Results 21 to 30 of 32

Thread: HOWTO: Installing DenyHosts

  1. #21
    Join Date
    Apr 2006
    Beans
    3,933

    Re: HOWTO: Installing DenyHosts

    Quote (originally posted by dbott67):
    Putting the dot in front would allow any host from my work domain to be allowed in. From the TCP Wrappers Configuration File Site:



    Purging the hosts.deny file does not issue any output, however, if you check the file before & after, you will notice that any logged IP address that is older than the PURGE_DENY value will be removed.
    All noted. Tks

    For Debian-based distros (such as Ubuntu) the sshd is logged in /var/log/auth.log.
    I got it.

    $ tail -f /var/log/auth.log
    Code:
    Aug 27 23:17:01 ubuntu CRON[5157]: (pam_unix) session closed for user root
    Aug 27 23:39:01 ubuntu CRON[5246]: (pam_unix) session opened for user root by (uid=0)
    Aug 27 23:39:01 ubuntu CRON[5246]: (pam_unix) session closed for user root
    Aug 27 23:49:54 ubuntu sudo:  satimis : TTY=tty1 ; PWD=/home/satimis ; USER=root ; COMMAND=/sbin/shutdown -h now
    Aug 28 09:06:21 ubuntu sshd[4655]: Server listening on 0.0.0.0 port 22.
    Aug 28 09:09:01 ubuntu CRON[4826]: (pam_unix) session opened for user root by (uid=0)
    Aug 28 09:09:02 ubuntu CRON[4826]: (pam_unix) session closed for user root
    Aug 28 09:09:51 ubuntu login[4336]: (pam_unix) session opened for user satimis by (uid=0)
    Aug 28 09:17:01 ubuntu CRON[4907]: (pam_unix) session opened for user root by (uid=0)
    Aug 28 09:17:01 ubuntu CRON[4907]: (pam_unix) session closed for user root
    B.R.
    satimis

  2. #22
    Join Date
    Dec 2006
    Beans
    177
    Distro
    Hardy Heron (Ubuntu Development)

    Re: HOWTO: Installing DenyHosts

    Here's a little off topic question...

    Let's say I want to make a world map of all my blocked IPs based on geographical location (they're all China IPs but I do have 1 from Italy!). Anybody know of some nifty tools to help me make this?

  3. #23
    Join Date
    Apr 2007
    Beans
    29
    Distro
    Ubuntu 7.04 Feisty Fawn

    Re: HOWTO: Installing DenyHosts

    Hi,

    May I know what messages I should expect from

    tail -f -s3 /etc/hosts.deny
    if I attempt a simulated internal attack on my ssh?

    I have attempted a few tries but nothing is logged. What can I do to see some failed attempts?

    Thanks.

  4. #24
    Join Date
    Mar 2005
    Location
    Canada
    Beans
    1,595

    Re: HOWTO: Installing DenyHosts

    Quote (originally posted by swoosh):
    Hi,

    May I know what messages I should expect from



    if I attempt a simulated internal attack on my ssh?

    I have attempted a few tries but nothing is logged. What can I do to see some failed attempts?

    Thanks.
    You should see something like this:
    Code:
    dbott@feisty:~$ tail -f -s3 /etc/hosts.deny
    # DenyHosts: Thu Oct 18 22:34:31 2007 | sshd: 192.168.1.107
    sshd: 192.168.1.107
    If you don't get anything showing up after a few attempts, make sure that DenyHosts is running:
    Code:
    dbott@feisty:~$ ps aux | grep deny
    dbott     5007  0.0  0.0   2884   752 pts/0    R+   22:36   0:00 grep deny
    root     20631  0.0  0.5   8336  4760 ?        SN   Oct14   0:00 python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf --config=/etc/denyhosts.conf
    Also make sure that the auth.log file shows the attempts:
    Code:
    dbott@feisty:~$ cat /var/log/auth.log | grep sshd
    Oct 18 22:33:09 feisty sshd[4851]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.107  user=root
    Oct 18 22:33:11 feisty sshd[4851]: Failed password for root from 192.168.1.107 port 1482 ssh2
    Oct 18 22:34:03 feisty sshd[4889]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.107  user=root
    Oct 18 22:34:04 feisty sshd[4889]: Failed password for root from 192.168.1.107 port 1483 ssh2
    Oct 18 22:34:34 feisty sshd[4909]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.107  user=root
    Oct 18 22:34:36 feisty sshd[4909]: Failed password for root from 192.168.1.107 port 1484 ssh2
    Oct 18 22:35:13 feisty sshd[4909]: Failed password for root from 192.168.1.107 port 1484 ssh2
    Oct 18 22:36:24 feisty sshd[4909]: fatal: Timeout before authentication for 192.168.1.107
    -Dave
    Last edited by dbott67; October 19th, 2007 at 03:45 AM. Reason: Added more info
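
Added example (not part of dbott67's post and not DenyHosts code): the checks above cross-referenced in one pass, counting `Failed password` lines per source address and listing addresses at or over a threshold that `hosts.deny` does not yet contain. The function names, the `threshold` parameter and the sample data are assumptions constructed for illustration; only IPv4 addresses and literal `hosts.deny` entries are handled.

```python
import re
from collections import Counter

# Constructed sample data in the format of the excerpts in the post above.
AUTH_LOG = """\
Oct 18 22:33:11 feisty sshd[4851]: Failed password for root from 192.168.1.107 port 1482 ssh2
Oct 18 22:34:04 feisty sshd[4889]: Failed password for root from 192.168.1.107 port 1483 ssh2
Oct 18 22:34:36 feisty sshd[4909]: Failed password for root from 192.168.1.107 port 1484 ssh2
Oct 18 22:35:02 feisty sshd[4930]: Failed password for invalid user admin from 10.0.0.5 port 4022 ssh2
Oct 18 22:35:09 feisty sshd[4931]: Failed password for invalid user test from 10.0.0.5 port 4023 ssh2
Oct 18 22:35:15 feisty sshd[4932]: Failed password for invalid user guest from 10.0.0.5 port 4024 ssh2
Oct 18 22:36:30 feisty sshd[4951]: Failed password for dbott from 192.168.1.20 port 5002 ssh2
"""
HOSTS_DENY = """\
# DenyHosts: Thu Oct 18 22:34:31 2007 | sshd: 192.168.1.107
sshd: 192.168.1.107
"""

# Greedy match anchored at end of line: the address taken is the one sshd appended, not username text.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from "
                    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?$")

def failed_by_ip(auth_log):
    """Count sshd 'Failed password' lines per source IPv4 address."""
    counts = Counter()
    for line in auth_log.splitlines():
        m = FAILED.search(line.rstrip())
        if m:
            counts[m.group(1)] += 1
    return counts

def denied_ips(hosts_deny, service="sshd"):
    """Literal client entries denied for `service` or ALL; comment lines are skipped."""
    denied = set()
    for line in map(str.strip, hosts_deny.splitlines()):
        if not line or line.startswith("#"):
            continue
        daemons, _, clients = line.partition(":")
        if {service, "ALL"} & set(re.split(r"[,\s]+", daemons.strip())):
            denied.update(c for c in re.split(r"[,\s]+", clients.split(":")[0]) if c)
    return denied

def unblocked_offenders(auth_log, hosts_deny, threshold=3):
    """Addresses with at least `threshold` failures that hosts.deny does not list."""
    denied, counts = denied_ips(hosts_deny), failed_by_ip(auth_log)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in denied)

if __name__ == "__main__":
    print(unblocked_offenders(AUTH_LOG, HOSTS_DENY))
```

An address appearing in this output while the daemon is running points at the log path or threshold settings in the DenyHosts configuration rather than at sshd.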

  5. #25
    Join Date
    Mar 2005
    Location
    Canada
    Beans
    1,595

    Re: HOWTO: Installing DenyHosts

    Quote (originally posted by hebetude):
    Here's a little off topic question...

    Let's say I want to make a world map of all my blocked IPs based on geographical location (they're all China IPs but I do have 1 from Italy!). Anybody know of some nifty tools to help me make this?
    There are sites out there that offer software that can do this, such as http://www.ip2location.com/ and other similar sites. I don't know if there are any open source IP - Geolocation projects out there, but I'm certain that someone familiar with the API for Google Maps can scrape the data from a service similar to the above and make a pretty cool mash-up.

    -Dave

  6. #26
    Join Date
    May 2006
    Beans
    79

    Re: HOWTO: Installing DenyHosts

    Hello,
    followed this tutorial, worked like a charm. have blocked already 6 sites...
    i was curious on couple of things:
    1- somehow, denyhosts locked me out.... might be because i access (successfully though) my host every day?
    2 - i'd like to block access also to port 25 as i noticed that i have many intruders trying to log in to my mail server.
    i have strong passwords, so i am not particularly worried - also because i am using VPS as a learning tool for configuring my own Linux server - but i'd like to discourage those intruders by locking them out

    how will i do it? what is the correct syntax?

    is it
    BLOCK_SERVICES=sshd, smtp ?

    i'd love to use BLOCK_SERVICES=ALL but i fear i will be locked out forever from my VPS (currently, i am using ssh to login)

    could anyone give me some advice?

    regards
    marco

  7. #27
    Join Date
    Dec 2006
    Beans
    177
    Distro
    Hardy Heron (Ubuntu Development)

    Re: HOWTO: Installing DenyHosts

    Mine started locking me out when I upgraded to Hardy on my server. Don't know why, I checked the logs and didn't see 3 unsuccessful attempts (as I specified). Very disappointing; it has worked great for months now.

  8. #28
    Join Date
    Mar 2007
    Beans
    7

    Re: HOWTO: Installing DenyHosts

    How is denyhosts disabled or removed when no longer needed?

    ty a lot.

    s4s

  9. #29
    Join Date
    May 2006
    Location
    Houston, TX
    Beans
    Hidden!
    Distro
    Kubuntu 10.04 Lucid Lynx

    Re: HOWTO: Installing DenyHosts

    When I tried to use denyhosts on Gutsy, it would give me the following on startup:

    File "/usr/bin/denyhosts.py", line 5, in <module>
    import DenyHosts.python_version
    ImportError: No module named DenyHosts.python_version
    In case anyone else has this issue, I found the fix. Edit the /etc/init.d/denyhosts file.
    Change (or comment out)
    PYTHON_BIN = "/usr/bin/env python"
    to
    PYTHON_BIN = "/usr/bin/python2.4"

  10. #30
    Join Date
    Sep 2006
    Beans
    118

    Re: HOWTO: Installing DenyHosts

    I'm a little confused about allowing hosts. I installed denyhosts on an Ubuntu 6.06.1 server and tested it to make sure my IP would be blocked after the specified threshold. Now, I want to add my IP in the allowed list so that it never gets blocked again.

    Some material I read says to create a file called "allowed-hosts" in WORK_DIR and others say to edit /etc/hosts.allow. I've tried both methods and I still cannot get back in from the IP that was blocked.

    I'm running version 2.6 of DenyHosts.

    What am I doing wrong? Is there a service I need to restart or something? Also, if "allowed-hosts" is the correct file, is the path /etc/allowed-hosts or /usr/share/denyhosts/allowed-hosts or something else?

    Thanks.