Difference between revisions of "Denyhosts"
Latest revision as of 16:08, 15 January 2015
denyhosts is a useful program to stop the constant stream of failed SSH logins on a server if you don't want to (or can't) block SSH via iptables rules, or by changing the port sshd listens on.
Install the EPEL repository. On CentOS 6, this is simple to do because the epel-release package is included in the centos-extras repository.
# yum install -y --enablerepo=extras epel-release
# yum install -y --enablerepo=epel denyhosts
Make a backup of the original denyhosts config. It contains plenty of options, each with its own documentation, so you may want to refer back to it.
# mv /etc/denyhosts.conf /etc/denyhosts.conf.orig
Create a new denyhosts config file.
# cat > /etc/denyhosts.conf <<EOF
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.evil
PURGE_DENY = 4w
PURGE_THRESHOLD = 2
BLOCK_SERVICE =
DENY_THRESHOLD_INVALID = 2
DENY_THRESHOLD_VALID = 4
DENY_THRESHOLD_ROOT = 2
DENY_THRESHOLD_RESTRICTED = 2
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <root@\$[HOSTNAME]>
SMTP_SUBJECT = DenyHosts Report from \$[HOSTNAME]
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
EOF
Create an empty hosts.evil file ready for hosts.deny to access.
# touch /etc/hosts.evil
# echo "sshd:/etc/hosts.evil" >> /etc/hosts.deny
Set it to start automatically on boot.
# chkconfig denyhosts on
Start the service immediately. This command may take a while to run because it parses the whole current log file looking for earlier failed SSH attempts.
# service denyhosts start
The above config will send an email every time an IP is blocked and assumes that mail to root@localhost will be delivered to you. If that email doesn't arrive, or you wish to receive it at another address, edit the ADMIN_EMAIL line. If you don't want an email every time an IP is blocked, set ADMIN_EMAIL to an empty value (nothing after the = in the config file).
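To see what the DENY_THRESHOLD_* values and RESET_ON_SUCCESS in the config above actually do, here is an added example (not denyhosts' own code, and a simplified model of its log handling) that replays constructed /var/log/secure lines and reports which hosts would cross a threshold; the counters, categories and sample addresses are assumptions built from the config, not taken from the wiki page.

```python
import re
from collections import defaultdict

# Thresholds and reset behaviour taken from the denyhosts.conf above
THRESHOLDS = {"invalid": 2, "valid": 4, "root": 2}
RESET_ON_SUCCESS = True

# Constructed sample lines in /var/log/secure format (not real traffic)
SAMPLE_LOG = """\
Jan 15 16:01:02 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 15 16:01:05 web1 sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Jan 15 16:02:10 web1 sshd[1240]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jan 15 16:02:12 web1 sshd[1241]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jan 15 16:03:00 web1 sshd[1250]: Failed password for alice from 198.51.100.7 port 33001 ssh2
Jan 15 16:03:02 web1 sshd[1251]: Failed password for alice from 198.51.100.7 port 33002 ssh2
Jan 15 16:03:04 web1 sshd[1252]: Failed password for alice from 198.51.100.7 port 33003 ssh2
Jan 15 16:03:10 web1 sshd[1253]: Accepted password for alice from 198.51.100.7 port 33004 ssh2
""".splitlines()

FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \S+ for \S+ from (\S+) port")

def classify(invalid_flag, user):
    """Map a failure to the DENY_THRESHOLD_* category denyhosts would count it under."""
    if invalid_flag:
        return "invalid"
    return "root" if user == "root" else "valid"

def evaluate(lines):
    """Return (blocked_hosts, per_host_counts) after replaying the log in order."""
    counts = defaultdict(lambda: defaultdict(int))
    blocked = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            category, host = classify(m.group(1), m.group(2)), m.group(3)
            counts[host][category] += 1
            if counts[host][category] >= THRESHOLDS[category] and host not in blocked:
                blocked.append(host)
            continue
        m = ACCEPTED.search(line)
        if m and RESET_ON_SUCCESS:
            counts[m.group(1)].clear()  # RESET_ON_SUCCESS = yes wipes this host's tally
    return blocked, {h: dict(c) for h, c in counts.items()}

def hosts_evil_lines(blocked):
    # BLOCK_SERVICE is empty in the config, so hosts.evil holds bare addresses;
    # the "sshd:/etc/hosts.evil" entry in hosts.deny treats them as client patterns.
    return [f"{h}\n" for h in blocked]
```

Run `evaluate(SAMPLE_LOG)`: the two invalid-user failures and the two root failures each hit their threshold of 2, while alice's three failures stay under the valid-user threshold of 4 and are wiped by her successful login.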