just changed the dependency from debhelper 5 to 4). But it also depends on lsb-base 3.1 and there is only 2.0 in stable. From what I see, this is used in the init.d scripts. Does denyhosts require some functions from the new version? Or will it run also with 2.0? If not, is 3.1 backwards compatible?

Thanks


Re: DenyHosts = My new friend
Posted by Steve (80.68.xx.xx) on Fri 27 Oct 2006 at 09:17

Yes via the howto I linked to above from the original .tgz file.

Steve


Re: DenyHosts = My new friend
Posted by eric (194.2.xx.xx) on Tue 24 Oct 2006 at 16:10
Does DenyHosts release the captured IPs after some time? In case these are dynamic ones and so you may be blocked yourself...

:eric:
http://blog.sietch-tabr.com


Re: DenyHosts = My new friend
Posted by Steve (62.30.xx.xx) on Tue 24 Oct 2006 at 16:16

Yes you can configure it to:

  • Reset a count after a period of hours/days.
  • Also reset the count after a successful login.
  • Or just white-list particular IPs.

The second means you can fail a login, log in and then repeat that process lots of times and not get banned. Handy if you always mistype your password first thing in the morning like me!

Steve


Re: DenyHosts = My new friend
Posted by MrFusion (68.0.xx.xx) on Tue 24 Oct 2006 at 16:20
You can either permanently ban IP's, or you can configure it to purge them from the blacklist after a set period of time. As long as you don't mistype your password dozens of times in a row, then you should be okay from banning. And, you can whitelist your own IP if it's consistent.

I recommend that the malicious IPs be permanently banned, because I've watched a few of them attempt to log back in again many days later to see if their ban was lifted. Unfortunately for them, it wasn't. :)

-MrFusion


Re: DenyHosts = My new friend
Posted by dominic (142.58.xx.xx) on Tue 24 Oct 2006 at 21:12
DenyHosts just adds offenders to /etc/hosts.deny so to whitelist yourself (or subnet), add yourself to /etc/hosts.allow. See the man page for either.

In addition, DenyHosts has a centralized blacklist that you can submit offending IPs to and download malicious IPs from.

I've been very happy with DenyHosts for a while now.


Re: DenyHosts = My new friend
Posted by miguel (201.82.xx.xx) on Thu 26 Oct 2006 at 17:36
I really think that this is useful if for some reason you can't change the default port from 22 to another and can't limit at the firewall level to allow connections on port 22 only from a fixed list of hosts. I always set my sshd to 60000, 65000 or another very high port that no one will waste time trying to figure out.

These machines have never had ANY connection on sshd using very high ports.

DenyHosts can't save you from a remote exploit, but changing to a very high port, or setting your firewall to allow connections on port 22 only from a fixed list of hosts, can save your day.


Re: DenyHosts = My new friend
Posted by Anonymous (62.56.xx.xx) on Thu 26 Oct 2006 at 21:37
I have been running this script for a couple of years, and currently have 524 hosts blacklisted in /etc/hosts.deny. Quite impressive. Would it be appropriate to post my blacklist here for others to copy?


Re: DenyHosts = My new friend
Posted by Steve (80.68.xx.xx) on Fri 27 Oct 2006 at 16:03

I'd suggest not, if only because paranoid people wouldn't trust it anyway!

I do notice that the most recent version of DenyHosts has the option of uploading and downloading blacklists centrally already - so if people wish to get a blacklist they can do it just by using the configuration file.

Steve
