Do you think your systems are secure? Install DenyHosts and you'll realize that you were in denial.
Exposing a system to the Internet means that you’ll soon (within hours) experience login attempts from random locations, from people you don’t know and from those with unclear motivations. DenyHosts is an SSH security tool in the form of a Python script that helps prevent brute-force and dictionary-based attacks against your systems. On my home system, I have at least one such attempt added to my /etc/hosts.deny file per day. I use DenyHosts to maintain that stealth watch over my insignificant system here in my dusty little corner of the Internet that I call home.
It amazes me to note how many hack attempts (806) I’ve had in the two years since I first installed DenyHosts. No, I don’t think I’m singled out, since no one could possibly know my ever-changing IP address with which to launch such an attack. I think that hackers script their hack attempts against entire IP networks and probably have an email notification alert them when they strike paydirt.
There are two ways to install DenyHosts on your system: from source and from package. Call me lazy but I prefer the package route over source anytime. Dependencies download with my package of choice and installation is automatic. Source installations often require me to seek out multiple dependencies that sometimes drag on for a day or two until I give up or try the installation on a different Linux distribution. My sage advice is to try your package manager first.
Package installation is simple. On my beloved Debian 5 system, I used:
$ sudo apt-get install denyhosts
The package search and download started in the usual way so I turned my attention elsewhere for a moment. When I glanced back at my Debian screen, the installation had completed and DenyHosts started. To my surprise, the latest version, 2.6.4, began protecting my system from unwanted SSH attacks without any intervention or assistance from me.
If you have to, or prefer to, use source for your installation, download the tarball from DenyHosts Downloads. Unzip, untar and cd into the DenyHosts source directory and issue the installation command:
$ sudo python setup.py install
Installing DenyHosts from source isn’t quite as automatic as it is from a package. From here, you’ll need to cd into /usr/share/denyhosts for some configuration fun.
In the /usr/share/denyhosts directory, you’ll find two files that need attention before starting the DenyHosts service: denyhosts.cfg-dist and daemon-control-dist. Copy each -dist file to a file of the same name without the -dist suffix (denyhosts.cfg and daemon-control).
Make these two changes to secure the DenyHosts startup command:
$ sudo chown root daemon-control
$ sudo chmod 700 daemon-control
To finish your DenyHosts setup, do the following:
$ sudo ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
$ sudo chkconfig --add denyhosts
$ sudo /etc/init.d/denyhosts start
The default configuration works well for most situations but only monitors SSH attempts. DenyHosts blocks SSH access when a foreign host attempts an SSH login to your system by adding an entry to your /etc/hosts.deny using the format: sshd: 192.168.5.10
However, if you want more security, there is one parameter worth special mention: BLOCK_SERVICE. Using the BLOCK_SERVICE parameter, you can block ALL services from that host. Uncomment the line: #BLOCK_SERVICE = ALL, comment the line: BLOCK_SERVICE = sshd and restart the DenyHosts service.
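To see which blocked hosts are covered only by the default sshd setting and which are blocked for ALL services, the following Python parses hosts.deny entries in the format shown above. It is an added example, not part of the original article or of DenyHosts; the sample addresses are constructed, the function names are hypothetical, and it assumes IPv4 or hostname entries (no bracketed IPv6).

```python
import re
from collections import defaultdict

# Constructed sample in the /etc/hosts.deny format shown above (addresses are made up).
SAMPLE = """\
# /etc/hosts.deny: constructed sample
sshd: 192.168.5.10
sshd: 192.168.5.11
ALL: 192.168.5.12
sshd, vsftpd: 192.168.5.13 192.168.5.14
sshd: 192.168.5.10
"""

def parse_hosts_deny(text):
    """Map each denied client to the set of daemons it is blocked from."""
    blocked = defaultdict(set)
    # Join backslash-continued lines, as hosts_access(5) allows.
    text = text.replace("\\\n", " ")
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Fields: daemon_list : client_list [: shell_command]
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; ignore it
        daemons = re.split(r"[,\s]+", fields[0].strip())
        clients = re.split(r"[,\s]+", fields[1].strip())
        for client in filter(None, clients):
            blocked[client].update(d for d in daemons if d)
    return dict(blocked)

def sshd_only(blocked):
    """Hosts denied SSH only, so other services that consult hosts.deny still answer them."""
    return sorted(h for h, d in blocked.items() if d == {"sshd"})

if __name__ == "__main__":
    table = parse_hosts_deny(SAMPLE)
    for host, daemons in sorted(table.items()):
        print(f"{host:16} {', '.join(sorted(daemons))}")
    print("sshd-only:", sshd_only(table))
```

To run it against a live system, pass the contents of /etc/hosts.deny to parse_hosts_deny() instead of SAMPLE.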
Please note that the source installation and the package installation place files in different locations, but this has no effect on functionality.
DenyHosts enhances your security efforts without a great amount of work for you or stress for your system. There’s one feature that bears mentioning but is beyond the scope of this article: Synchronization. DenyHosts allows you to upload your blacklisted hosts to a central server and download blacklists from other DenyHosts users from around the world. I use DenyHosts on every Linux system that I have administrative control over. There’s just no excuse to do otherwise.
Do you use DenyHosts? If so, write back and tell us.