Block SSH Server Attacks Using DenyHosts in CentOS/RHEL 5/6/7
DenyHosts is a free, open source, log-based intrusion prevention program for SSH servers. It is a much-needed tool for any Linux system, especially where password-based SSH logins are allowed. DenyHosts is written in Python; it screens and analyzes the server's authentication log for invalid login attempts and blocks the offending hosts.
Install EPEL Repository:
DenyHosts is not in the base repositories, so it has to be installed from the third-party EPEL repository. Use the command matching your release to add it.

CentOS/RHEL 7, 64 Bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

CentOS/RHEL 6, 64 Bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

CentOS/RHEL 6, 32 Bit:
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

CentOS/RHEL 5, 64 Bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

CentOS/RHEL 5, 32 Bit:
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
Install DenyHosts:
Once the EPEL repository has been added, install the package with YUM:

# yum --enablerepo=epel install denyhosts

OR

# yum install denyhosts
Whitelist IP Addresses:
Once DenyHosts is installed, make sure your own IP address is whitelisted so that you can never lock yourself out.
# vim /etc/hosts.allow
Below the descriptive comment, add each IP address that you never want to block, one per line. The format should be as follows.

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 28.119.25.113
sshd: 28.119.25.114
sshd: 28.119.25.115
sshd: 28.119.25.116
Blacklist IP Addresses:
Add the IP addresses you want to block. Double-check that none of the addresses in the blacklist is your own.
# vim /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 28.119.25.117
sshd: 28.119.25.118
Configuring DenyHosts for Email Alerts:
DenyHosts can send email alerts about suspicious logins and blocked hosts; this is set up in its configuration file. Find ADMIN_EMAIL and set it to your email address to receive the alerts (for multiple recipients, separate the addresses with commas).
# vim /etc/denyhosts.conf
############ DENYHOSTS REQUIRED SETTINGS ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts

############ DENYHOSTS OPTIONAL SETTINGS ############
ADMIN_EMAIL = support@techoism.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts
SMTP_SUBJECT = DenyHosts Daily Report

############ DENYHOSTS OPTIONAL SETTINGS ############
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
Start DenyHosts Service:
Once you have finished with the configuration, start (or restart) the denyhosts service so the changes take effect, and enable it so that it starts at boot.

For CentOS/RHEL 5/6:
# chkconfig denyhosts on
# service denyhosts start

For CentOS/RHEL 7:
# systemctl enable denyhosts
# systemctl start denyhosts
DenyHosts Log File:
To see how many attackers have attempted to gain access to your server, use the following command to watch the SSH log in real time.
# tail -f /var/log/secure
Output:
Oct 1 03:26:38 srv sshd[2637]: refused connect from 28.119.25.117 (28.119.25.117)
Oct 1 03:27:15 srv sshd[2674]: refused connect from 28.119.25.117 (28.119.25.117)
Oct 1 03:28:07 srv sshd[2695]: Connection closed by 127.0.0.1
Oct 1 03:36:00 srv sshd[2637]: refused connect from 28.119.25.118 (28.119.25.117)
Oct 1 03:36:10 srv sshd[2674]: refused connect from 28.119.25.118 (28.119.25.118)
Oct 1 03:36:15 srv sshd[2695]: Connection closed by 127.0.0.1
Oct 1 03:37:39 srv sshd[2967]: Accepted password for root from 28.119.25.113 port 9271 ssh2
Oct 1 03:37:40 srv sshd[2967]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 1 03:38:10 srv sshd[2967]: Accepted password for root from 28.119.25.114 port 9272 ssh2
Oct 1 03:38:12 srv sshd[2967]: pam_unix(sshd:session): session opened for user root by (uid=0)
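Watching the log by eye does not scale once the refusals pile up. The shell functions below are an added example (not part of the original tutorial) that summarise log text in the format above: refusals per source address and successful password logins, the latter being worth alerting on when the user is root. The sample log is constructed here to mirror the excerpt.

```shell
#!/bin/sh
# Constructed sample in the format of the /var/log/secure excerpt above.
SAMPLE_LOG='Oct 1 03:26:38 srv sshd[2637]: refused connect from 28.119.25.117 (28.119.25.117)
Oct 1 03:27:15 srv sshd[2674]: refused connect from 28.119.25.117 (28.119.25.117)
Oct 1 03:28:07 srv sshd[2695]: Connection closed by 127.0.0.1
Oct 1 03:36:10 srv sshd[2674]: refused connect from 28.119.25.118 (28.119.25.118)
Oct 1 03:37:39 srv sshd[2967]: Accepted password for root from 28.119.25.113 port 9271 ssh2
Oct 1 03:38:10 srv sshd[2967]: Accepted password for root from 28.119.25.114 port 9272 ssh2'

# Count tcp_wrappers refusals per source IP, printed as "count ip", busiest first.
# Reads log text on stdin, so it works on a file or on `tail -f` output.
refused_by_ip() {
    awk '/sshd\[[0-9]+\]: refused connect from / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# List successful password logins as "user ip". Password logins as root are
# worth an alert regardless of the DenyHosts thresholds configured above.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted password for / {
             for (i = 1; i <= NF; i++) if ($i == "for") { print $(i + 1), $(i + 3); break }
         }'
}
```

Run either function as `tail -n 1000 /var/log/secure | refused_by_ip` on a live server.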
Remove Banned IP Address:
If you have accidentally blocked an IP address and want to remove the ban, first stop the service.

For CentOS/RHEL 5/6:
# service denyhosts stop

For CentOS/RHEL 7:
# systemctl stop denyhosts
To remove a banned IP address completely, delete it from each of the following files.

# vim /etc/hosts.deny
# vim /var/lib/denyhosts/hosts
# vim /var/lib/denyhosts/hosts-restricted
# vim /var/lib/denyhosts/hosts-root
# vim /var/lib/denyhosts/hosts-valid
# vim /var/lib/denyhosts/users-hosts
After removing the banned IP address, start the service again.

For CentOS/RHEL 5/6:
# service denyhosts start

For CentOS/RHEL 7:
# systemctl start denyhosts
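Editing six files by hand is error-prone, and a loose search can also strip a longer address that shares a prefix. The script below is an added example (not from the original tutorial) that performs the removal described above in one step. It assumes the paths from the denyhosts.conf shown earlier; the work-file contents in make_sample_dir are constructed, in the style of the DenyHosts files, so the function can be exercised on copies rather than on the live system.

```shell
#!/bin/sh
set -u

# unban_ip IP [HOSTS_DENY] [WORK_DIR]
# Deletes every line mentioning IP from hosts.deny and the DenyHosts work-dir files
# listed above. The defaults are the paths from the denyhosts.conf shown earlier
# (an assumption); stop the service before running this and start it afterwards.
unban_ip() {
    ip=$1
    hosts_deny=${2:-/etc/hosts.deny}
    work_dir=${3:-/var/lib/denyhosts}
    # Escape the dots so they match literally, and require the IP to be a whole
    # token so that 28.119.25.11 does not also strip 28.119.25.117.
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    pat="(^|[^0-9.])${ip_re}([^0-9.]|\$)"
    for f in "$hosts_deny" "$work_dir/hosts" "$work_dir/hosts-restricted" \
             "$work_dir/hosts-root" "$work_dir/hosts-valid" "$work_dir/users-hosts"; do
        [ -f "$f" ] || continue
        # grep -v exits 1 when no line is left, which is still a successful edit.
        if grep -Ev "$pat" "$f" > "$f.tmp" || [ $? -eq 1 ]; then
            mv "$f.tmp" "$f"
        else
            rm -f "$f.tmp"
        fi
    done
}

# Follows the tutorial's stop / edit / start sequence on the live system.
unban_ip_live() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl stop denyhosts && unban_ip "$1"; systemctl start denyhosts
    else
        service denyhosts stop && unban_ip "$1"; service denyhosts start
    fi
}

# Scratch copies of the files with constructed contents (in the style of the
# DenyHosts work files), for trying the function without touching the live system.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'sshd: 28.119.25.117\nsshd: 28.119.25.118\n' > "$d/hosts.deny"
    mkdir "$d/work"
    printf '28.119.25.117:5:Oct 1 03:26:38\n28.119.25.118:3:Oct 1 03:36:10\n' > "$d/work/hosts"
    printf 'root - 28.119.25.117:2:Oct 1 03:26:38\n' > "$d/work/users-hosts"
    printf '%s\n' "$d"
}
```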
Enjoy it!