Block SSH Server Attacks Using DenyHosts in CentOS/RHEL 5/6/7


DenyHosts is a free, open source, log-based intrusion prevention program for SSH servers. It is a much-needed tool on any Linux system, especially when password-based SSH logins are allowed. DenyHosts is written in Python; it watches and analyzes the server's authentication log for invalid login attempts and blocks the offending hosts.


Install EPEL Repository:

DenyHosts is not in the base repositories, so it has to be installed from the third-party EPEL repository. Use the following command to add it.

CentOS/RHEL 7 64bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
CentOS/RHEL 6 64bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
CentOS/RHEL 6, 32 Bit:
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
CentOS/RHEL 5 64bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
CentOS/RHEL 5, 32 Bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

Install DenyHosts:

Once the EPEL repository is added, install the package with the following yum command:

# yum --enablerepo=epel install denyhosts
OR
# yum install denyhosts

Whitelist IP Addresses:

Once DenyHosts is installed, make sure your own IP address is whitelisted, so that you never get locked out.

# vim /etc/hosts.allow
Below the comment header, add each IP address that you never want blocked, one per line. The format is as follows.

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 28.119.25.113
sshd: 28.119.25.114
sshd: 28.119.25.115
sshd: 28.119.25.116

Blacklist IP Addresses:

Add the IP addresses you want to block. Make sure that none of the addresses in the blacklist is your own.

# vim /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 28.119.25.117
sshd: 28.119.25.118

Configuring DenyHosts for Email Alerts:

DenyHosts can send email alerts about suspicious logins and blocked hosts; this is enabled in its configuration file. Find ADMIN_EMAIL and set it to the address that should receive the alerts (use a comma-separated list for multiple recipients).

# vim /etc/denyhosts.conf
############ DENYHOSTS REQUIRED SETTINGS ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts

############ DENYHOSTS OPTIONAL SETTINGS ############
ADMIN_EMAIL = support@techoism.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts 
SMTP_SUBJECT = DenyHosts Daily Report

############ DENYHOSTS OPTIONAL SETTINGS ############
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

Start DenyHosts Service:

Once you've finished with the configuration, restart the denyhosts service so the changes take effect, and add the service to system start-up.

For CentOS/RHEL 5/6
# chkconfig denyhosts on
# service denyhosts start
For CentOS/RHEL 7
# systemctl enable denyhosts
# systemctl start denyhosts

DenyHosts Log File:

To see how many attackers have attempted to gain access to your server, watch the SSH log. Use the following command to view it in real time.

# tail -f /var/log/secure

Output:

Oct  1 03:26:38 srv sshd[2637]: refused connect from 28.119.25.117 (28.119.25.117)
Oct  1 03:27:15 srv sshd[2674]: refused connect from 28.119.25.117 (28.119.25.117)
Oct  1 03:28:07 srv sshd[2695]: Connection closed by 127.0.0.1
Oct  1 03:36:00 srv sshd[2637]: refused connect from 28.119.25.118 (28.119.25.117)
Oct  1 03:36:10 srv sshd[2674]: refused connect from 28.119.25.118 (28.119.25.118)
Oct  1 03:36:15 srv sshd[2695]: Connection closed by 127.0.0.1
Oct  1 03:37:39 srv sshd[2967]: Accepted password for root from 28.119.25.113 port 9271 ssh2
Oct  1 03:37:40 srv sshd[2967]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct  1 03:38:10 srv sshd[2967]: Accepted password for root from 28.119.25.114 port 9272 ssh2
Oct  1 03:38:12 srv sshd[2967]: pam_unix(sshd:session): session opened for user root by (uid=0)

Remove Banned IP Address:

If you've accidentally blocked an address and want to remove the ban, first stop the service.

For CentOS/RHEL 5/6
# service denyhosts stop
For CentOS/RHEL 7
# systemctl stop denyhosts

To delete a banned IP address completely, remove it from each of the following files.

# vim /etc/hosts.deny
# vim /var/lib/denyhosts/hosts
# vim /var/lib/denyhosts/hosts-restricted
# vim /var/lib/denyhosts/hosts-root
# vim /var/lib/denyhosts/hosts-valid
# vim /var/lib/denyhosts/users-hosts

After removing the banned IP Address, start the service again.

For CentOS/RHEL 5/6
# service denyhosts start
For CentOS/RHEL 7
# systemctl start denyhosts
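The unban procedure above (stop the service, strip the address from every record file, start it again) as one script. This is an added example, not part of the original post or of the DenyHosts project; it assumes the default paths shown in /etc/denyhosts.conf above, and the record-line formats mentioned in its comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: unban one IP address by removing
# it from every DenyHosts record file the post lists, with the service stopped.
# Assumes the default paths from /etc/denyhosts.conf (WORK_DIR=/var/lib/denyhosts);
# the record-file line formats described below are assumptions.
DENYHOSTS_FILES="/etc/hosts.deny /var/lib/denyhosts/hosts /var/lib/denyhosts/hosts-restricted \
/var/lib/denyhosts/hosts-root /var/lib/denyhosts/hosts-valid /var/lib/denyhosts/users-hosts"

# Escape the dots so 28.119.25.117 matches literally (and not 28x119x25x117).
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Delete every line of file $2 that contains IP $1 as a whole address token,
# so 28.119.25.11 never matches 28.119.25.117 or 128.119.25.11. Prints the
# number of lines removed; a missing file counts as 0.
unban_ip_in_file() {
    ip_re=$(escape_ip "$1")
    file=$2
    [ -f "$file" ] || { echo 0; return 0; }
    before=$(wc -l < "$file")
    tmp=$(mktemp)
    # grep -v exits 1 when no line is left, which is a valid outcome here.
    grep -E -v "(^|[^0-9.])${ip_re}([^0-9.]|$)" "$file" > "$tmp" || true
    cat "$tmp" > "$file"   # rewrite in place so ownership and mode are kept
    rm -f "$tmp"
    after=$(wc -l < "$file")
    echo $((before - after))
}

# Remove IP $1 from all files given as the remaining arguments; prints the total.
unban_ip() {
    ip=$1; shift
    total=0
    for f in "$@"; do
        total=$((total + $(unban_ip_in_file "$ip" "$f")))
    done
    echo "$total"
}

# Stop DenyHosts, clean the records, and start it again (systemctl on 7, service on 5/6).
main() {
    if command -v systemctl >/dev/null 2>&1; then systemctl stop denyhosts; else service denyhosts stop; fi
    removed=$(unban_ip "$1" $DENYHOSTS_FILES)
    echo "removed $removed record(s) for $1"
    if command -v systemctl >/dev/null 2>&1; then systemctl start denyhosts; else service denyhosts start; fi
}

if [ "$#" -gt 0 ]; then main "$1"; fi
```

Run it as root with the address to unban as the only argument, e.g. `sh unban.sh 28.119.25.117`.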

Enjoy it!
