DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. An email report can be sent to a system admin and you may be alarmed to see how many hackers attempted to gain access to your server.
In this article we will show you how to install and configure DenyHosts on a CentOS server.
– Parses /var/log/secure to find all login attempts and filters failed and successful attempts.
– Synchronization mode (new in 2.0) allows DenyHosts daemons the ability to share data via a centralized server to proactively thwart attacks.
– Can be run from the command line, cron or as a daemon (new in 0.9)
– Records all failed login attempts for the user and offending host
– For each host that exceeds a threshold count, records the evil host
– Keeps track of each non-existent user (e.g. sdadasd) when a login attempt failed.
– Keeps track of each existing user (e.g. root) when a login attempt failed.
– Keeps track of each offending host (with 0.8+ these hosts can be purged if the associated entry in /etc/hosts.deny is expired)
– Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures)
– Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously (until it is rotated).
– When the log file is rotated, the script will detect it and parse from the beginning.
– Appends /etc/hosts.deny and adds the newly banned hosts
– Optionally sends an email of newly banned hosts and suspicious logins.
– Keeps a history of all user, host, user/host combo and suspicious logins encountered which includes the data and number of corresponding failed login attempts.
– Maintains failed valid and invalid user login attempts in separate files, such that it is easy to see which valid user is under attack (which would give you the opportunity to remove the account, change the password or change its default shell to something like /sbin/nologin).
– Upon each run, the script will load the previously saved data and re-use it to append new failures.
– Resolves IP addresses to hostnames, if available (new in v0.6.0).
– /etc/hosts.deny entries can be expired (purge) at a user specified time (new in 0.8)
– FreeBSD support (added in 0.7)
More information about DenyHosts can be found on the official page.
Install and configure DenyHosts on CentOS
First we need to make sure that your server is fully up-to-date by running the following command:
$ yum update -y
With the server up-to-date, we can continue and install DenyHost on CentOS:
$ yum install epel-release -y
$ yum install denyhosts -y
We must first allow our own IP address so that we cannot lock ourselves out: tcp_wrappers consults /etc/hosts.allow before /etc/hosts.deny, so an entry here takes precedence over any ban. We do this by editing the following file:
$ nano /etc/hosts.allow
Add the following line at the very bottom of the file, using your own IP address. In most cases you can use an online lookup service to find your public IP address.
Next we need to block everything by editing the following file:
$ nano /etc/hosts.deny
Add the following line at the very bottom of the file:
sshd: ALL
Then save the file and restart DenyHosts using the following command:
$ /etc/init.d/denyhosts restart
You can further configure DenyHosts by editing the following file and adjusting the settings to your preference:
$ nano /etc/denyhosts.conf
To follow the sshd log and see how many hosts are attempting to gain access to your server, use the following command:
$ tail -f /var/log/secure
If you want to remove a banned IP address from DenyHosts, first stop the daemon with the following command:
$ /etc/init.d/denyhosts stop
Then remove the banned IP address from each of the following files, otherwise DenyHosts will restore the ban from its saved data on the next run:
$ nano /etc/hosts.deny
$ nano /var/lib/denyhosts/hosts
$ nano /var/lib/denyhosts/hosts-restricted
$ nano /var/lib/denyhosts/hosts-root
$ nano /var/lib/denyhosts/hosts-valid
$ nano /var/lib/denyhosts/users-hosts
After removing the banned IP address, start DenyHosts again using the following command:
$ /etc/init.d/denyhosts start
If you want to find a specific IP address, the easiest way is to use the grep command as in the following example, replacing wanted_IP with the address you are looking for:
$ cd /var/lib/denyhosts
$ grep wanted_IP *
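The unban procedure above as an added shell example (not from the original article or from the DenyHosts project): a function that removes one address from /etc/hosts.deny and from the DenyHosts work files, matching it only as a whole token so that 10.0.0.1 does not also strip 10.0.0.11. The file locations are parameters so it can be tried on constructed copies; the daemon still needs to be stopped before and started after, as the article says.

```shell
#!/bin/sh
# Added example, not part of the article or of DenyHosts itself.
# Removes one address from /etc/hosts.deny and the DenyHosts work files.
# Stop the daemon first and start it afterwards (see the article), otherwise
# DenyHosts may write the entry back from its own state.

# denyhosts_unban IP [HOSTS_DENY] [WORK_DIR]
# Prints the number of lines removed; returns 0 only if something was removed.
denyhosts_unban() {
    ip="$1"
    deny_file="${2:-/etc/hosts.deny}"
    work_dir="${3:-/var/lib/denyhosts}"
    # Escape the dots so that 10.0.0.1 does not also match 10.0.0.11
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    # The address appears as "sshd: 1.2.3.4" in hosts.deny, as "1.2.3.4:count:date"
    # in the hosts* files and as "user - 1.2.3.4:count:date" in users-hosts, so it
    # is always bounded by start/end of line, whitespace or a colon.
    re="(^|[[:space:]:])${esc}([[:space:]:]|$)"
    removed=0
    for f in "$deny_file" "$work_dir/hosts" "$work_dir/hosts-restricted" \
             "$work_dir/hosts-root" "$work_dir/hosts-valid" "$work_dir/users-hosts"; do
        [ -f "$f" ] || continue
        n=$(grep -cE "$re" "$f" || true)   # grep -c prints 0 and exits 1 on no match
        [ "$n" -gt 0 ] || continue
        sed -i -E "/$re/d" "$f"            # GNU sed, as on CentOS
        removed=$((removed + n))
    done
    echo "$removed"
    [ "$removed" -gt 0 ]
}

# Constructed sample files in a temporary directory; never touches /etc.
demo() {
    tmp=$(mktemp -d)
    printf 'sshd: ALL\nsshd: 10.0.0.1\n' > "$tmp/hosts.deny"
    printf '10.0.0.1:7:2012-03-04 10:11:12\n10.0.0.11:2:2012-03-05 01:02:03\n' > "$tmp/hosts"
    printf 'root - 10.0.0.1:7:2012-03-04 10:11:12\n' > "$tmp/users-hosts"
    echo "lines removed: $(denyhosts_unban 10.0.0.1 "$tmp/hosts.deny" "$tmp")"
    echo "--- hosts after unban (10.0.0.11 must survive):"; cat "$tmp/hosts"
    rm -rf "$tmp"
}
demo
```

On a real server run it as root with only the IP argument, between `/etc/init.d/denyhosts stop` and `/etc/init.d/denyhosts start`.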
Congratulations! You have just installed DenyHosts on your CentOS Server.