Protect your server with DenyHosts
Written by Guillermo Garron
Date: 2007-01-29 10:36:30 00:00
Whenever you need to left open the port 22 for ssh you machine from every where,but want to prevent Dictionary attacks, you can use DenyHosts to stay protected First thing you need as DenyHost runs as a python script, is to be sure you python installed. On Ubuntu or debian
apt-get install python wget
then get DenyHosts itself from its page. here, or if using Debian or Ubuntu you can just enter:
apt-get install denyhosts
and go directly to edit the configuration file, if you want to have it from the source, follow to the next step.
tar xvzf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
Now, you should configure to fit your needs, first copy the conf file example
cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg
Now edit the denyhosts.cfg
vi /usr/share/denyhosts/denyhosts.cfg
and make sure you have this two options how your distro of Linux needs
SECURE_LOG = /var/log/auth.log
LOCK_FILE = /var/run/denyhosts.pid
The above example is for Debian / Ubuntu, etc. Here you have how should be for some of other Linux distributions
# Redhat or Fedora Core:
#SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD:
#SECURE_LOG = /var/log/auth.log
#
# SuSE:
#SECURE_LOG = /var/log/messages
Now make it possible for DenyHosts to run as a daemon
cd /usr/share/denyhosts cp daemon-control-dist daemon-control vi daemon-control
Make sure this is like your distro needs
###############################################
#### Edit these to suit your configuration ####
###############################################
DENYHOSTS_BIN = "/usr/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
PYTHON_BIN = "/usr/bin/env python"
for Ubuntu / Debian you should change the
###############################################
#### Edit these to suit your configuration ####
###############################################
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts.pid"
Make sure the root owns the daemon-control file, and the permissions are 700 so
chown root:root daemon-control
chmod 700 daemon-control
Now let's create the link for the daemon-control script
cd /etc/init.d ln -s /usr/share/denyhosts/daemon-control denyhosts update-rc.d denyhosts defaults /etc/init.d/denyhosts start
In RedHat Distributions you should do.
cd /etc/init.d ln -s /usr/share/denyhosts/daemon-control denyhosts chkconfig --add denyhosts && chkconfig denyhosts on service denyhosts start