In association with heise online

DenyHosts

By default the DenyHosts Python script, which is available as an Ubuntu package, checks the /var/log/auth.log syslog file every 30 seconds for suspicious-looking SSH login attempts (DAEMON_SLEEP = 30s) and adds any dodgy IP addresses it finds to the /etc/hosts.deny file. The number of failed login attempts required before an IP address is added to the file is set in /etc/denyhosts.conf. This file allows users to set separate thresholds for failed logins with non-existent user names (DENY_THRESHOLD_INVALID) and for logins with a valid user name but the wrong password (DENY_THRESHOLD_VALID). This allows the script to react more quickly to an attacker trying out user names (legitimate users rarely enter the wrong user name) than to a user entering the wrong password.

Users can add results from other people's systems to the list of blocked IP addresses determined from auth.log. This cloud service, which has long been a DenyHosts feature, is based on a central record of data gathered by other DenyHosts clients (SYNC_DOWNLOAD = yes). Users may also, if they wish, forward data collected on their own systems to the DenyHosts server (SYNC_UPLOAD = yes). In tests, the server transferred 50 IP addresses after each (user-specified) 15 minute interval for the client to add to /etc/hosts.deny.

The current version 2.6 is quick to install using sudo apt-get install denyhosts. DenyHosts runs straight away as a daemon in the background and starts automatically whenever the system is restarted. Users can safely stick with the default configuration – the only change we made was to reduce the number of failed login attempts permitted for valid accounts to 4. DenyHosts is not limited to SSH; in principle it can also protect other services which require a login or authentication, such as FTP, Telnet and SMTP. In this case the service must either be started via (x)inetd or be linked against libwrap.

With the default settings, the hosts.deny file will grow continuously, which is of course highly undesirable, particularly where the cloud service is being used. DenyHosts can, however, be configured so that IP addresses which find their way into the list are deleted after a set interval and can once more attempt to establish a connection. The option PURGE_DENY = 1d, for example, sets this interval to one day. The option DAEMON_PURGE = 1d causes DenyHosts to purge the list automatically once a day. Alternatively, DenyHosts can be stopped and all existing entries purged manually using sudo denyhosts --purge. Just don't forget to restart DenyHosts afterwards.
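As an added example (not DenyHosts' own code), the following Python sketch models the two mechanisms described above: separate failure counts per IP for invalid-user and valid-user attempts checked against DENY_THRESHOLD_INVALID / DENY_THRESHOLD_VALID, emission of hosts.deny lines in tcp_wrappers "daemon: client" syntax, and expiry of entries after a PURGE_DENY interval such as 1d. The auth.log lines are constructed, and the regex and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in /var/log/auth.log syslog format (documentation IPs, not real hosts).
SAMPLE_AUTH_LOG = """\
Jul  1 10:00:01 box sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jul  1 10:00:03 box sshd[1235]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Jul  1 10:00:05 box sshd[1236]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jul  1 10:00:07 box sshd[1237]: Failed password for alice from 198.51.100.7 port 50002 ssh2
Jul  1 10:00:09 box sshd[1238]: Failed password for alice from 198.51.100.7 port 50003 ssh2
Jul  1 10:00:11 box sshd[1239]: Accepted password for alice from 198.51.100.7 port 50004 ssh2
Jul  1 10:00:13 box sshd[1240]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2
"""

# "invalid user" only appears when the account does not exist (assumed OpenSSH log wording).
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port")

def count_failures(log_text):
    """Return {ip: {"invalid": n, "valid": m}} from sshd 'Failed password' lines."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            kind = "invalid" if m.group(1) else "valid"
            counts[m.group(3)][kind] += 1
    return counts

def hosts_to_deny(log_text, deny_threshold_invalid=2, deny_threshold_valid=4):
    """IPs that reached either threshold (defaults mirror the article's stricter valid-user setting of 4)."""
    counts = count_failures(log_text)
    return sorted(ip for ip, c in counts.items()
                  if c["invalid"] >= deny_threshold_invalid or c["valid"] >= deny_threshold_valid)

def hosts_deny_lines(ips, service="sshd"):
    """Render entries in the /etc/hosts.deny 'daemon: client' form that libwrap reads."""
    return [f"{service}: {ip}" for ip in ips]

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_interval(spec):
    """Parse a DenyHosts-style interval such as '1d' or '30s' into seconds."""
    return int(spec[:-1]) * UNITS[spec[-1]]

def purge_expired(deny_times, now, purge_deny="1d"):
    """Drop entries older than PURGE_DENY; deny_times maps ip -> epoch seconds when it was added."""
    ttl = parse_interval(purge_deny)
    return {ip: t for ip, t in deny_times.items() if now - t < ttl}

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_AUTH_LOG))))
```

With the defaults, only 203.0.113.5 (two invalid-user failures) is denied; alice's three wrong passwords from 198.51.100.7 stay below the valid-user threshold of 4.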

Users wanting to try out DenyHosts on older (Ubuntu) systems should be aware that the /etc/hosts.allow and /etc/hosts.deny files are not always present on the system by default, which can cause errors when DenyHosts is run. It is simple enough to create them (with root privileges): touch /etc/hosts.deny.


Permalink: http://h-online.com/-746235