How To Set Up DenyHosts to Defend Against Brute-Force Attacks on Ubuntu
Recently I found there were lots of hackers who used the Brute Force SSH Attack Tool to make login attempts on my servers. If I check the SSH log file, /var/log/auth.log, I find too many suspected source IPs to add to a firewall blacklist.
Fortunately, DenyHosts, a tool written in Python, makes my life easier. It automatically parses the SSH logs and adds malicious IPs to a blacklist.
In this tutorial, you will learn how to set up this tool on Ubuntu.
Install DenyHosts
cd Denyhosts
sudo python setup.py install
Copy the daemon file to the /etc/init.d/ directory.
sudo cp /usr/local/bin/daemon-control-dist /etc/init.d/denyhosts
Open the script and change the line below.
sudo vi /etc/init.d/denyhosts
DENYHOSTS_BIN = "/usr/local/bin/denyhosts.py"
Add the IP you want whitelisted to the file below.
sudo vi /etc/hosts.allow
sshd:Your Server IP
Configuration
sudo vi /etc/denyhosts.conf
<pre class="wp-block-code"><code># DENY_THRESHOLD_ROOT: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 3
######################################################################
#
# HOSTNAME_LOOKUP
#
# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
#
HOSTNAME_LOOKUP=YES
# DENY_THRESHOLD_VALID: block each host after the number of failed
# login attempts has exceeded this value. This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 10
ADMIN_EMAIL = Your Email</code></pre>
Stop DenyHosts.
sudo /etc/init.d/denyhosts stop
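To make the two thresholds in the configuration above concrete, here is an added example (not DenyHosts' own code and not from the original post) that counts failed SSH password attempts per source IP in auth.log-style lines and lists the hosts that would be blocked. The log lines, IP addresses, allow-list and the function names `hosts_to_deny` and `sample_log` are constructed for illustration, and the comparison follows the "has exceeded this value" wording of the config comments.

```python
import re
from collections import Counter

# Thresholds copied from the denyhosts.conf excerpt on this page.
DENY_THRESHOLD_ROOT = 3
DENY_THRESHOLD_VALID = 10
# Constructed stand-in for the /etc/hosts.allow entry (documentation address).
ALLOWED = {"198.51.100.10"}

# OpenSSH logs "Failed password for <user> from <ip> port <n>" for existing
# accounts and inserts "invalid user " for unknown ones. Requiring "port <n>"
# right after the address keeps a crafted username from supplying a fake IP.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def hosts_to_deny(log_lines, allowed=ALLOWED):
    """Return hosts.deny-style entries for IPs that exceeded a threshold."""
    root_fails, valid_fails = Counter(), Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if not m or m["invalid"]:
            continue  # unknown accounts are not covered by these two thresholds
        if m["user"] == "root":
            root_fails[m["ip"]] += 1
        else:
            valid_fails[m["ip"]] += 1
    denied = {ip for ip, n in root_fails.items() if n > DENY_THRESHOLD_ROOT}
    denied |= {ip for ip, n in valid_fails.items() if n > DENY_THRESHOLD_VALID}
    return sorted(f"sshd: {ip}" for ip in denied - set(allowed))

def sample_log():
    """Constructed auth.log lines using documentation IP ranges, not real traffic."""
    def line(user, ip, invalid=False):
        who = f"invalid user {user}" if invalid else user
        return (f"Jan 10 03:14:07 web1 sshd[4242]: Failed password for "
                f"{who} from {ip} port 50210 ssh2")
    lines = [line("root", "203.0.113.7")] * 4       # 4 > 3: blocked
    lines += [line("root", "203.0.113.8")] * 3      # 3 does not exceed 3: kept
    lines += [line("deploy", "192.0.2.44")] * 11    # 11 > 10: blocked
    lines += [line("root", "198.51.100.10")] * 6    # allow-listed: kept
    lines += [line("oracle", "192.0.2.99", invalid=True)] * 20  # not counted here
    lines.append("Jan 10 03:15:00 web1 sshd[4243]: Accepted publickey for "
                 "deploy from 198.51.100.10 port 50211 ssh2")
    return lines

if __name__ == "__main__":
    print("\n".join(hosts_to_deny(sample_log())))
```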
After setting up DenyHosts and monitoring the SSH log for a few days, I still found a few malicious IPs making login attempts on my servers. In order to secure my system, it is necessary to change the default SSH port.
The following information details how to do it.
Step 1 As root, edit the sshd configuration file.
vi /etc/ssh/sshd_config
Step 2 Edit the listen port below.
Port 50683
Step 3 Switch over to the new port by restarting SSH.
/etc/init.d/ssh restart
Step 4 Verify SSH is listening on the new port instead of the default port 22.
ssh username@hostname.com -p 50683
If you want to dig deeper, AbuseIPDB allows you to check where your malicious IPs come from.