How To Install DenyHosts To Prevent SSH Attacks on Ubuntu
We show you step by step how to install DenyHosts to prevent SSH attacks on Ubuntu Linux.
What is DenyHosts?
DenyHosts is a script that system administrators run to help stop attacks against the SSH server, specifically the attacks known as dictionary-based attacks and brute force attacks.
To get an idea of the number of attacks of this type that we can receive, just look at the /var/log/secure file on RedHat or CentOS 7, or the /var/log/auth.log file on Ubuntu or Debian.
Although these were merely attempts, if anyone did manage to access the system we could be facing a critical security situation.
Install DenyHosts in Ubuntu
To install DenyHosts in Ubuntu 17.10, we will execute the following line:
sudo apt install denyhosts
Add IP to Whitelist in Ubuntu
Remember that the whitelist is a list where you can add allowed elements so that a particular program does not detect them as a threat.
In this case, we must add our IP address, and that of the client computers, so that their access to the server is not blocked. For this, we will edit the file /etc/hosts.allow using the desired editor in the following way:
sudo nano /etc/hosts.allow
There we will add a line with the following syntax:
sshd: (IP1), (IP2), etc.
For example:
sshd: 192.168.0.19, 192.168.0.16
Save the changes using the following key combination Ctrl + O and exit the editor using Ctrl + X.
Configure DenyHosts using /etc/denyhosts.conf
In this case, as we use Ubuntu 17, the default execution mode is Daemon mode, therefore, the configuration file is /etc/denyhosts.conf which we must access to make the respective changes:
sudo nano /etc/denyhosts.conf
In this file we must validate that the following lines have these values:
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
BLOCK_SERVICE = sshd blocks only SSHD connections. The last four values (DENY_THRESHOLD_*) determine the number of logins allowed.
Once these fields have been validated, save the changes.
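To see what these thresholds mean against a real auth.log, the following Python script (an added example, not DenyHosts' own code) counts failed SSH logins per IP and reports the hosts that would go over the limits above. It assumes a host is blocked once its failure count exceeds the threshold and that whitelisted addresses are skipped; the function names and the sample log lines are constructed for illustration, and DENY_THRESHOLD_RESTRICTED is left out.

```python
import re
from collections import Counter

# Thresholds as validated in /etc/denyhosts.conf above.
THRESHOLDS = {"invalid": 5, "valid": 10, "root": 1}

# OpenSSH "Failed password" lines as written to /var/log/auth.log.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def classify(match):
    # Map a failed login to the DENY_THRESHOLD_* class it counts against.
    if match.group("invalid"):
        return "invalid"
    return "root" if match.group("user") == "root" else "valid"

def hosts_to_block(lines, thresholds=THRESHOLDS, allowed=()):
    """Return {ip: class} for hosts whose failures exceed a threshold.

    Assumption: blocking happens once the count exceeds the threshold;
    addresses in `allowed` (the whitelist step above) are never counted.
    """
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m and m.group("ip") not in allowed:
            counts[(m.group("ip"), classify(m))] += 1
    return {ip: kind for (ip, kind), n in sorted(counts.items())
            if n > thresholds[kind]}

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE = (
    ["Mar  1 10:00:%02d srv sshd[1001]: Failed password for invalid user admin "
     "from 203.0.113.5 port 40000 ssh2" % i for i in range(6)]
    + ["Mar  1 10:01:%02d srv sshd[1002]: Failed password for root "
       "from 198.51.100.7 port 40001 ssh2" % i for i in range(2)]
    + ["Mar  1 10:02:%02d srv sshd[1003]: Failed password for alice "
       "from 192.168.0.19 port 40002 ssh2" % i for i in range(12)]
    + ["Mar  1 10:03:00 srv sshd[1004]: Failed password for bob "
       "from 203.0.113.77 port 40003 ssh2"]
)

if __name__ == "__main__":
    for ip, kind in hosts_to_block(SAMPLE, allowed={"192.168.0.19"}).items():
        print("%s exceeds DENY_THRESHOLD_%s" % (ip, kind.upper()))
```

To run it against the live log, pass the lines of /var/log/auth.log (read with sudo) in place of SAMPLE.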
Restart DenyHosts Service
To apply the changes, it will be necessary to restart the service by executing:
sudo systemctl restart denyhosts.service
On Ubuntu systems that are not based on systemd, we will execute the following instead:
sudo /etc/init.d/denyhosts restart
If we want this service to start automatically when Ubuntu 17 boots, we will execute the following:
sudo systemctl enable denyhosts.service
Analyze Events in /var/log/denyhosts
To access the current DenyHosts events we can execute one of the following commands:
sudo grep 'something' /var/log/denyhosts
sudo tail -f /var/log/denyhosts
See the List of Blocked Computers
To visualize the IP addresses that have tried to access via SSH we can execute the following line:
sudo cat /etc/hosts.deny
Something important to keep in mind is that DenyHosts is only compatible with IPv4, not with IPv6.
Another way to see the IP addresses that have been blocked by the DenyHosts application is using IPTables like this:
sudo iptables -L INPUT -n -v
sudo iptables -L INPUT -n -v | more
sudo iptables -L INPUT -n -v | grep DROP
As we have seen, DenyHosts gives us central control over each computer that tries to connect to our system, and in this way it will be possible to carry out a better administrative task.