Set up DenyHosts with Email Notifications on Debian

DenyHosts is a Python script that watches a server's SSH authentication log (/var/log/auth.log on Debian) to stop brute-force attacks. When a client exceeds a configured number of failed logins, DenyHosts adds an entry for it to /etc/hosts.deny, which sshd honours through tcp_wrappers (libwrap), so further connections from that client are refused.

Software

Software used in this article:

  1. Debian Wheezy
  2. DenyHosts 2.6-10
  3. Stunnel 4.53

Installation

Install DenyHosts:

# apt-get update && apt-get install denyhosts

At the time of writing, the latest DenyHosts release, v2.6, does not support TLS/SSL for SMTP authentication, so it can only submit mail in the clear; TLS/SSL support is expected in v2.7.

To log in to our mail server without sending the SMTP credentials in cleartext, we are going to use Stunnel, a program that works as an SSL/TLS wrapper: DenyHosts speaks plain SMTP to a port on the local machine, and Stunnel forwards that connection to the mail server inside a TLS session.

# apt-get install stunnel4

Stunnel Configuration

Create /etc/stunnel/stunnel.conf with a client section for SMTPS (SMTP over TLS on port 465). Two caveats about the minimal configuration below: `accept = 25` with no address listens on every interface (the netstat output further down shows 0.0.0.0:25), so anyone who can reach the box gets a plaintext path into your mail server; `accept = 127.0.0.1:25` keeps the listener local. Also, Stunnel 4 does not verify the server's certificate unless you set `verify = 2` together with `CAfile` (or `CApath`), and without that a man-in-the-middle between the server and mail.example.com can read the SMTP password DenyHosts sends through the tunnel. Finally, if a local MTA such as exim4 already listens on port 25, Stunnel will fail to bind; pick another local port and set SMTP_PORT in denyhosts.conf to match.

# cat > /etc/stunnel/stunnel.conf <<EOF
[ssmtp]
client = yes
accept = 25
connect = mail.example.com:465
EOF

Open /etc/default/stunnel4 and change the ENABLED value from 0 to 1 so the tunnels start automatically on system boot. The file should then look something like this:

# cat /etc/default/stunnel4
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
PPP_RESTART=0

Restart stunnel daemon:

# /etc/init.d/stunnel4 restart

Check with netstat if stunnel is listening on port 25:

# netstat -nltp | grep :25
tcp  0   0 0.0.0.0:25   0.0.0.0:*   LISTEN   24687/stunnel4
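Because the tunnel is what protects the SMTP password, it is worth checking the stunnel.conf you end up with for the two settings that matter: a loopback-only listener and server certificate verification. The following Python script is an added example and not part of the original setup or of Stunnel itself; it parses a client section and reports those two weaknesses. The two configurations embedded in it are constructed: the first is the minimal one from the step above, the second a hardened version assuming the Debian CA bundle at /etc/ssl/certs/ca-certificates.crt. Note that `verify = 2` in Stunnel 4 checks that the certificate chains to a trusted CA but does not check that the name in it matches mail.example.com; that check only exists in later Stunnel 5 releases.

```python
"""Audit stunnel client sections that carry SMTP credentials.

Added example, not Stunnel's code. Flags a listener bound to all interfaces
and a missing server certificate check. Both configs below are constructed
for the demonstration.
"""

# The minimal config from the Stunnel Configuration step (constructed copy).
WEAK_CONF = """\
[ssmtp]
client = yes
accept = 25
connect = mail.example.com:465
"""

# Hardened version: loopback-only listener, server cert verified against the
# Debian CA bundle (path is an assumption for the example).
HARDENED_CONF = """\
[ssmtp]
client = yes
accept = 127.0.0.1:25
connect = mail.example.com:465
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
"""


def parse_stunnel_conf(text):
    """Minimal parser for stunnel's ini-style file: {section: {key: value}}.

    Options before the first [section] are global defaults and are stored
    under the "" key.  ';' starts a comment, as in stunnel.conf.
    """
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def listener_binds_everywhere(accept):
    """'accept = port' with no host, or a wildcard host, listens on all interfaces."""
    host, _, _port = accept.rpartition(":")
    return host in ("", "0.0.0.0", "::", "*")


def audit_client_sections(text):
    """Return {section_name: [findings]} for every section with client = yes."""
    sections = parse_stunnel_conf(text)
    global_opts = sections.get("", {})
    findings = {}
    for name, opts in sections.items():
        if name == "":
            continue
        merged = dict(global_opts)      # service options inherit global defaults
        merged.update(opts)
        if merged.get("client", "no").lower() != "yes":
            continue
        issues = []
        if listener_binds_everywhere(merged.get("accept", "")):
            issues.append("accept binds all interfaces; use 127.0.0.1:port")
        if merged.get("verify", "0") not in ("2", "3"):
            issues.append("verify is not 2 or 3; server certificate is not checked")
        elif not (merged.get("CAfile") or merged.get("CApath")):
            issues.append("verify set but no CAfile/CApath to check against")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for section, issues in audit_client_sections(conf).items():
            print("%s [%s]: %s" % (label, section, issues or "ok"))
```

Run it against your real file with `audit_client_sections(open("/etc/stunnel/stunnel.conf").read())`; an empty list for the ssmtp section means both settings are in place.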

DenyHosts Configuration

Whitelist Own IPs

The first thing to do is to whitelist the private/public IPs we cannot afford to have blocked, so that we are never locked out of our own server. tcp_wrappers consults /etc/hosts.allow before /etc/hosts.deny, so an address listed here is admitted even if DenyHosts later writes it to hosts.deny. Add such addresses to /etc/hosts.allow, for example:

# echo "ALL: 10.32.1.10" >>/etc/hosts.allow

Customise DenyHosts

Next thing to do is to backup the default /etc/denyhosts.conf configuration file:

# cp /etc/denyhosts.conf /etc/denyhosts.conf.backup

Since we are going to provide our SMTP credentials, it’s a wise idea to restrict file access to the root user only:

# chmod 0600 /etc/denyhosts.conf

Now we can start customising DenyHosts. Below is the content of our configuration file, with comments on each setting.

# cat /etc/denyhosts.conf
       ############ THESE SETTINGS ARE REQUIRED ############

# Debian sshd logs
SECURE_LOG = /var/log/auth.log

# The file which contains restricted host access information
HOSTS_DENY = /etc/hosts.deny

# Remove HOSTS_DENY entries that are older than 1 day
PURGE_DENY = 1d

# The service name that should be blocked in HOSTS_DENY
BLOCK_SERVICE  = sshd

# Block each host after 2 failed invalid login attempts
# This value applies to invalid (non-existent) user login attempts
DENY_THRESHOLD_INVALID = 2

# Block each host after 10 failed valid login attempts
# This value applies to valid user logins (except the root user)
DENY_THRESHOLD_VALID = 10

# Block each host after 1 failed root login attempt
DENY_THRESHOLD_ROOT = 1

# Block each host after 1 failed login attempt
# This value applies to usernames that appear in the 
# WORK_DIR/restricted-usernames file only
DENY_THRESHOLD_RESTRICTED = 1

# The full path that DenyHosts will use for writing data to
WORK_DIR = /var/lib/denyhosts

# Do not report suspicious login attempts from hosts listed in
# WORK_DIR/allowed-hosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = NO

# Do not do hostname lookups 
HOSTNAME_LOOKUP = NO

# Lock file on Debian
LOCK_FILE = /run/denyhosts.pid

       ############ THESE SETTINGS ARE OPTIONAL ############

# Email address that receives notifications about restricted hosts
ADMIN_EMAIL = [email protected]

# Using Stunnel on localhost
SMTP_HOST = localhost
SMTP_PORT = 25

# SMTP login credentials 
SMTP_USERNAME = [email protected]
SMTP_PASSWORD = password

# Specifies "From:" address in messages sent from DenyHosts
SMTP_FROM = DenyHosts <[email protected]>

# Specifies the "Subject:" of messages sent by DenyHosts
SMTP_SUBJECT = DenyHosts Report

# Reset failed valid user login attempts count to 0 after 5 days
AGE_RESET_VALID = 5d

# Reset failed root login attempts count to 0 after 5 days
AGE_RESET_ROOT = 5d

# Reset failed restricted login attempts count to 0 after 5 days
# This applies to all entries found in the WORK_DIR/restricted-usernames
AGE_RESET_RESTRICTED = 5d

# Reset failed invalid login attempts count to 0 after 5 days
AGE_RESET_INVALID = 5d

# Set failed count to 0 if the login is successful
RESET_ON_SUCCESS = yes

   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########

# The logfile that DenyHosts uses to report its status
DAEMON_LOG = /var/log/denyhosts

# The amount of time DenyHosts will sleep between polling the SECURE_LOG
DAEMON_SLEEP = 30s

# Run purge mechanism to expire old entries in HOSTS_DENY every 1h 
DAEMON_PURGE = 1h

The last thing to do is to restart the DenyHosts daemon, then confirm in DAEMON_LOG (/var/log/denyhosts) that it started and is reading /var/log/auth.log:

# /etc/init.d/denyhosts restart
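Before relying on these thresholds on a live box, it helps to see what they actually do. The following Python dry run is an added example and not DenyHosts' own code: it applies DENY_THRESHOLD_INVALID = 2, DENY_THRESHOLD_VALID = 10, DENY_THRESHOLD_ROOT = 1 and RESET_ON_SUCCESS = yes from the configuration above to a handful of constructed auth.log lines and to the hosts.allow whitelist from the earlier step, and prints the entries DenyHosts would write to /etc/hosts.deny. The matching is a simplified version of what DenyHosts does (only "Failed password" and "Accepted" lines are counted, and hosts.allow handling covers literal IPs and trailing-dot prefixes only), so it illustrates the rules rather than replacing DenyHosts' parser.

```python
"""Dry run of DenyHosts blocking decisions for the thresholds configured above.

Added example, not DenyHosts' code.  Sample log lines and hosts.allow are
constructed; the regexes are a simplified form of DenyHosts' matching.
"""
import re
from collections import defaultdict

# Constructed Debian auth.log lines in OpenSSH's format.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Invalid user admin from 203.0.113.5
Mar  1 10:00:02 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
Mar  1 10:00:05 host sshd[1002]: Invalid user test from 203.0.113.5
Mar  1 10:00:06 host sshd[1002]: Failed password for invalid user test from 203.0.113.5 port 4001 ssh2
Mar  1 10:01:00 host sshd[1003]: Failed password for root from 198.51.100.7 port 5000 ssh2
Mar  1 10:02:00 host sshd[1004]: Failed password for alice from 192.0.2.9 port 6000 ssh2
Mar  1 10:02:10 host sshd[1005]: Failed password for alice from 192.0.2.9 port 6001 ssh2
Mar  1 10:03:00 host sshd[1006]: Failed password for root from 10.32.1.10 port 7000 ssh2
Mar  1 10:03:30 host sshd[1007]: Accepted publickey for alice from 192.0.2.9 port 6002 ssh2
"""

# Constructed copy of the whitelist added to /etc/hosts.allow above.
SAMPLE_HOSTS_ALLOW = "ALL: 10.32.1.10\n"

# Values from the denyhosts.conf above.
THRESHOLDS = {"invalid": 2, "valid": 10, "root": 1}
RESET_ON_SUCCESS = True

FAILED_INVALID = re.compile(r"sshd\[\d+\]: Failed password for invalid user (\S+) from (\S+)")
FAILED_VALID = re.compile(r"sshd\[\d+\]: Failed password for (?!invalid user)(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")


def parse_hosts_allow(text):
    """Client patterns from hosts.allow lines that apply to sshd (or ALL).

    Only literal IPs and trailing-dot prefixes such as '10.32.1.' are handled.
    """
    allowed = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if daemons.strip() not in ("ALL", "sshd"):
            continue
        allowed.extend(c.strip() for c in clients.split(",") if c.strip())
    return allowed


def is_allowed(ip, allowed):
    """tcp_wrappers consults hosts.allow first, so a match here always wins."""
    return any(ip == a or (a.endswith(".") and ip.startswith(a)) for a in allowed)


def hosts_to_deny(auth_log, hosts_allow, thresholds=THRESHOLDS,
                  reset_on_success=RESET_ON_SUCCESS):
    """Return {ip: category} for hosts that crossed a threshold, in log order."""
    allowed = parse_hosts_allow(hosts_allow)
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0})
    deny = {}
    for line in auth_log.splitlines():
        m = ACCEPTED.search(line)
        if m:
            if reset_on_success:          # RESET_ON_SUCCESS = yes clears the counters
                counts.pop(m.group(2), None)
            continue
        m = FAILED_INVALID.search(line)
        if m:
            user, ip, kind = m.group(1), m.group(2), "invalid"
        else:
            m = FAILED_VALID.search(line)
            if not m:
                continue
            user, ip = m.group(1), m.group(2)
            kind = "root" if user == "root" else "valid"
        if is_allowed(ip, allowed):       # whitelisted hosts are never counted
            continue
        counts[ip][kind] += 1
        if counts[ip][kind] >= thresholds[kind] and ip not in deny:
            deny[ip] = kind
    return deny


def hosts_deny_lines(deny, service="sshd"):
    """Render entries in the 'BLOCK_SERVICE: ip' form DenyHosts writes to HOSTS_DENY."""
    return ["%s: %s" % (service, ip) for ip in deny]


if __name__ == "__main__":
    blocked = hosts_to_deny(SAMPLE_AUTH_LOG, SAMPLE_HOSTS_ALLOW)
    for entry in hosts_deny_lines(blocked):
        print(entry)
```

With the sample data, 203.0.113.5 is blocked on its second invalid-user failure and 198.51.100.7 on its first root failure; alice's two failures from 192.0.2.9 stay well under DENY_THRESHOLD_VALID and are wiped by her later successful login; and the root failure from the whitelisted 10.32.1.10 is ignored. Point `hosts_to_deny` at the real /var/log/auth.log and /etc/hosts.allow to preview what DenyHosts will do on your own server.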
