DenyHosts

From ArchWiki

DenyHosts can be used to protect your server or home computer against SSH DoS attacks. The principle is simple: it parses /var/log/auth.log for failed login attempts and similar events, and blocks hosts that exceed a configured number of attempts.

The following sections describe how to set up DenyHosts properly on Arch Linux, and give hints on configuring it for a local or a remote system (such as a virtual server).

Installation

Simple as it is, you can install DenyHosts with pacman using the following command:

pacman -S denyhosts

Configuration

First of all, the configuration file is located in

/etc/denyhosts/denyhosts.cfg

Most configuration options are set there. Note that DenyHosts also saves the hosts found in auth.log in a separate directory, which is scanned every time the program starts; therefore, simply deleting auth.log will not help. The default directory used in the denyhosts configuration is

/var/lib/denyhosts

For a fresh installation, I recommend deleting the former authentication logfile (or rotating it). Note that in a plain "sudo echo > file" the redirection is performed by your unprivileged shell, not by root, so the truncation is run through sudo sh -c:

sudo /etc/rc.d/syslog-ng stop
sudo cp /var/log/auth.log /var/log/auth.log.old
sudo sh -c ': > /var/log/auth.log'
sudo /etc/rc.d/syslog-ng start

Furthermore, I recommend using a separate file for denying SSH hosts. Create your own file, as in the following example:

sudo touch /etc/hosts.evil

Afterwards, edit the configuration file mentioned above:

vi /etc/denyhosts/denyhosts.cfg

Find the line where hosts.deny is set as the default entry, and point it to your newly created "evil" file:

HOSTS_DENY = /etc/hosts.evil

With this setting, DenyHosts will write all denied hosts to this file. For a proper configuration, I will set up /etc/hosts.deny as the default rule, meaning that everything is denied EXCEPT what hosts.allow permits:

#
# /etc/hosts.deny
#

ALL: ALL: DENY

# End of file

The hosts.allow will also be adjusted to allow connections from any SSH client except the ones listed in our newly created hosts.evil:

#
# /etc/hosts.allow
#
sshd: ALL EXCEPT /etc/hosts.evil
# End of file
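The mechanism described at the top of the page (count failed logins per source address in auth.log, write offenders to the HOSTS_DENY file) and the hosts.allow rule just shown can be checked without a live server. The following script is an added example, not part of the ArchWiki page or of DenyHosts itself: it re-implements the counting in a few lines of awk, emits entries in the "sshd: <ip>" form DenyHosts writes, and emulates how hosts_access(5) resolves "sshd: ALL EXCEPT /etc/hosts.evil" (a file pattern is read as whitespace-separated host patterns, so the address token on each line is what matches). The log lines and addresses are constructed for the example, the DENY_THRESHOLD_INVALID option name is taken from denyhosts.cfg, and the threshold of 3 is chosen so the short sample trips it.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or DenyHosts): a small re-implementation
# of the DenyHosts idea so the configuration above can be exercised offline.
# Assumptions: classic sshd lines "Failed password for ... from <ip> port <n> ssh2"
# and the DenyHosts output format "sshd: <ip>", one host per line.

# Constructed sample of /var/log/auth.log lines (documentation address ranges,
# not real hosts): one host fails five times, one twice, one logs in normally.
SAMPLE_AUTH_LOG='Mar  1 10:00:01 arch sshd[1001]: Invalid user admin from 198.51.100.7
Mar  1 10:00:01 arch sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar  1 10:00:03 arch sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 41023 ssh2
Mar  1 10:00:05 arch sshd[1003]: Failed password for root from 198.51.100.7 port 41024 ssh2
Mar  1 10:00:07 arch sshd[1004]: Failed password for root from 198.51.100.7 port 41025 ssh2
Mar  1 10:00:09 arch sshd[1005]: Failed password for root from 198.51.100.7 port 41026 ssh2
Mar  1 10:00:20 arch sshd[1006]: Failed password for bob from 203.0.113.9 port 50010 ssh2
Mar  1 10:00:25 arch sshd[1007]: Failed password for bob from 203.0.113.9 port 50011 ssh2
Mar  1 10:01:00 arch sshd[1008]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2'

# failed_logins_per_host: read auth.log lines on stdin and print
# "<failures> <ip>" for every source address, most failures first.
failed_logins_per_host() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# count_for_host IP: failures recorded for one address (0 if none), stdin = log.
count_for_host() {
    failed_logins_per_host | awk -v ip="$1" \
        '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# offenders THRESHOLD: hosts with at least THRESHOLD failures, written the way
# DenyHosts writes them into HOSTS_DENY (here /etc/hosts.evil): "sshd: <ip>".
offenders() {
    failed_logins_per_host | awk -v t="$1" '$1 >= t { print "sshd: " $2 }'
}

# is_denied FILE IP: emulate the hosts.allow rule "sshd: ALL EXCEPT FILE".
# hosts_access(5) reads a file pattern as whitespace-separated host patterns,
# so the "<ip>" token of a "sshd: <ip>" line is what matches; comments are skipped.
# Exit status 0 means the client would be denied, 1 means it would be allowed.
is_denied() {
    awk -v ip="$2" '/^#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == ip) found = 1 }
        END { exit !found }' "$1"
}

# Demo: DenyHosts compares the counts against its DENY_THRESHOLD_* options
# (DENY_THRESHOLD_INVALID for unknown user names); 3 is used here so the
# constructed sample produces an entry. Prints "sshd: 198.51.100.7".
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 3
```

On a real system you would feed the functions the actual log (for example, "offenders 5 < /var/log/auth.log") and compare the output with what DenyHosts wrote to /etc/hosts.evil; is_denied gives a quick answer to "would this address be refused by hosts.allow right now?" before you rely on the rule from a remote session.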

Remote System

If you configure DenyHosts on a remote system where you do not have direct access, I recommend setting the DenyHosts option that purges denied hosts after a certain period of time (for example, one week), in case you lock yourself out one day. Therefore, edit your denyhosts.cfg once again:

PURGE_DENY = 1w

Starting DenyHosts

Simple as it is, the Arch Linux package ships with an rc script for DenyHosts.

sudo /etc/rc.d/denyhosts start

To start DenyHosts on every system startup, edit your rc.conf file and add denyhosts to the DAEMONS array. The "..." are placeholders for the other daemons being started; they are only there to point out the relevant entry.

DAEMONS=(... ... ... ... denyhosts ... ... ... ...)

Additional Information