Wednesday, April 29, 2009

HowTo: Using DenyHosts to help thwart SSH attacks on FreeBSD

DenyHosts is a script intended to be run by UNIX-like system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

I've used it before on Gentoo Linux and liked it, so today I'll lay out the steps required to install and configure it on FreeBSD:
  1. % su
  2. # cd /usr/ports/security/denyhosts
  3. # make install clean
  4. # echo 'denyhosts_enable="YES"' >> /etc/rc.conf
  5. # echo 'syslogd_flags="-s -c"' >> /etc/rc.conf
  6. # echo "sshd : /etc/hosts.deniedssh : deny" >> /etc/hosts.allow
  7. # echo "sshd : ALL : allow" >> /etc/hosts.allow
  8. # touch /etc/hosts.deniedssh
  9. Edit /usr/local/etc/denyhosts.conf and uncomment the BLOCK_SERVICE = sshd entry.
  10. # /usr/local/etc/rc.d/denyhosts onestart
Steps 1 to 3 deal with the installation procedure.

Steps 4 to 9 handle the configuration: rc.conf is updated so that DenyHosts starts at boot time and can run as a daemon that monitors unauthorized SSH login attempts and registers them in hosts.deniedssh.

Finally, step 10 starts DenyHosts immediately.
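
A check worth running after step 9, as an added example that is not part of the original post: FreeBSD's stock /etc/hosts.allow opens with a catch-all `ALL : ALL : allow` rule and tcp wrappers act on the first matching rule, so the lines appended with `>>` in steps 6 and 7 only take effect if they come before it. The function names below are hypothetical, and the default paths are the ones used in the steps above.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check steps 4 to 9.
# Default paths are the ones used in the post; arguments allow testing on copies.

# Print the first hosts.allow rule whose daemon list names sshd or ALL.
# Simplification: backslash-continued rules and EXCEPT are not handled.
first_sshd_rule() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blanks
        { d = "," $1 ","; gsub(/[ \t]+/, ",", d) }    # normalise the daemon list
        index(d, ",sshd,") || index(d, ",ALL,") { print; exit }
    ' "$1"
}

# Return 0 when the setup is effective; otherwise report each problem, return 1.
check_denyhosts_setup() {
    rc_conf=${1:-/etc/rc.conf}
    hosts_allow=${2:-/etc/hosts.allow}
    dh_conf=${3:-/usr/local/etc/denyhosts.conf}
    deny_file=${4:-/etc/hosts.deniedssh}
    rc=0

    grep -Eq '^[[:space:]]*denyhosts_enable="?YES"?' "$rc_conf" ||
        { echo "rc.conf: denyhosts_enable is not set to YES"; rc=1; }

    grep -Eq '^[[:space:]]*BLOCK_SERVICE[[:space:]]*=[[:space:]]*sshd' "$dh_conf" ||
        { echo "denyhosts.conf: BLOCK_SERVICE = sshd is not active"; rc=1; }

    [ -f "$deny_file" ] || { echo "$deny_file does not exist"; rc=1; }

    # tcp wrappers act on the first matching rule, so the deny rule must be
    # the first rule that applies to sshd.
    first=$(first_sshd_rule "$hosts_allow")
    case $first in
        *"$deny_file"*deny*) ;;
        *) echo "hosts.allow: first sshd rule is '$first'"; rc=1 ;;
    esac
    return $rc
}
```

Source the file and call `check_denyhosts_setup` with no arguments to check the live system; if it reports the catch-all rule, move the two sshd lines above it in /etc/hosts.allow.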

If you wish to learn more about DenyHosts have a look at the project's homepage at http://denyhosts.sourceforge.net.

4 comments:

Anonymous said...

you might also want to edit /usr/local/bin/denyhosts.py and change the first line to #!/usr/local/bin/python instead of #!/usr/loca/bin/python2.5

Anonymous said...

note: I misspelled "local", sorry

tangram said...

Hi there!

I don't see the added value of pointing to python2.5. Actually I see just the opposite: one more customization to remember; for example, if python increments its version one would have to remember to edit denyhosts.py.

Thanks for the input anyways.

tangram said...

And I forgot to mention that /usr/local/bin/python and /usr/local/bin/python2.5 are the same file ;)