Ubuntu 18.10: install DenyHosts to stop exposed servers from being brute-forced over SSH

Today a friend suddenly thought to check whether his server was being brute-forced over SSH, but he didn't know how to tell. A look on GitHub showed plenty of people with the same problem, and an expert has already written a tool for it, so we can just use it directly.

Originally I was going to disable password login and then change the port. Then I thought: disabling password login is really inconvenient, and a changed port can be found by a scan anyway. Better to be a bit tougher and just blacklist the attackers directly.

1. About DenyHosts:

DenyHosts is a program written in Python 2 that runs on Linux to prevent SSH brute-force attacks. It analyses the sshd log file (/var/log/auth.log); when repeated attacks are found, the attacking IP is recorded in /etc/hosts.deny and added to the system firewall's blacklist.

  • DenyHosts website: http://denyhosts.sourceforge.net/

Important tips!!!

Before using this software it is better to clear the existing system log, because on its first start the software scans the existing log files. If it finds an IP whose number of failed logins in the old log already exceeds your allowed threshold, that IP is blocked immediately, even though the failures happened in the past.

So it is recommended to clean up the old log first, and to restart the system log service after cleaning it!!

$ sudo sh -c 'cat /dev/null > /var/log/auth.log'   # The redirection must also run as root; a bare "sudo cat /dev/null > file" fails with permission denied because the shell, not cat, opens the file
$ sudo service rsyslog restart    # Restart the log service so it reopens the truncated file; if auth.log is no longer being written, DenyHosts has nothing to scan and is useless

2. DenyHosts installation

Taking Ubuntu as the example:

  $ sudo apt-get update      # Update the Ubuntu package lists
  $ sudo apt-get install denyhosts   # Answer "Y" when asked to install DenyHosts
  $ tail -f /var/log/auth.log  # Watch the system login log; this is the file DenyHosts scans

After installation the program starts automatically. To check that it is running:

$ sudo ps -ef | grep denyhosts

# Output: at least two lines; the last one is the grep process itself
root      8680     1  0 13:38 ?         00:00:00 python /usr/sbin/denyhosts --daemon --purge --config=/etc/denyhosts.conf
yourname  15322 14556  0 22:19 pts/0    00:00:00 grep --color=auto denyhosts

Today, as soon as I installed the program it scanned my log files and found more than 300 people trying to log in to my server. Oh my God,
is there some treasure on my server?

Directories:

/var/lib/denyhosts/ # The program's working directory; all of its records are kept here
/etc/hosts.deny # Blacklisted IPs

The configuration file (/etc/denyhosts.conf) explained

SECURE_LOG = /var/log/auth.log   # sshd log file to scan
HOSTS_DENY = /etc/hosts.deny    # Blocked IPs are written to hosts.deny
PURGE_DENY =     # Lift blocks older than this; empty means never lift them. Units: w = week, d = day, h = hour, m = minute, s = second
BLOCK_SERVICE = sshd   # Service name written to hosts.deny
DENY_THRESHOLD_INVALID = 5  # Login failures allowed for invalid users (not listed in /etc/passwd)
DENY_THRESHOLD_VALID = 5  #  Login failures allowed for ordinary (existing) users
DENY_THRESHOLD_ROOT = 5  #  Login failures allowed for root
DENY_THRESHOLD_RESTRICTED = 1  #  Login failures allowed for users listed in WORK_DIR/restricted-usernames
WORK_DIR = /var/lib/denyhosts/   # Working directory where blocked hosts and per-IP failure counters are recorded
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = YES  # Also report suspicious logins that come from whitelisted (allowed-hosts) addresses
HOSTNAME_LOOKUP=no  # Whether to reverse-resolve the hostnames of blocked IPs
LOCK_FILE = /run/denyhosts.pid  # The daemon's PID is recorded in the lock file so that it starts correctly and two copies cannot run at the same time
IPTABLES = /sbin/iptables  # Firewall binary; blocked IPs are also dropped with an iptables rule
ADMIN_EMAIL = youremailaddress@domain.com  # Addresses that receive notification mail; separate multiple addresses with commas
SMTP_HOST = localhost  # SMTP server address
SMTP_PORT = 25  # SMTP port
SMTP_USERNAME = senderemailaddress@domain.com  # Account used to log in to the SMTP server (the sender's address)
SMTP_PASSWORD= password   # With a third-party mail provider this is usually an authorization code, not the mailbox password
SMTP_FROM = DenyHosts <senderemailaddress@domain.com>  # Sender shown in the mail
SMTP_SUBJECT = DenyHosts Report  # Mail subject
AGE_RESET_VALID=1d  # Time after which a valid user's failure count resets to zero
AGE_RESET_ROOT=1d  # Time after which root's failure count resets to zero
AGE_RESET_RESTRICTED=5d  # Time after which a restricted user's failure count resets to zero
AGE_RESET_INVALID=10d  # Time after which an invalid user's failure count resets to zero
DAEMON_LOG = /var/log/denyhosts  # DenyHosts' own log file
DAEMON_SLEEP = 30s  # How often the daemon re-reads SECURE_LOG
DAEMON_PURGE = 5m  # How often the daemon purges hosts.deny entries that are older than PURGE_DENY
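The "Important tips" section above warns that DenyHosts scans the existing auth.log on first start and blocks any IP that is already over a DENY_THRESHOLD_* value. The following script is an added example (not code from the original post or from DenyHosts) that performs that count yourself before enabling the daemon: it tallies sshd "Failed password" lines per source IP, sorted into the same root / valid / invalid categories the thresholds use, and lists the IPs that would be blocked immediately. The log lines are constructed sample input; on a real host you would feed it /var/log/auth.log.

```shell
#!/bin/sh
# Added example (not from the original post): count sshd password failures per source IP
# in an auth.log and show which IPs already exceed the DENY_THRESHOLD_* values.

# Constructed sample auth.log lines (sshd's standard "Failed password" format).
SAMPLE_LOG='Feb 15 00:10:01 host sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Feb 15 00:10:03 host sshd[1201]: Failed password for root from 203.0.113.10 port 51235 ssh2
Feb 15 00:10:05 host sshd[1202]: Failed password for root from 203.0.113.10 port 51236 ssh2
Feb 15 00:10:07 host sshd[1202]: Failed password for root from 203.0.113.10 port 51237 ssh2
Feb 15 00:10:09 host sshd[1203]: Failed password for root from 203.0.113.10 port 51238 ssh2
Feb 15 00:11:00 host sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Feb 15 00:11:02 host sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Feb 15 00:11:04 host sshd[1211]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Feb 15 00:12:00 host sshd[1220]: Failed password for alice from 192.0.2.5 port 40003 ssh2
Feb 15 00:12:30 host sshd[1221]: Accepted password for alice from 192.0.2.5 port 40004 ssh2'

# stdin: auth.log text. Output: "<category> <ip> <failures>", one line per IP and category,
# where category is root, valid (user exists) or invalid (user does not exist), mirroring
# the three DENY_THRESHOLD_* counters. Successful logins are not counted.
count_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ($0 ~ / for invalid user /)     cat = "invalid"
            else if ($0 ~ / for root from /)   cat = "root"
            else                               cat = "valid"
            n[cat " " ip]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# $1 = DENY_THRESHOLD_INVALID, $2 = DENY_THRESHOLD_VALID, $3 = DENY_THRESHOLD_ROOT.
# stdin: auth.log text. Prints the count_failures lines whose count meets its threshold,
# i.e. the IPs DenyHosts would block as soon as it scans this log.
would_block() {
    count_failures | awk -v ti="$1" -v tv="$2" -v tr="$3" '
        $1 == "invalid" && $3 + 0 >= ti + 0 { print }
        $1 == "valid"   && $3 + 0 >= tv + 0 { print }
        $1 == "root"    && $3 + 0 >= tr + 0 { print }'
}

# With the thresholds from the config above (5/5/5) only the root brute-forcer is over the line.
printf '%s\n' "$SAMPLE_LOG" | would_block 5 5 5
# On a real host: sudo cat /var/log/auth.log | would_block 5 5 5
```

If your own address shows up in this output, either clear the log as the tips above describe or put the address in allowed-hosts before starting the daemon.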

Related commands

$ sudo service denyhosts start  
$ sudo service denyhosts stop
$ sudo service denyhosts restart
$ sudo service denyhosts status   # If the startup fails, you can view the error information
$ sudo dpkg -l|grep denyhosts   # Check whether DenyHosts is installed
$ sudo apt-get purge denyhosts  # Uninstall DenyHosts (the package name is denyhosts, with an s)

What should I do if I block my own IP by mistake? Right after installing, I blocked my own IP while testing it, and it took me a long time to sort out.

After blocking myself by mistake I couldn't get the IP out of hosts.deny. Later I found that the official website had an explanation.

But then the problem came: I followed that method and it still didn't work. Later I uninstalled the software outright and rebooted the server, and my IP was still blocked, so there was no need to think further: it had to be a system-level (firewall) ban. And indeed, running

$ sudo iptables -L  # List all firewall rules on this machine

there was my own IP.

Because there is no official command to unblock a banned IP, I wrote a one-click removal script for you here.

#!/bin/bash
# Remove an IP that DenyHosts has blocked. Run as root (or with sudo).
IP=$1
if [ -n "$IP" ]; then
    if [[ $IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        # Escape the dots and anchor on word boundaries so sed deletes only this exact
        # address (an unescaped "1.2.3.4" would also match "11.2.3.45")
        PATTERN="\\b$(printf '%s' "$IP" | sed 's/\./\\./g')\\b"
        service denyhosts stop
        sed -i "/$PATTERN/d" /etc/hosts.deny
        sed -i "/$PATTERN/d" /var/lib/denyhosts/hosts-valid
        sed -i "/$PATTERN/d" /var/lib/denyhosts/users-hosts
        sed -i "/$PATTERN/d" /var/lib/denyhosts/hosts
        sed -i "/$PATTERN/d" /var/lib/denyhosts/hosts-root
        sed -i "/$PATTERN/d" /var/lib/denyhosts/hosts-restricted
        # DenyHosts adds the firewall block as "iptables -I INPUT -s IP -j DROP"; delete that rule
        iptables -D INPUT -s "$IP" -j DROP
        echo "$IP removed from DenyHosts"
        service denyhosts start
    else
        echo "This is not an IP"
    fi
else
    echo "IP is empty"
fi

Create a new file with a .sh suffix, paste the script above into it, and make it executable:
$ sudo chmod +x name.sh

Unblock an IP:
$ sudo ./name.sh 127.0.0.1
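The story above (the IP stayed blocked after DenyHosts was uninstalled because the iptables rule was still there) suggests a check worth running after any unblock or uninstall: compare the IPs in /etc/hosts.deny with the DROP rules in the INPUT chain. The script below is an added example, not code from the post or from DenyHosts. It assumes hosts.deny entries in the "sshd: <ip>" form that BLOCK_SERVICE = sshd produces and firewall text in the shape of `iptables -S INPUT`; both sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find IPs that are dropped by iptables but no
# longer listed in /etc/hosts.deny (orphaned rules), and IPs listed in hosts.deny that have
# no firewall rule.

# Constructed sample inputs.
SAMPLE_HOSTS_DENY='# /etc/hosts.deny
# DenyHosts: Sat Feb 15 00:20:00 2020 | sshd: 203.0.113.10
sshd: 203.0.113.10
sshd: 198.51.100.7'
SAMPLE_IPTABLES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.10/32 -j DROP
-A INPUT -s 192.0.2.99/32 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT'

# stdin: hosts.deny text. Prints the blocked IPs ("<service>: <ip>" lines), sorted, one per line.
deny_ips() {
    awk -F'[: ]+' '!/^#/ && NF >= 2 { print $2 }' | sort -u
}

# stdin: `iptables -S INPUT` text. Prints the source IPs of DROP rules, sorted, without /32.
fw_drop_ips() {
    awk '$1 == "-A" && $2 == "INPUT" && / -j DROP/ {
            for (i = 1; i <= NF; i++) if ($i == "-s") { sub("/32$", "", $(i + 1)); print $(i + 1) }
        }' | sort -u
}

# $1 = comm flags, $2 = hosts.deny text, $3 = iptables -S INPUT text.
# Writes both IP lists to temp files and lets comm report the difference.
compare_lists() {
    d=$(mktemp); f=$(mktemp)
    printf '%s\n' "$2" | deny_ips > "$d"
    printf '%s\n' "$3" | fw_drop_ips > "$f"
    comm "$1" "$d" "$f"
    rm -f "$d" "$f"
}

# IPs dropped by the firewall but absent from hosts.deny (what the post ran into after uninstalling).
firewall_orphans()  { compare_lists -13 "$1" "$2"; }
# IPs in hosts.deny with no DROP rule (blocked by TCP wrappers only).
missing_fw_rules()  { compare_lists -23 "$1" "$2"; }

echo "blocked by iptables only:"; firewall_orphans "$SAMPLE_HOSTS_DENY" "$SAMPLE_IPTABLES"
echo "in hosts.deny only:";       missing_fw_rules "$SAMPLE_HOSTS_DENY" "$SAMPLE_IPTABLES"
# On a real host: firewall_orphans "$(cat /etc/hosts.deny)" "$(sudo iptables -S INPUT)"
```

An address reported under "blocked by iptables only" is exactly the case the removal script handles with its `iptables -D INPUT -s IP -j DROP` line; note that iptables rules do not survive a reboot unless something saves them, so a rule that persists across reboots means a persistence mechanism is restoring it.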

Adding whitelist IPs (as described on the official website)

Command:

$ sudo vim /var/lib/denyhosts/allowed-hosts  
# Then write your whitelisted IPs into it, one per line; the last character may be the wildcard *
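Since the post's author locked himself out, it is worth checking that your own address is actually covered by allowed-hosts before the daemon starts. The function below is an added example (not from the post or from DenyHosts) that tests an IP against allowed-hosts entries, supporting exact matches and the trailing-* wildcard the note above mentions; the whitelist contents are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): check whether an IP matches an entry in
# /var/lib/denyhosts/allowed-hosts, honouring the trailing-* wildcard.

# Constructed sample allowed-hosts contents.
SAMPLE_ALLOWED='# office and home addresses
192.0.2.5
10.0.0.*'

# $1 = IP to test; stdin = allowed-hosts text. Exit status 0 if some entry matches.
is_allowed() {
    awk -v ip="$1" '
        /^ *#/ || NF == 0 { next }                    # skip comments and blank lines
        $1 == ip { found = 1; exit }                  # exact match
        substr($1, length($1)) == "*" &&
            index(ip, substr($1, 1, length($1) - 1)) == 1 { found = 1; exit }   # "10.0.0.*" style prefix
        END { exit found ? 0 : 1 }'
}

for candidate in 192.0.2.5 10.0.0.7 10.0.1.7; do
    if printf '%s\n' "$SAMPLE_ALLOWED" | is_allowed "$candidate"; then
        echo "$candidate: whitelisted"
    else
        echo "$candidate: NOT whitelisted"
    fi
done
# When logged in over SSH: is_allowed "${SSH_CLIENT%% *}" < /var/lib/denyhosts/allowed-hosts
```

The `${SSH_CLIENT%% *}` expansion is the client address sshd records for the current session, which is the address you most need to keep off the blacklist.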

Now look at my inbox:

I've looked at the IPs: there are both foreign and domestic ones...

OK, that's the end of the tutorial. If you have any questions, leave a message.


Tags: sudo iptables ssh firewall

Posted on Sat, 15 Feb 2020 00:19:18 -0800 by katlis