denyhosts

Install Denyhosts on your server or desktop system to help further prevent unwanted attacks on, or access to, your systems.

# yum install denyhosts

# vi /etc/denyhosts.conf

HOSTS_DENY = /etc/hosts.deny
Defines the active ban list.

PURGE_DENY = 6y
I figure the average hardware lifecycle of servers is 2 years or less, so 6 years should be plenty if I want an IP permanently banned.

PURGE_THRESHOLD = 1
This step ensures a repeat offender is permanently banned and kept in /etc/hosts.deny.

BLOCK_SERVICE = ALL
I’ve set this to “ALL” because if any user is attempting malicious entry to the system, I want all potential avenues of damage cut off instantly. Bans can easily be lifted; a compromised system could rob you of a lifetime of work and effort.

DENY_THRESHOLD_INVALID = 1
I’ve set this value to 1 attempt for a user without an account on the system attempting to log in; they obviously have no business even trying to log in, so they should be blocked immediately.

DENY_THRESHOLD_VALID = 3
I’ve set known-user login attempts to 3 for increased security in a login/password scenario. For added security you can restrict access to only those users with the proper ssh id_dsa or id_rsa keys (see fedorasolved.org for more info on setting this up).

DENY_THRESHOLD_ROOT = 1
Since I’ve set my sshd_config to refuse root logins, I want this set to only 1 attempt at root login before the offending IP is banned, since no one should be logging in as root.

DENY_THRESHOLD_RESTRICTED = 1
This refers to /var/lib/denyhosts/hosts-restricted; I don’t want these people logging in at all, so I set the failed threshold to 1 attempt before banning the IP.

WORK_DIR = /var/lib/denyhosts
This defines the working directory for Denyhosts.

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
This (YES) setting monitors all IPs (even allowed IPs) for suspicious connections or attempts and logs/reports this activity for investigation.

HOSTNAME_LOOKUP=YES
This setting allows for hostname lookup on all IPs reported by denyhosts.

ADMIN_EMAIL = sathisha@sathish.com
Put the email address here that you want mailed when new IP entries are added.

ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES
This refers to the /var/lib/denyhosts/allowed-hosts file and adds a hostname lookup to the log entry.

AGE_RESET_VALID=5m
This resets the failed login count to 0 for valid users on the system after they have been locked out or used any of the 3 attempts given in the “DENY_THRESHOLD_VALID” variable above. Currently this is set to reset to 0 after 5 minutes of inactivity (i.e. no further attempts to log into the system).

AGE_RESET_ROOT=6y
This is essentially another step to make *sure* a specific banned IP *stays* banned.

AGE_RESET_RESTRICTED=25d
This refers to login attempts made by the IPs listed in the /var/lib/denyhosts/hosts-restricted file. It lets us specify a time period after which the failed-attempt count governed by DENY_THRESHOLD_RESTRICTED is reset to 0.

AGE_RESET_INVALID=10d
Same as AGE_RESET_RESTRICTED above, but for the variable DENY_THRESHOLD_INVALID, which covers login attempts by usernames that do not exist on the system.

RESET_ON_SUCCESS = yes
This basically tells Denyhosts that if a valid user on the system accidentally fails to log in twice but then succeeds on the third attempt, his failed-login count should immediately be reset to 0 (even admins forget their login).

# service denyhosts start
# chkconfig denyhosts on
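As an added illustration (not part of the original post and not denyhosts' own code), the following Python simulation applies the thresholds and reset windows chosen above to a constructed set of sshd log lines and shows which entries would end up in /etc/hosts.deny. The IPs, user names and timestamps are made up, and the log matching is simplified compared with the real denyhosts parser.

```python
import re
# Thresholds and reset windows as chosen in this post (windows in seconds).
DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID, DENY_THRESHOLD_ROOT = 1, 3, 1
AGE_RESET_VALID, AGE_RESET_INVALID = 5 * 60, 10 * 24 * 3600   # 5m, 10d
AGE_RESET_ROOT = 6 * 365 * 24 * 3600                           # 6y (approx.)
RESET_ON_SUCCESS, BLOCK_SERVICE = True, "ALL"

# Simplified sshd message patterns (the real denyhosts parser handles more forms).
FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
def simulate(lines):
    """Return hosts.deny entries for (epoch_seconds, message) pairs, in ban order."""
    counts, last, banned = {}, {}, []   # per (ip, category): failures, last failure time
    for ts, msg in lines:
        m = ACCEPTED.search(msg)
        if m:
            if RESET_ON_SUCCESS:  # a successful login clears that IP's valid-user failures
                counts[(m.group(2), "valid")] = 0
            continue
        m = FAILED.search(msg)
        if not m:
            continue
        is_invalid, user, ip = m.groups()
        if user == "root":
            cat, thr, age = "root", DENY_THRESHOLD_ROOT, AGE_RESET_ROOT
        elif is_invalid:
            cat, thr, age = "invalid", DENY_THRESHOLD_INVALID, AGE_RESET_INVALID
        else:
            cat, thr, age = "valid", DENY_THRESHOLD_VALID, AGE_RESET_VALID
        key = (ip, cat)
        if key in last and ts - last[key] > age:  # AGE_RESET_*: stale failures expire
            counts[key] = 0
        last[key] = ts
        counts[key] = counts.get(key, 0) + 1
        if counts[key] >= thr and ip not in banned:
            banned.append(ip)   # with BLOCK_SERVICE=ALL every service is refused
    return [f"{BLOCK_SERVICE}: {ip}" for ip in banned]

# Constructed sample log (not real traffic); timestamps are seconds.
SAMPLE = [
    (1000, "sshd[11]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2"),
    (1010, "sshd[12]: Failed password for alice from 198.51.100.7 port 4002 ssh2"),
    (1020, "sshd[13]: Failed password for alice from 198.51.100.7 port 4003 ssh2"),
    (1030, "sshd[14]: Accepted publickey for alice from 198.51.100.7 port 4004 ssh2"),
    (1040, "sshd[15]: Failed password for alice from 198.51.100.7 port 4005 ssh2"),
    (2000, "sshd[16]: Failed password for bob from 192.0.2.9 port 4006 ssh2"),
    (2500, "sshd[17]: Failed password for bob from 192.0.2.9 port 4007 ssh2"),
    (3000, "sshd[18]: Failed password for root from 192.0.2.9 port 4008 ssh2"),
]
```

Running `simulate(SAMPLE)` bans the unknown user's IP on its first failure and the root attempt immediately, while alice's failures are cleared by her successful login and bob's first failure has aged out of the 5-minute window before his second.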
