Sunday, April 4, 2010

Secure Your SSH Server with Denyhosts

As soon as you connect to the internet to do any of your daily tasks or connect your server to provide some service, it means that you are exposing your system to lots of threat and to people who are ready to play with your system just for fun or some personal interest.

SSH (Secure Shell) is one of the very common ways which is used to login to your machine and perform some tasks and which simply means that this is one of the gateway between hackers/crackers and your system.

So, most of the people would try different cracking techniques like Brute force or Dictionary attacks to gain access to your system with this service.

DenyHosts is a tool i use to secure my SSH server from these type of people. Written in python, this tool serves as a very active security guard and helps me to keep my system safe from lots of prying eyes.

Every day, I usually found at least couple of entries in the /etc/hosts.deny file. If you believe that your system operates on DHCP or no one could know your IP address, hence can’t launch any attack against your system, then this is the time to wake up.

Hackers have their scripts which don’t target a specific hosts or machine, they usually picks a network block and launches random attacks on all the machines available in that block and those scripts informs them as soon as they find something which could be of any interest to the hacker.

So which means that your machine is equally vulnerable to these attacks as much is mine.

What is Denyhosts:
DenyHosts is a python program that automatically blocks ssh attacks by adding entries to /etc/hosts.deny.

DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.

Installation:
Most of the time, there are two ways by which you can install a package, one is compile through source and other is to install by a package.

I will be explaining both here, so if you feel lazy (and don’t want to chase different locations for the dependencies), install it through package or else you could follow the source installation anytime.

Package Installation:
Package installation is pretty much simple. Usually I use my favorite tool aptitude to do the installation.

# aptitude install denyhosts -y

The package is not so big so it won’t take long for aptitude to search and install it. The package will install and configure on it’s own and get started to secure your system.

Source Installation:
I had already told you the easy way to install and configure the package, but still if you would like to opt the harder way, then download the source package from Denyhosts download.

Unzip and untar it and go into the Denyhosts directory.

# tar zxvf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6

and then use this simple command to install the package.

# python setup.py install

As you must know this, that installing the package from the source is quite a pain because you have to do all the configuration manually, instead of the way it was done automatically with the package.

Now go to the /usr/share/denyhosts directory and copy denyhosts.cfg-dist and daemon-control-dist to their respective to their non -dist version.

# cd /usr/share/denyhosts
# cp denyhosts.cfg-dist denyhosts.cfg
# cp daemon-control-dist daemon-control

I am sure you want the service to be started automatic at the next reboot. To do the same follow the steps given below.

# chown root daemon-control
# chmod 700 daemon-control
# ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
# chkconfig –add denyhosts

Now use this command to start the service

# /etc/init.d/denyhosts start

Denyhosts is now running and safe guarding your system from most of the attacks and will also start automatically at the next reboot.

Configuration:
The package installed now is with the default configuration and which works pretty much well for most of the cases, but there are also chances where you may be needing something different for yourself.

denyhosts.cfg is the file which you must be looking for if you would like to do some changes. The file is pretty much self explanatory, there are different parameters given inside the file which you can change and configure according to your needs. But there is one parameter which is worth mentioning.

BLOCK_SERVICE: This parameter is used by Denyhosts to block the listed services for the offenders. By default it will block the “ssh” service.

But if needed that can be changed to list of services or to “ALL” services. Simple put the parameter like this “#BLOCK_SERVICE = ALL” to block all services for those who are trying to mess up with your system.

But be CAREFUL, by mistake you could possibly block some of your clients with this.

Like if someone is trying some attacks from a company network, and you have have blocked all the services for that IP, then by mistake you are blocking services like HTTP/MAIL for all the people of that company.

There are various other parameters which can be changed and configured according to your needs like from where you should read the logs (SECURE_LOG), after how many days you purge an entry from the deny file (PURGE_DENY), after how many tries an IP would be put into the deny files, configuring Denyhosts to send you information and lot more. Have fun browsing through the config file.

Obviously, there are lots of other advance features in this software like Synchronization, means uploading the blacklisted hosts to a central server and downloading blacklists from other DenyHosts users which are using this service around the globe, but this is something i won’t be explaining here and will leave it for you to explore.

Here, I am not saying that Denyhosts will make your system completely secure but this is a very small piece of work which could give you great peace of mind.

Small configuration and your system will be safe from lots of un-wanted activities. So, I believe everyone must be using this to secure their system.

If not then drop an email/comment and I would like to hear the reason for the same.

No comments:

Post a Comment