DenyHosts

Update, 2011/05/30

For a long time I have wanted to use DenyHosts to also block attacks on vsftpd. I googled for answers and tried the suggestions, but I never succeeded, so it has been an on-and-off experiment.

As a last resort, I tried rate-limiting FTP connections to my servers with iptables to 3 connections per minute (for reference see: http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/). This works very well, but it does not block the attackers completely.

Recently I revisited the problem and I think I have finally found the answer (for reference see: http://www.mail-archive.com/denyhosts-user@lists.sourceforge.net/msg00306.html).

Change the following in your /etc/denyhosts.conf:

BLOCK_SERVICE = sshd ==> BLOCK_SERVICE = ALL

With BLOCK_SERVICE = ALL the lines DenyHosts writes to /etc/hosts.deny read ALL: 203.0.113.5 instead of sshd: 203.0.113.5, so every daemon that consults tcp_wrappers refuses the host, not just sshd. vsftpd honours hosts.deny only if it was built with tcp_wrappers support (the Fedora package is) and tcp_wrappers=YES is set in /etc/vsftpd/vsftpd.conf.

And add the following (the named groups message, host and user must be spelled exactly like this, because DenyHosts looks them up by name):

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* rhost=(?P<host>\S+)\s+user=(?P<user>\S+).*
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* rhost=(?P<host>\S+).*

SSHD_FORMAT_REGEX is applied to every line of the secure log; the added vsftpd.*: alternative lets the PAM messages that vsftpd logs (vsftpd: pam_unix(vsftpd:auth): authentication failure; ... rhost=203.0.113.5 user=test) through to the second stage, where the failed-entry regexes pick the attacking host and the targeted user out of the message group. The first USERDEF pattern handles messages that carry both rhost= and user=, the second those that carry rhost= alone.

Restart denyhosts (service denyhosts restart) and it will start blacklisting vsftpd attackers too.
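As an added illustration (not part of the original page and not DenyHosts' own code), the following Python script models DenyHosts' two-stage matching with the regexes above against a few constructed log lines: the format regex isolates the message, the failed-entry patterns pull host and user out of it, and hosts that reach the threshold become hosts.deny entries in the form BLOCK_SERVICE selects. The single threshold of 5, the simplified sshd "Failed password" pattern and the sample addresses are assumptions; DenyHosts itself keeps separate thresholds for valid, invalid and root users.

```python
import re
from collections import Counter

# Stage 1: the SSHD_FORMAT_REGEX from the page, named group restored. It strips
# the syslog prefix and daemon tag and keeps the remainder as "message".
SSHD_FORMAT_REGEX = re.compile(r".* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)")

# Stage 2: failed-entry patterns tried in order against "message". The first is
# a simplified form of DenyHosts' built-in sshd pattern (assumption: only the
# "Failed <method> for ..." shape is modelled); the other two are the page's
# USERDEF_FAILED_ENTRY_REGEX lines for PAM messages with and without user=.
FAILED_ENTRY_REGEXES = [
    re.compile(r"Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?"
               r"(?P<user>.*?) .*from (::ffff:)?(?P<host>\S+)"),
    re.compile(r"authentication failure.* rhost=(?P<host>\S+)\s+user=(?P<user>\S+).*"),
    re.compile(r"authentication failure.* rhost=(?P<host>\S+).*"),
]

# Constructed sample log (not real traffic): one host hammers both sshd and
# vsftpd, another fails once, and two lines are not failures at all.
SAMPLE_LOG = [
    "May 30 10:01:02 server vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=203.0.113.5  user=anonymous",
    "May 30 10:01:05 server sshd[2042]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2",
    "May 30 10:01:09 server sshd[2044]: Failed password for root from 203.0.113.5 port 4031 ssh2",
    "May 30 10:01:12 server vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=test rhost=203.0.113.5  user=test",
    "May 30 10:01:15 server vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser= rhost=203.0.113.5",
    "May 30 10:01:20 server sshd[2050]: Accepted publickey for deploy from 192.0.2.10 port 5000 ssh2",
    "May 30 10:01:25 server vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=bob rhost=198.51.100.7  user=bob",
    "May 30 10:01:30 server crond[2060]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_failed_login(line):
    """Return (host, user) for a failed-login line, None otherwise.

    user is None when the matching pattern has no user group (the host-only
    USERDEF pattern), which is why the page keeps both USERDEF lines.
    """
    m = SSHD_FORMAT_REGEX.match(line)
    if not m:
        return None            # not an sshd/vsftpd line at all
    message = m.group("message")
    for pattern in FAILED_ENTRY_REGEXES:
        f = pattern.search(message)
        if f:
            return f.group("host"), f.groupdict().get("user")
    return None                # sshd/vsftpd line, but not a failure


def hosts_to_deny(lines, threshold=5):
    """Hosts with at least `threshold` failures (assumed single threshold)."""
    failures = Counter()
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed:
            failures[parsed[0]] += 1
    return sorted(host for host, n in failures.items() if n >= threshold)


def hosts_deny_entries(hosts, block_service="ALL"):
    """Lines as DenyHosts would write them to /etc/hosts.deny for BLOCK_SERVICE."""
    return [f"{block_service}: {host}" for host in hosts]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_failed_login(line))
    print(hosts_deny_entries(hosts_to_deny(SAMPLE_LOG)))
```

Running it shows the point of the configuration change: the sshd and vsftpd failures from 203.0.113.5 are counted together, and with block_service="ALL" the resulting entry locks that host out of both services, whereas the default "sshd" would leave FTP open.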


Quite recently I have noticed a lot of attacks on my sshd server. To stop them, I would manually add the attackers' IP addresses to iptables. But every day I keep getting new attacks from different IPs, and adding the IP addresses to iptables by hand is quite time-consuming. I need a program that can stop these ssh attacks automatically, and DenyHosts is the answer.

From the DenyHosts FAQ:

What is DenyHosts?

DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host.

Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host.

An email report can be sent to a system admin.

Installation and Configuration

Fedora 7, which I am using, ships denyhosts, so if you use yum to install and update packages, just run:

yum install denyhosts

Otherwise download the package from the nearest mirror and install it manually:

rpm -Uvh denyhosts-xx.xx.i386.rpm

Now that denyhosts is installed, you may edit /etc/denyhosts.conf if you wish; the defaults are fine. Check at least that SECURE_LOG points at the log sshd writes to (/var/log/secure on Fedora) and that HOSTS_DENY is /etc/hosts.deny.

You should also add the addresses of your own network to /var/lib/denyhosts/allowed-hosts, one entry per line (a whole class C can be written in DenyHosts' wildcard form, e.g. 192.168.1.*), so that denyhosts never locks you out of your own server after a few mistyped passwords.

Now we can start denyhosts:

chkconfig --add denyhosts
chkconfig denyhosts on
service denyhosts start

DenyHosts is now running. Once an attacker crosses the configured threshold its address is written to /etc/hosts.deny, with the default BLOCK_SERVICE = sshd as a line of the form sshd: address, and tcp_wrappers refuses that host's further ssh connections.


Fr. Visminlu Vicente L. Chua, S.J.
2005/08/17
Updated: 2011/05/30