
Restricting SSH Access Attempts Using DenyHosts
The basic technique attackers use is "brute force": essentially guessing passwords from a dictionary.
In this article I will introduce a method to defend against brute-force attempts by installing DenyHosts, which can block the IP addresses of hosts that try to guess login passwords. DenyHosts reads the SSH log file to find the IP addresses that are trying to log in to the system; if an IP address has failed to log in too many times, DenyHosts blocks it through TCP Wrappers.
Step #1: Enable Rpmforge Repo
Red Hat Enterprise 5 64bit
[root@Ezylinux ~]# rpm -ivh http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
Red Hat Enterprise 5 32bit
[root@Ezylinux ~]# rpm -ivh http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
Red Hat Enterprise 6 64bit
[root@Ezylinux ~]# rpm -ivh http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Red Hat Enterprise 6 32bit
[root@Ezylinux ~]# rpm -ivh http://apt.sw.be/redhat/el6/en/i386/rpmforge/RPMS/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
Step #2: Install Denyhosts
[root@Ezylinux ~]# yum -y install denyhosts
Step #3: Configure Denyhosts
The default configuration file is located at /etc/denyhosts/denyhosts.cfg.
Here is my own sample configuration file for RHEL / CentOS:
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 7d
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 2
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = MyEmail@ezylinux.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
If you would like to receive emails about newly blocked hosts and suspicious logins, set the ADMIN_EMAIL parameter to your own email address. Multiple email addresses can be separated by commas, e.g.:
ADMIN_EMAIL = Email1@ezylinux.com, Mail2@ezylinux.com
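To make concrete what DenyHosts does with the DENY_THRESHOLD_* values above, here is an added example in Python; it is not DenyHosts' own code. It scans a few constructed /var/log/secure lines (standard OpenSSH "Failed password" messages) for failed sshd logins, counts them per source address in the three categories DenyHosts distinguishes (invalid user, valid user, root), and produces the entries DenyHosts would append to /etc/hosts.deny once a threshold is reached. The restricted-usernames list, the PURGE_DENY / AGE_RESET timing and the email report are deliberately left out, and the log format is assumed to be the one shown in the sample lines.

```python
import re
from collections import defaultdict

# Thresholds copied from the sample denyhosts.cfg above
DENY_THRESHOLD_INVALID = 3   # failures for user names that do not exist
DENY_THRESHOLD_VALID = 5     # failures for existing, non-root users
DENY_THRESHOLD_ROOT = 2      # failures for root
BLOCK_SERVICE = "sshd"       # service name written into /etc/hosts.deny

THRESHOLDS = {
    "invalid": DENY_THRESHOLD_INVALID,
    "valid": DENY_THRESHOLD_VALID,
    "root": DENY_THRESHOLD_ROOT,
}

# OpenSSH logs "Failed password for invalid user NAME from IP" when the
# account does not exist and "Failed password for NAME from IP" otherwise.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample of /var/log/secure; these addresses and users are made up.
SAMPLE_LOG = """\
Mar 23 10:00:01 ezylinux sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Mar 23 10:00:02 ezylinux sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Mar 23 10:00:03 ezylinux sshd[2002]: Failed password for invalid user oracle from 192.0.2.10 port 40002 ssh2
Mar 23 10:00:04 ezylinux sshd[2003]: Failed password for root from 192.0.2.11 port 40003 ssh2
Mar 23 10:00:05 ezylinux sshd[2003]: Failed password for root from 192.0.2.11 port 40003 ssh2
Mar 23 10:00:06 ezylinux sshd[2004]: Failed password for alice from 192.0.2.12 port 40004 ssh2
Mar 23 10:00:07 ezylinux sshd[2004]: Failed password for alice from 192.0.2.12 port 40004 ssh2
Mar 23 10:00:08 ezylinux sshd[2004]: Failed password for alice from 192.0.2.12 port 40004 ssh2
Mar 23 10:00:09 ezylinux sshd[2005]: Failed password for alice from 192.0.2.12 port 40005 ssh2
Mar 23 10:00:10 ezylinux sshd[2005]: Accepted password for alice from 192.0.2.12 port 40005 ssh2
Mar 23 10:00:11 ezylinux sshd[2006]: Failed password for invalid user test from 192.0.2.13 port 40006 ssh2
""".splitlines()


def classify(user, invalid_marker):
    """Map a failed login to the threshold category DenyHosts applies."""
    if invalid_marker:
        return "invalid"
    if user == "root":
        return "root"
    return "valid"


def failed_attempts(lines):
    """Count failed logins per (source IP, category); successes are ignored."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        category = classify(m.group("user"), m.group("invalid"))
        counts[(m.group("ip"), category)] += 1
    return counts


def hosts_to_deny(lines, already_denied=()):
    """Return the addresses that crossed their category threshold and are
    not yet listed in hosts.deny, sorted for stable output."""
    deny = set()
    for (ip, category), n in failed_attempts(lines).items():
        if n >= THRESHOLDS[category]:
            deny.add(ip)
    return sorted(deny - set(already_denied))


def hosts_deny_entries(ips):
    """Format addresses as the 'sshd: IP' lines TCP Wrappers reads."""
    return ["{}: {}".format(BLOCK_SERVICE, ip) for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_entries(hosts_to_deny(SAMPLE_LOG)):
        print(entry)
```

On the sample log, 192.0.2.10 is blocked after three failures against non-existent accounts and 192.0.2.11 after two failures against root, while 192.0.2.12 stays below the five-failure limit for a real user (and then logs in), and 192.0.2.13 has only one failure. Note that the real daemon also remembers counts across runs in WORK_DIR and lets them decay according to AGE_RESET_*, which is why a slow attacker can still be caught and a legitimate user who mistypes once is not locked out for good.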
Step #4: Turn On Denyhosts
[root@Ezylinux ~]# chkconfig denyhosts on
[root@Ezylinux ~]# /etc/init.d/denyhosts start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts/denyhosts.cfg


March 23rd, 2011
Tum.