Introduction
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
Installation and Configuration
Download and install denyhosts
Go to http://pkgs.repoforge.org/denyhosts/ and download http://pkgs.repoforge.org/denyhosts/denyhosts-2.6-5.el6.rf.noarch.rpm
wget http://pkgs.repoforge.org/denyhosts/denyhosts-2.6-5.el6.rf.noarch.rpm
Install the package with the following command.
rpm -ivh denyhosts-2.6-5.el6.rf.noarch.rpm
Allow the known hosts or networks that DenyHosts should not block. With the entry below, all hosts on 192.168.1.0/24 are exempt: if any host on the 192.168.1.0/24 network types a wrong password, that host won't get blocked.
echo "SSHD: 192.168.1." >> /etc/hosts.allow
Restart the service with the command below.
/etc/init.d/denyhosts restart
Verify that denyhosts is running.
ps ax | grep denyhost
Settings can be changed in /etc/denyhosts/denyhosts.cfg
PURGE_DENY defines the time after which deny_hosts entries are purged.
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
# when DenyHosts is invoked with the --purge flag
#
# format is: i[dhwmy]
# Where 'i' is an integer (eg. 7)
# 'm' = minutes
# 'h' = hours
# 'd' = days
# 'w' = weeks
# 'y' = years
#
# never purge:
DENY_THRESHOLD_INVALID = 5
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)
ADMIN_EMAIL=
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
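To see how DENY_THRESHOLD_INVALID = 5 and the 192.168.1. entry in /etc/hosts.allow interact, here is an added example (not DenyHosts' own code and not from the original post) that models the net effect over constructed sshd log lines. The log lines, host name, addresses and function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Values taken from the page: threshold from denyhosts.cfg, prefix from /etc/hosts.allow.
DENY_THRESHOLD_INVALID = 5
ALLOW_PREFIXES = ["192.168.1."]

# sshd message logged for a failed login to a non-existent account.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+) "
)

def is_allowed(ip, prefixes=ALLOW_PREFIXES):
    """TCP-wrappers style match: a pattern ending in '.' matches by address prefix."""
    return any(ip.startswith(p) if p.endswith(".") else ip == p for p in prefixes)

def blocked_hosts(log_lines, threshold=DENY_THRESHOLD_INVALID):
    """Hosts whose invalid-user failures exceed the threshold and that are not
    covered by hosts.allow (which is consulted before hosts.deny)."""
    failures = Counter()
    for line in log_lines:
        m = INVALID_USER_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return sorted(ip for ip, n in failures.items()
                  if n > threshold and not is_allowed(ip))

def sample_log():
    """Constructed sample lines in the format sshd writes for failed logins."""
    fmt = ("Jan 10 03:12:{:02d} web1 sshd[{}]: Failed password for "
           "invalid user admin from {} port 40{:03d} ssh2")
    lines = []
    # 6 failures from one outside address (exceeds 5), 5 from another (does not),
    # 8 from an address on the allowed 192.168.1.0/24 network.
    for ip, count in (("203.0.113.7", 6), ("198.51.100.9", 5), ("192.168.1.50", 8)):
        for i in range(count):
            lines.append(fmt.format(i, 2000 + i, ip, i))
    lines.append("Jan 10 03:13:00 web1 sshd[2100]: Accepted password for "
                 "alice from 203.0.113.7 port 40100 ssh2")
    return lines

if __name__ == "__main__":
    for ip in blocked_hosts(sample_log()):
        print("blocked after exceeding threshold:", ip)
```

Note that the host with exactly 5 failures is not blocked, because the setting blocks a host only after the count has exceeded the value.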