
Fusion Network

DenyHosts for SSH (CentOS 4.5-5x)

I'm going to go over some of the measures I use to secure SSH on my systems. One of my favorite tools is called DenyHosts. I'll go over it first, then talk about some of my other security measures.

What is it?
DenyHosts is a system for checking your server for brute force hacking attempts against the SSH daemon. It looks through your system's "secure" log for hosts that have attempted a connection to your system and failed to authenticate. You can set different numbers of allowed attempts depending on whether the target is the 'root' account or a user on your "allowed users" list. You can also have the system 'reset' the attempt counter for a host if there is a successful login.
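To make the counting described above concrete, here is an added example (my own illustration, not DenyHosts' code): it scans constructed sample lines in /var/log/secure format, keeps per-host counters with separate limits for root, allowed users and unknown users, clears a host's counters after a successful login, and formats sshd-only hosts.deny entries. The threshold values, the sample addresses and the allowed-user list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in /var/log/secure format (RFC 5737 test addresses, not real hosts).
SAMPLE_LOG = """\
Jan 10 03:12:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 4122 ssh2
Jan 10 03:12:05 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.9 port 5011 ssh2
Jan 10 03:12:09 web1 sshd[2204]: Failed password for user1 from 192.0.2.44 port 6001 ssh2
Jan 10 03:12:11 web1 sshd[2204]: Failed password for user1 from 192.0.2.44 port 6001 ssh2
Jan 10 03:12:14 web1 sshd[2204]: Accepted password for user1 from 192.0.2.44 port 6001 ssh2
Jan 10 03:12:20 web1 sshd[2205]: Failed password for invalid user admin from 198.51.100.9 port 5013 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for \S+ from (\S+)")

# Assumed per-category limits, in the spirit of DenyHosts' DENY_THRESHOLD_ROOT/VALID/INVALID.
DEFAULT_THRESHOLDS = {"root": 1, "valid": 2, "invalid": 2}

def classify(user, invalid_flag, allowed_users):
    # Bucket the target account name the same way the thresholds are keyed.
    if user == "root":
        return "root"
    if invalid_flag or user not in allowed_users:
        return "invalid"
    return "valid"

def offenders(log_text, allowed_users, thresholds=DEFAULT_THRESHOLDS, reset_on_success=True):
    """Sorted source hosts whose failure count reached the limit for some account category."""
    fails = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            # A successful login clears that host's counters (the RESET_ON_SUCCESS behaviour).
            if reset_on_success:
                fails.pop(m.group(1), None)
            continue
        m = FAILED_RE.search(line)
        if m:
            invalid_flag, user, host = m.groups()
            fails[host][classify(user, bool(invalid_flag), allowed_users)] += 1
    return sorted(h for h, counts in fails.items()
                  if any(n >= thresholds[cat] for cat, n in counts.items()))

def hosts_deny_lines(hosts):
    """Format /etc/hosts.deny entries that block only sshd, as DenyHosts does."""
    return ["sshd: %s" % h for h in hosts]
```

Running offenders(SAMPLE_LOG, {"user1", "user2"}) denies the root guesser and the unknown-user guesser but not 192.0.2.44, whose two failures are wiped by the later successful login; with reset_on_success=False that host is denied too.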



Why?

Even with the settings listed below I was still getting around 4k attempts on at least two of my servers... DAILY. This just had to stop: not only is it a lot to look through in the logs, it also means that my boxes have too big a footprint on the net. You could do something more advanced like "port knocking", which I'll detail in a later post, but it requires your SSH users to run extra tools and to understand more about how SSH works, rather than just having it 'work'.

The best thing, though, would be to have a VPN into an outside system that you then use to SSH into your boxes behind a firewall; that way you couldn't SSH into any remote system without a good VPN connection.


How?

You can get DenyHosts from http://denyhosts.sourceforge.net/. I would suggest making a small donation to the project if you can afford it. This really is an excellent system and it has saved me some sleepless nights. I'll definitely be sending some extra $$ their way once I've got it ;)


Installation:

Installation is very simple. Download the current release to your server using something like wget.

Decompress the archive where you want it installed. The default is /usr/share/denyhosts.

Make sure to copy denyhosts.cfg-dist to denyhosts.cfg, then make your changes.

mv denyhosts.cfg-dist denyhosts.cfg

It's also good practice to keep a copy of the clean, default config.

cp denyhosts.cfg denyhosts.cfg.bk

These are some of my settings for you to check against.

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

HOSTNAME_LOOKUP=YES

ADMIN_EMAIL = (Set this to your email)

SMTP_FROM = DenyHosts (This and the above setting is for alerts)

RESET_ON_SUCCESS = yes (if a login succeeds, forget the earlier unsuccessful attempts from that host)

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

SYNC_INTERVAL = 4h

SYNC_DOWNLOAD = yes


These settings might not work for you, so make sure to read the explanations in the config file and set up your system accordingly.

Start it up:

You can start DenyHosts with this command.

python denyhosts.py start

You should be good to go! With this setup I have over 5K IPs in my hosts.deny file. The good thing is that these addresses are only denied sshd access, so if the attacking system is some poor infected Windows desktop out on the net, it will still have access to any websites or other services you offer on your servers (this may or may not be a good thing!).

Some of the other things I do with SSH to keep unauthorized users out:

Explicitly set SSH to only allow protocol 2.

Deny Root Login.

Set MaxAuthTries (I set this to 4).

AllowUsers (users to allow, separated by spaces).

This is an example of what the above options look like in sshd_config.

Protocol 2

PermitRootLogin no

MaxAuthTries 4

AllowUsers user1 user2 user3

It's not strictly necessary, but it is also good measure to set up a banner.

Banner /location/to/banner/file.txt


My default "banner" is listed below.


* * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *


THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE

ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE

PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR

OTHER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM,

DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES

AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY

NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT TO

MONITORING AND AUDITING.


* * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *

You could increase your security further by disallowing password-based authentication and allowing access by key only. This is sadly not an option in my case, but it would be a good idea for the future.

Another great idea would be to disallow SSH access unless you are connecting from a specific IP address or subnet; this would be excellent if you can get all of your remote users to VPN into your company/home network before using SSH to any of your servers.