Page 2 of 4 (Results 11 to 20 of 32)

Thread: HOWTO: Installing DenyHosts

  1. #11
    Join Date: May 2006 | Beans: 3

    Re: HOWTO: Installing DenyHosts

    Well, I set it all up and I'm waiting for the attackers... a client of mine gets over 400 attacks a day from a cheeseegg.br or something.

  2. #12
    Join Date: Oct 2006 | Beans: 255 | Distro: The Feisty Fawn Testing

    Re: HOWTO: Installing DenyHosts

    Excellent, thank you, I've been sitting around watching hundreds of failed login attempts every hour and beginning to get annoyed just on the principle of the thing (my password is pretty obscure, and they haven't even gotten the user name right yet).

    It took this one IP address all of about a quarter of a second to end up in hosts.deny

    Now maybe I can stop worrying about running out of hard drive space from all these log files...

  3. #13
    Join Date: Apr 2006 | Beans: 3,905

    Re: HOWTO: Installing DenyHosts

    Hi dbott67,

    Ubuntu 7.04 lamp server amd64

    Just came across your guide while searching the docs on how to create hosts.deny and hosts.allow, which can't be found on the box. According to your guide, the 2 files created are empty. Where can I find their scripts?

    TIA

    B.R.
    satimis

  4. #14
    Join Date: Mar 2005 | Location: Canada | Beans: 1,595

    Re: HOWTO: Installing DenyHosts

    Quote Originally Posted by satimis:
    ...According to your guide the 2 files created are empty....
    Yes, the 2 files are empty. The DenyHosts script will put any "attacking" hosts in hosts.deny automatically, so you don't need to put anything in there yourself. If you've never been attacked, there won't be anything in the file.

    As for the hosts.allow, you would put any hosts in there that you do not want to blacklist (i.e. any trusted IP address). This would prevent you from getting blacklisted while at work or school if you mis-typed the password more than a few times.

    If I'm not explaining myself very well, please let me know.

    -Dave

  5. #15
    Join Date: Apr 2006 | Beans: 3,905

    Re: HOWTO: Installing DenyHosts

    Hi Dave,

    Thanks for your advice.

    Quote Originally Posted by dbott67:
    Yes, the 2 files are empty. The DenyHosts script will put any "attacking" hosts in hosts.deny automatically, so you don't need to put anything in there yourself. If you've never been attacked, there won't be anything in the file.
    Noted.

    What will be the result of entering "ALL:ALL" in hosts.deny?

    Quote Originally Posted by dbott67:
    As for the hosts.allow, you would put any hosts in there that you do not want to blacklist (i.e. any trusted IP address). This would prevent you from getting blacklisted while at work or school if you mis-typed the password more than a few times.
    Noted and thanks.

    Quote Originally Posted by dbott67:
    If I'm not explaining myself very well, please let me know.
    It is quite clear.

    B.R.
    satimis

  6. #16
    Join Date: Mar 2005 | Location: Canada | Beans: 1,595

    Re: HOWTO: Installing DenyHosts

    Quote Originally Posted by satimis:
    What will be the result of entering "ALL:ALL" in hosts.deny?
    It would deny access to all services for all hosts. If you wanted to be able to block everyone, yet still allow yourself in, you would need to create an exception or add yourself to hosts.allow.

    Here's a sample config I use on my RHEL server at work:
    Code:
    [root@hip ~]# cat /etc/hosts.allow 
    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    sshd: 127.0.0.1
    
    # Domain
    sshd: .my.work.domain.com
    
    # Firewall
    sshd: ccc.ddd.244.114
    
    # Vendor Tech Support IPs
    sshd: xxx.yyy.247.106, aaa.bbb.158.10
    
    # DBott from home
    sshd: *.my.isp.com
    Code:
    [root@hip ~]# cat /etc/hosts.deny
    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow.  In particular
    # you should know that NFS uses portmap!
    
    
    sshd:ALL EXCEPT localhost \
    : spawn /bin/echo `/bin/date` access denied for %a %h>>/var/log/sshd.log
    Before changing the hosts.allow and hosts.deny, my log file was filled with brute force attempts to SSH in. Since enabling this, this is what my log file looks like now:
    Code:
    Fri Aug 10 08:47:17 EDT 2007 access denied for ::ffff:64.76.204.99 mail.intervida.org.pe
    Fri Aug 10 09:02:13 EDT 2007 access denied for ::ffff:64.76.204.99 mail.intervida.org.pe
    Fri Aug 10 09:20:09 EDT 2007 access denied for ::ffff:64.76.204.99 mail.intervida.org.pe
    Fri Aug 10 09:30:11 EDT 2007 access denied for ::ffff:64.76.204.99 mail.intervida.org.pe
    Fri Aug 10 17:14:41 EDT 2007 access denied for ::ffff:218.55.193.136 ::ffff:218.55.193.136
    Sat Aug 11 17:30:57 EDT 2007 access denied for ::ffff:131.104.48.173 potter.cis.uoguelph.ca
    Sat Aug 11 17:38:34 EDT 2007 access denied for ::ffff:131.104.48.173 potter.cis.uoguelph.ca
    Sat Aug 11 22:31:09 EDT 2007 access denied for ::ffff:24.158.163.108 24-158-163-108.dhcp.jcsn.tn.charter.com
    Sat Aug 11 22:31:37 EDT 2007 access denied for ::ffff:24.158.163.108 24-158-163-108.dhcp.jcsn.tn.charter.com
    Sun Aug 12 04:22:18 EDT 2007 access denied for ::ffff:222.73.231.121 ::ffff:222.73.231.121
    Sun Aug 12 04:27:15 EDT 2007 access denied for ::ffff:222.73.231.121 ::ffff:222.73.231.121
    Mon Aug 13 05:03:30 EDT 2007 access denied for ::ffff:222.90.234.68 ::ffff:222.90.234.68
    Mon Aug 13 16:44:44 EDT 2007 access denied for ::ffff:218.95.228.152 ::ffff:218.95.228.152
    Mon Aug 13 17:04:35 EDT 2007 access denied for ::ffff:218.95.228.152 ::ffff:218.95.228.152
    Tue Aug 14 06:21:26 EDT 2007 access denied for ::ffff:222.73.104.213 ::ffff:222.73.104.213
    Tue Aug 14 08:42:44 EDT 2007 access denied for ::ffff:222.135.144.23 ::ffff:222.135.144.23
    Tue Aug 14 09:48:43 EDT 2007 access denied for ::ffff:222.135.144.23 ::ffff:222.135.144.23
    Tue Aug 14 13:02:49 EDT 2007 access denied for ::ffff:59.106.14.41 ::ffff:59.106.14.41
    Tue Aug 14 13:13:26 EDT 2007 access denied for ::ffff:59.106.14.41 ::ffff:59.106.14.41
    Tue Aug 14 13:39:13 EDT 2007 access denied for ::ffff:61.146.178.13 ::ffff:61.146.178.13
    Tue Aug 14 18:31:25 EDT 2007 access denied for ::ffff:222.168.102.67 ::ffff:222.168.102.67
    Tue Aug 14 23:00:02 EDT 2007 access denied for ::ffff:82.103.65.2 server.transcapital.bg
    Wed Aug 15 13:50:51 EDT 2007 access denied for ::ffff:71.231.123.145 c-71-231-123-145.hsd1.wa.comcast.net
    Wed Aug 15 13:59:22 EDT 2007 access denied for ::ffff:71.231.123.145 c-71-231-123-145.hsd1.wa.comcast.net
    Wed Aug 15 17:30:52 EDT 2007 access denied for ::ffff:158.75.59.5 opty.xlo.torun.pl
    Thu Aug 16 01:06:42 EDT 2007 access denied for ::ffff:222.171.127.162 ::ffff:222.171.127.162
    Thu Aug 16 01:09:32 EDT 2007 access denied for ::ffff:222.171.127.162 ::ffff:222.171.127.162
    Fri Aug 17 10:54:09 EDT 2007 access denied for ::ffff:211.93.0.213 ::ffff:211.93.0.213
    Fri Aug 17 20:14:06 EDT 2007 access denied for ::ffff:202.201.241.243 ::ffff:202.201.241.243
    Fri Aug 17 20:16:08 EDT 2007 access denied for ::ffff:202.201.241.243 ::ffff:202.201.241.243
    Sat Aug 18 16:29:54 EDT 2007 access denied for ::ffff:202.123.27.159 ::ffff:202.123.27.159
    Sat Aug 18 16:55:23 EDT 2007 access denied for ::ffff:202.123.27.159 ::ffff:202.123.27.159
    Sun Aug 19 02:00:45 EDT 2007 access denied for ::ffff:211.200.44.249 ::ffff:211.200.44.249
    Sun Aug 19 02:06:02 EDT 2007 access denied for ::ffff:211.200.44.249 ::ffff:211.200.44.249
    Mon Aug 20 01:37:49 EDT 2007 access denied for ::ffff:211.78.3.69 dns.dotking.com.tw
    Mon Aug 20 02:12:07 EDT 2007 access denied for ::ffff:211.78.3.69 dns.dotking.com.tw
    Tue Aug 21 01:15:08 EDT 2007 access denied for ::ffff:58.47.168.236 ::ffff:58.47.168.236
    Tue Aug 21 01:17:43 EDT 2007 access denied for ::ffff:58.47.168.236 ::ffff:58.47.168.236
    Tue Aug 21 03:32:58 EDT 2007 access denied for ::ffff:60.28.23.21 ::ffff:60.28.23.21
    Wed Aug 22 06:15:38 EDT 2007 access denied for ::ffff:202.107.245.4 ::ffff:202.107.245.4
    Wed Aug 22 06:49:04 EDT 2007 access denied for ::ffff:202.107.245.4 ::ffff:202.107.245.4
    Thu Aug 23 03:16:31 EDT 2007 access denied for ::ffff:200.7.97.194 mail.uniqueyacht.com
    Thu Aug 23 03:17:53 EDT 2007 access denied for ::ffff:200.7.97.194 ::ffff:200.7.97.194
    Thu Aug 23 15:41:22 EDT 2007 access denied for ::ffff:200.205.221.114 ::ffff:200.205.221.114
    Thu Aug 23 15:45:26 EDT 2007 access denied for ::ffff:200.205.221.114 ::ffff:200.205.221.114
    Fri Aug 24 14:12:53 EDT 2007 access denied for ::ffff:222.122.26.60 ::ffff:222.122.26.60
    -Dave
    Last edited by dbott67; August 25th, 2007 at 02:02 PM.

  7. #17
    Join Date: Apr 2006 | Beans: 3,905

    Re: HOWTO: Installing DenyHosts

    Quote Originally Posted by dbott67:
    It would deny access to all services for all hosts. If you wanted to be able to block everyone, yet still allow yourself in you would need to create an exception or add yourself to hosts.allow.

    Here's a sample config I use on my RHEL server at work:
    Code:
    [root@hip ~]# cat /etc/hosts.allow 
    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    sshd: 127.0.0.1
    
    # Domain
    sshd: .my.work.domain.com
    
    # Firewall
    sshd: ccc.ddd.244.114
    
    # Vendor Tech Support IPs
    sshd: xxx.yyy.247.106, aaa.bbb.158.10
    
    # DBott from home
    sshd: *.my.isp.com
    What is
    # Firewall
    sshd: ccc.ddd.244.144 ???

    How do I find it? I don't have a firewall box.


    Quote Originally Posted by dbott67:
    Code:
    [root@hip ~]# cat /etc/hosts.deny
    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow.  In particular
    # you should know that NFS uses portmap!
    
    
    sshd:ALL EXCEPT localhost \
    : spawn /bin/echo `/bin/date` access denied for %a %h>>/var/log/sshd.log
    I suppose
    Code:
    sshd:ALL EXCEPT localhost \
    : spawn /bin/echo `/bin/date` access denied for %a %h>>/var/log/sshd.log
    is in 2 lines? Thanks

    I'll test it later. I'm not on that server.

    satimis

  8. #18
    Join Date: Mar 2005 | Location: Canada | Beans: 1,595

    Re: HOWTO: Installing DenyHosts

    The Firewall in question is my work firewall. The server running Redhat is in the DMZ, so I added the firewall IP so that I could access from any machine on the internal LAN.

    -Dave

  9. #19
    Join Date: Apr 2006 | Beans: 3,905

    Re: HOWTO: Installing DenyHosts

    Quote Originally Posted by dbott67:
    The Firewall in question is my work firewall. The server running Redhat is in the DMZ, so I added the firewall IP so that I could access from any machine on the internal LAN.
    Noted.


    Performed the following test:

    Edited hosts.deny and hosts.allow.

    $ cat /etc/host.allow
    Code:
    sshd: 127.0.0.1
    
    # Domain
    sshd: .satimis.com
    
    # Pacific from home
    sshd: *.pacific.net.hk
    Why does it need a "." (dot) in front of "satimis.com"?


    $ cat /etc/host.deny
    Code:
    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow.  In particular
    # you should know that NFS uses portmap!
    
    
    sshd:ALL EXCEPT localhost \
    : spawn /bin/echo `/bin/date` access denied for %a %h>>/var/log/sshd.log
    $ sudo /etc/init.d/denyhosts stop
    Code:
     * Stopping DenyHosts denyhosts                                          [ OK ]
    $ sudo denyhosts --purge
    No printout

    $ sudo /etc/init.d/denyhosts start
    Code:
     * Starting DenyHosts denyhosts                                          [ OK ]
    $ ls -al /var/log/ | grep sshd.log
    No printout. The log file can't be found.


    satimis

  10. #20
    Join Date: Mar 2005 | Location: Canada | Beans: 1,595

    Re: HOWTO: Installing DenyHosts

    Quote Originally Posted by satimis:
    Why does it need a "." (dot) in front of "satimis.com"?
    Putting the dot in front would allow any host from my work domain to be allowed in. From the TCP Wrappers Configuration File Site:
    Section 16.2.1.2

    Hostname beginning with a period (.) — Placing a period at the beginning of a hostname, matches all hosts sharing the listed components of the name. The following example applies to any host within the example.com domain:
    ALL : .example.com
    Quote Originally Posted by satimis:
    $ sudo denyhosts --purge
    No printout
    Purging the hosts.deny file does not issue any output; however, if you check the file before and after, you will notice that any logged IP address older than the PURGE_DENY value will be removed.

    Quote Originally Posted by satimis:
    $ ls -al /var/log/ | grep sshd.log
    No printout. The log file can't be found.
    For Debian-based distros (such as Ubuntu), sshd is logged to /var/log/auth.log.

    Hope this helps.

    -Dave
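The hosts.allow / hosts.deny decision that Dave's posts #16 and #20 describe (hosts.allow consulted first, then hosts.deny, `ALL EXCEPT localhost`, the leading-dot domain pattern and the `*.` wildcard), as an added example that is not code from the thread: a small Python model of the tcp_wrappers rule evaluation run over a constructed pair of files shaped like the RHEL config. The domain names and addresses are placeholders, only the pattern types the thread uses are modelled, the `spawn` option is parsed but ignored, and IPv6 clients are out of scope.

```python
import fnmatch
import re

# Constructed files shaped like the RHEL config in the thread; the domain names
# and addresses are placeholders (RFC 5737 ranges), not real hosts.
HOSTS_ALLOW = "sshd: 127.0.0.1\nsshd: .my.work.domain.com\nsshd: 192.0.2.10, *.my.isp.com\n"
HOSTS_DENY = ("sshd:ALL EXCEPT localhost \\\n"
              ": spawn /bin/echo `/bin/date` access denied for %a %h>>/var/log/sshd.log\n")

def _rules(text):
    """Yield (daemon_list, client_list) pairs; options after the 2nd ':' are ignored."""
    for line in text.replace("\\\n", " ").splitlines():  # join '\' continuations
        line = line.split("#", 1)[0]                      # drop comments
        if ":" in line:                                   # IPv4 only: no ':' in hosts
            daemons, clients = line.split(":", 2)[:2]
            yield daemons.strip(), clients.strip()

def _token_matches(pattern, values):
    """One hosts_access pattern against the client's address and hostname."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                  # domain suffix, e.g. .example.com
        return any(v.endswith(pattern) for v in values)
    if pattern.endswith("."):                    # address prefix, e.g. 192.0.2.
        return any(v.startswith(pattern) for v in values)
    if "*" in pattern or "?" in pattern:         # shell-style wildcard
        return any(fnmatch.fnmatchcase(v, pattern) for v in values)
    return pattern in values                     # literal address or hostname

def _list_matches(expr, values):
    """'a, b EXCEPT c' matches when a or b matches and c does not."""
    head, _, tail = expr.partition(" EXCEPT ")
    if tail and _list_matches(tail, values):
        return False
    return any(_token_matches(p, values) for p in re.split(r"[,\s]+", head) if p)

def access_allowed(daemon, address, hostname, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: an allow match grants, then a deny match denies, else the client is let in."""
    client = [address, hostname]
    for d, c in _rules(allow):
        if _list_matches(d, [daemon]) and _list_matches(c, client):
            return True
    for d, c in _rules(deny):
        if _list_matches(d, [daemon]) and _list_matches(c, client):
            return False
    return True

if __name__ == "__main__":
    for who in [("127.0.0.1", "localhost"), ("203.0.113.9", "203.0.113.9")]:
        print(who, "allowed" if access_allowed("sshd", *who) else "denied")
```

Passing `deny="ALL: ALL"` reproduces satimis' question from #15: every host not listed in hosts.allow is refused, while the work domain and ISP hosts still get in because hosts.allow is checked first.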
